Hi all, I updated my debdiff due to a little security hole discovered in lemonldap-ng 1.9.x
Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index a1fe37b..e1e20aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium
+
+ * Fix CDA regression introduced in 1.9.7-3+deb9u1
+ * Fix XXE vulnerability (Closes: #931117)
+
+ -- Xavier Guimard <[email protected]> Wed, 26 Jun 2019 13:46:13 +0200
+
 lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium
 
 * Add patch to fix token security (Closes: #928944, CVE-2019-12046)
diff --git a/debian/patches/CDA-regression.patch b/debian/patches/CDA-regression.patch
new file mode 100644
index 0000000..242ce9c
--- /dev/null
+++ b/debian/patches/CDA-regression.patch
@@ -0,0 +1,62 @@
+Description: CDA regression fix
+ Fix for #928944 (CVE-2019-12046) introduced a regression in cross-domain
+ feature. This diff fix it and fix also a little issue when portal is called
+ using an Ajax request: it must not send Access-Control-Allow-Origin header.
+ (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1519)
+Author: Clément Oudot <[email protected]>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1756
+Bug-Debian: https://bugs.debian.org/928944
+Forwarded: not-needed
+Reviewed-By: Guilhem Moulin <[email protected]>
+Last-Update: 2019-05-27
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+@@ -1049,7 +1049,7 @@
+
+ }
+
+-## @method void updateSession(hashRef infos, string id)
++## @method void updateSession(hashRef infos, string id, string kind)
+ # Update session stored.
+ # If no id is given, try to get it from cookie.
+ # If the session is available, update datas with $info.
+@@ -1057,9 +1058,10 @@
+ # server local cache, if there are several LL::NG servers.
+ # @param infos hash reference of information to update
+ # @param id Session ID
++# @param kind Session kind
+ # @return nothing
+ sub updateSession {
+- my ( $self, $infos, $id ) = @_;
++ my ( $self, $infos, $id, $kind ) = @_;
+
+ # Return if no infos to update
+ return () unless ( ref $infos eq 'HASH' and %$infos );
+@@ -1084,7 +1085,7 @@
+ }
+
+ # Update session in global storage
+- if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) {
++ if ( my $apacheSession = $self->getApacheSession( $id, 1, undef, $kind ) ) {
+
+ # Store updateTime
+ $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
+@@ -1569,7 +1570,6 @@
+ print $self->header(
+ -status => '401 Unauthorizated',
+ '-WWW-Authenticate' => "SSO $self->{portal}",
+- '-Access-Control-Allow-Origin' => '*',
+ );
+ $self->quit;
+ }
+@@ -2744,7 +2744,7 @@
+ $cdaInfos->{cookie_name} = $self->{cookieName} . "http";
+ }
+
+- $self->updateSession( $cdaInfos, $cdaSession->id );
++ $self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' );
+
+ $self->{urldc} .=
+ ( $self->{urldc} =~ /\?/ ? '&' : '?' )
diff --git a/debian/patches/fix-xxe-vulnerability.patch b/debian/patches/fix-xxe-vulnerability.patch
new file mode 100644
index 0000000..90d8b90
--- /dev/null
+++ b/debian/patches/fix-xxe-vulnerability.patch
@@ -0,0 +1,19 @@
+Description: Fix XXE vulnerability
+ Due to #838097, XML::LibXML expands external entities by default. In
+ lemonldap-ng, this permits to an administrator allowed to create
+ notifications to access to server filesystem.
+Author: Xavier Guimard <[email protected]>
+Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/5cbdaf7a
+Last-Update: 2019-06-26
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
+@@ -44,7 +44,7 @@
+ }
+
+ # Initiate XML parser
+- $parser = XML::LibXML->new();
++ $parser = XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 );
+
+ return $self;
+ }
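Review bot: The new `$kind` parameter of updateSession is documented only as `Session kind`, and nothing in the hunk says what values are expected or what happens when it is omitted, even though it is forwarded verbatim as the fourth argument of getApacheSession in the -1084 hunk. I would extend the doxygen line to `# @param kind Session kind, forwarded to getApacheSession (optional; presumably undef keeps the default session store — confirm)`. The only caller updated here is the CDA path in the -2744 hunk, which passes the literal `'CDA'`; any other caller of updateSession outside these hunks keeps passing three arguments and so relies on that undef default. updateSession's body, and the subs containing the 401 header and the CDA code, start and end outside the hunks.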
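Review bot: The new constructor options disable external DTD loading and entity substitution, which closes the filesystem-read path described in the header, but XML::LibXML also exposes `no_network` (off by default), so an explicit `no_network => 1` would make the hardening intent visible and hold even if one of the other options is later touched: `$parser = XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0, no_network => 1 );`. A why-comment above it, such as `# Harden against XXE: notification XML is admin-supplied, never load external DTDs or substitute entities`, would keep a future maintainer from "simplifying" the call back to the default constructor. `$parser` is assigned without `my` here, so its declaration and the enclosing constructor start outside the hunk; if the package builds any other XML::LibXML parser it is not visible in this hunk and would need the same options.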
diff --git a/debian/patches/series b/debian/patches/series
index b13b6df..eb00970 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ avoid-modify-sources.patch
 replace-mouse-by-moose.patch
 Avoid-developer-tests.patch
 CVE-2019-12046.patch
+CDA-regression.patch
+fix-xxe-vulnerability.patch

