Hi,

On Fri, Jul 23, 2021 at 08:00:25AM +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: secur...@debian.org
>
> Please unblock package lemonldap-ng
>
> [ Reason ]
> lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12.
> This update fixes:
> * Session cache corruption can lead to authorization bypass or spoofing
> (Closes: CVE-2021-35472)
> * OAuth2 handler does not verify access token validity
> (Closes: CVE-2021-35473)
> * XSS on register form
> * Bad behavior which displays TOTP secret to connected user and debug logs
>
> [ Impact ]
> One high vulnerability (CVE-2021-35472) and medium others
Additionally, this one also affected buster, and fixes were released today with DSA 4943-1.

Regards,
Salvatore