Your message dated Tue, 07 Jan 2025 16:00:35 +0000
with message-id <[email protected]>
and subject line Bug#1090934: fixed in ldap-account-manager 9.0-1
has caused the Debian Bug report #1090934,
regarding ldap-account-manager: CVE-2024-52792
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1090934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090934
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ldap-account-manager
Version: 8.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ldap-account-manager.
CVE-2024-52792[0]:
| LDAP Account Manager (LAM) is a php webfrontend for managing entries
| (e.g. users, groups, DHCP settings) stored in an LDAP directory. In
| affected versions LAM does not properly sanitize configuration
| values that are set via `mainmanage.php` and `confmain.php`. This
| allows setting arbitrary config values and thus effectively
| bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv.
| Configuration values for the main config or server profiles are set
| via `mainmanage.php` and `confmain.php`. The values are written to
| `config.cfg` or `serverprofile.conf` in the format of `settingsName:
| settingsValue` line-by-line. An attacker can smuggle arbitrary
| config values in a config file, by inserting a newline into certain
| config fields, followed by the value. This vulnerability has been
| addressed in version 9.0. All users are advised to upgrade. There
| are no known workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52792
    https://www.cve.org/CVERecord?id=CVE-2024-52792
[1] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
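The smuggling the advisory above describes comes from writing one `settingsName: settingsValue` line per field without rejecting line-break characters in the submitted value. The following Python is an added illustration and is not code from LDAP Account Manager (which is written in PHP) nor from this bug report; the setting names, sample values and function names are constructed for the example. It shows the naive writer turning a single submitted field into two stored settings, a hardened writer that refuses any line-break character, and an allowlist audit that flags unexpected setting names in an already written file.

```python
"""Line-based 'name: value' config files: the newline-injection failure mode
and two defensive checks.  Added example, not LAM's own code; all names and
sample settings below are constructed for illustration."""
import re

# Every character that str.splitlines() (and most line-oriented readers)
# treats as a line terminator.  Rejecting only "\n" would miss "\r", "\x0b",
# "\x0c", NEL and the Unicode line/paragraph separators.
_LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")


def serialize_naive(settings: dict) -> str:
    """Vulnerable pattern: values are interpolated verbatim, one line each.
    A value containing a line break therefore yields an extra line, which the
    reader will treat as a separate, caller-chosen setting."""
    return "".join(f"{name}: {value}\n" for name, value in settings.items())


def serialize_safe(settings: dict) -> str:
    """Hardened writer: refuse (rather than silently strip) names and values
    that contain a line terminator, so one submitted field can never become
    two stored settings.  Names must also be non-empty and colon-free so the
    reader splits them back unambiguously."""
    out = []
    for name, value in settings.items():
        name, value = str(name), str(value)
        if _LINE_BREAKS.search(name) or _LINE_BREAKS.search(value):
            raise ValueError(f"line break in setting {name!r}")
        if not name.strip() or ":" in name:
            raise ValueError(f"invalid setting name {name!r}")
        out.append(f"{name}: {value}\n")
    return "".join(out)


def rejects(settings: dict) -> bool:
    """True if the hardened writer refuses this settings dict."""
    try:
        serialize_safe(settings)
    except ValueError:
        return False or True
    return False


def parse(text: str) -> dict:
    """Reader for the same format: one setting per line, split on the first
    colon.  This is what makes a smuggled line become a real setting."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        settings[name.strip()] = value.strip()
    return settings


def unexpected_settings(text: str, allowed) -> set:
    """Audit check for files already on disk: any setting name outside the
    application's known set is a sign that a line was smuggled in."""
    return set(parse(text)) - set(allowed)


if __name__ == "__main__":
    # Constructed sample: the second value carries an embedded newline.
    submitted = {
        "serverURL": "ldap://ldap.example.test",
        "adminName": "cn=admin\nextraSetting: injected",
    }
    naive = serialize_naive(submitted)
    print("naive writer stored:", parse(naive))
    print("unexpected names:", unexpected_settings(naive, {"serverURL", "adminName"}))
    print("hardened writer rejects it:", rejects(submitted))
```

The choice to raise instead of stripping the offending characters is deliberate: a silently truncated value hides the fact that something tried to write a malformed setting, whereas a rejected request surfaces in application logs where it can be alerted on. The audit function is the complementary detective control for configuration files that were written before the fix.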
--- Begin Message ---
Source: ldap-account-manager
Source-Version: 9.0-1
Done: Roland Gruber <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Gruber <[email protected]> (supplier of updated ldap-account-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 17 Dec 2024 19:23:11 +0200
Source: ldap-account-manager
Architecture: source
Version: 9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Gruber <[email protected]>
Changed-By: Roland Gruber <[email protected]>
Closes: 1076835 1090934
Changes:
ldap-account-manager (9.0-1) unstable; urgency=medium
.
* new upstream release
* Fix "ldap-account-manager: CVE-2024-52792" by using
new file format (Closes: #1090934)
* Fix "Please allow recent php-monolog (>= 3)" by using
different dependencies (Closes: #1076835)
Checksums-Sha1:
fedcde77cfac230cc1f29276e131bfbb553d3322 2032 ldap-account-manager_9.0-1.dsc
1e11f3defc4f00da73976b40f0b53c78fd3faa08 27437000 ldap-account-manager_9.0.orig.tar.bz2
394e45bad50fc34e60060ee9921b18897b4b7338 36532 ldap-account-manager_9.0-1.debian.tar.xz
d70f149c4dd3d72fd413bfa1b5822a93f2832929 7737 ldap-account-manager_9.0-1_amd64.buildinfo
Checksums-Sha256:
38603cb0ac0fb0bd295b227ee60c4068f1b60a37b7498116c2b28dd508ed33a7 2032 ldap-account-manager_9.0-1.dsc
acb9caadae57a1ec7583c4161d846dba53a648f1ff670a04f5de10d2f759d697 27437000 ldap-account-manager_9.0.orig.tar.bz2
10b4259c0ee0b1c31ac1049987d2255e3adb4428eae1d46ab1166c507a64a481 36532 ldap-account-manager_9.0-1.debian.tar.xz
a30b83a67dbc6380f3ea945dd589038ae146206ad9aa74bcad3f6e7ff38a80b6 7737 ldap-account-manager_9.0-1_amd64.buildinfo
Files:
7f6deba07c637af3da92a20d9fcff532 2032 web optional ldap-account-manager_9.0-1.dsc
2e74cc8d7711f956fe629b9bede4acf7 27437000 web optional ldap-account-manager_9.0.orig.tar.bz2
1db0fbb6ba0f37f1517bb3a1178bd3ad 36532 web optional ldap-account-manager_9.0-1.debian.tar.xz
532a51a2a59503ce773854757f953829 7737 web optional ldap-account-manager_9.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOAYLMZqeqHbTW+jfgVxjVIQAXyEFAmd9RR4ACgkQgVxjVIQA
XyFRAxAArrWTRRVG4P5ZtPCleiqlaeQgSjq9GiM2NdiGYuJ2tUFCMYKAUpivN8do
+g+cuAbaZ9Hesjh5gobnY0/EacaL98k+Ac3VaG+bnvU04+1D1mSpcg5UvkVHoXlR
LLImqOrsrnvgi0i2MzqWz/6ZxpOGPwUyLEPm53X7mnz5KUHso5pFDDE13MRltFWi
vA9Ab7sPwBMfNmD4qG8hhwNwDZ9S82WffjnoKAyxVu2eDJiG/eL/SZDdyiiWLbLu
tT4j3MtEvsEK3sWVPajs6qkW7X9gLKDBgVt9yC40jCpf5DMxiqSvwTqA/3cS4CWv
6Tq1s2RLE/RstOA5EyJQAKGlQ9Ad+0uCdnvL+OaFpikfb5yZEpytTqQ2cNHboXgt
9wECMmHIHTTyehDnP32tIbZyEAagUHVrF7IiifCj42vCLPT6/pBWDf7tLnoLLFF/
9tEKzeRAaxW7pqa4NWuEtqAsXCYlyM6+YSopbZ/SXVUPII/j4rbvQIMgNNmYpSzs
DE9OLfiqy9wj5R1K72nxfqzkTZvsck1xMEi8iONx9XZ+Cztix/DXa3HFdq1BSlq1
PHyBp/RUuEKpwdw1AXGi1BNi4eJphU4z7DwOlXLyGszXlk4vUk8YI+b9qiypv06q
DsnLZNz/BHLNldqCexCMtH11OOAGET4FPJ9jD82yrCi3ZbN2bdE=
=EgEV
-----END PGP SIGNATURE-----
--- End Message ---