Bug#960395: marked as done (buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4)

Sat, 01 Aug 2020 04:59:14 -0700 

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #960395,
regarding buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
960395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960395
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Hi,

I introduced a bug in nginx configuration while fixing CVE-2019-19791.
Here is the fix.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 3eb7087d9..e4b3abe17 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.2+ds-7+deb10u4) buster; urgency=medium
+
+  * Fix nginx configuration regression introduced by CVE-2019-19791 fix
+    (Closes: #960392)
+
+ -- Xavier Guimard <[email protected]>  Tue, 12 May 2020 10:59:43 +0200
+
 lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
 
   * Fix default configuration to prevent unwanted access to admin endpoints
diff --git a/debian/patches/CVE-2019-19791.patch 
b/debian/patches/CVE-2019-19791.patch
index 908e49f2c..4eeda1017 100644
--- a/debian/patches/CVE-2019-19791.patch
+++ b/debian/patches/CVE-2019-19791.patch
@@ -108,7 +108,16 @@ Last-Update: 2019-12-20
      # Note that Content-Security-Policy header is generated by portal itself
 --- a/_example/etc/portal-nginx.conf
 +++ b/_example/etc/portal-nginx.conf
-@@ -42,6 +42,31 @@
+@@ -1,3 +1,8 @@
++# FastCGI backend definition
++upstream llng_portal_upstream {
++    server unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++}
++
+ server {
+   listen __PORT__;
+   server_name auth.__DNSDOMAIN__;
+@@ -42,6 +47,31 @@
      #uwsgi_param SCRIPT_FILENAME $document_root$sc;
      #uwsgi_param SCRIPT_NAME $sc;
  
@@ -140,7 +149,7 @@ Last-Update: 2019-12-20
    }
  
    index index.psgi;
-@@ -56,26 +81,6 @@
+@@ -56,26 +86,6 @@
      alias __PORTALSTATICDIR__;
    }

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---

Reply via email to