Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package lemonldap-ng

Hi all,

We'd like to have an unblock to push lemonldap-ng_1.1.2-5+deb70u1
This release will contain:
* the security fix to close #696329
* the pt_BR.po file to close #693366

Best regards,
Xavier

unblock lemonldap-ng/1.1.2-5+deb70u1

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru lemonldap-ng-1.1.2/debian/changelog lemonldap-ng-1.1.2/debian/changelog --- lemonldap-ng-1.1.2/debian/changelog 2012-03-24 17:59:00.000000000 +0100 +++ lemonldap-ng-1.1.2/debian/changelog 2012-12-21 06:03:04.000000000 +0100 @@ -1,3 +1,10 @@ +lemonldap-ng (1.1.2-5+deb70u1) testing-proposed-updates; urgency=high + + * Fix for CVE-2012-6426 (Closes: #696329) + * Brazilian translation (Closes: #693366) + + -- Xavier Guimard <[email protected]> Thu, 20 Dec 2012 06:41:50 +0100 + lemonldap-ng (1.1.2-5) unstable; urgency=low * Remove some mistakes reported by diff -Nru lemonldap-ng-1.1.2/debian/patches/series lemonldap-ng-1.1.2/debian/patches/series --- lemonldap-ng-1.1.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ lemonldap-ng-1.1.2/debian/patches/series 2012-12-19 22:16:19.000000000 +0100 @@ -0,0 +1 @@ +verify-saml-signatures.patch diff -Nru lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch --- lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch 1970-01-01 01:00:00.000000000 +0100 +++ lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch 2012-12-19 22:21:48.000000000 +0100 
@@ -0,0 +1,146 @@ +Description: Verify SAML signature + Due to a bad use of Lasso library, SAML signatures are never checked, even if + we force signature check. + [CVE-2012-6426] +Author: Clément OUDOT <[email protected]> +Bug: http://jira.ow2.org/browse/LEMONLDAP-570 +Bug-Debian: http://bugs.debian.org/696329 +Forwarded: yes +Reviewed-By: Xavier Guimard <[email protected]> +Last-Update: 2012-12-19 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm +@@ -2218,6 +2218,21 @@ + return $self->checkLassoError($@); + } + ++## @method boolean forceSignatureVerification(Lasso::Profile profile) ++# Modify Lasso signature hint to force signature verification ++# @param profile Lasso profile object ++# @return result ++sub forceSignatureVerification { ++ my ( $self, $profile ) = splice @_; ++ ++ eval { ++ Lasso::Profile::set_signature_verify_hint( $profile, ++ Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE ); ++ }; ++ ++ return $self->checkLassoError($@); ++} ++ + ## @method string getAuthnContext(string context) + # Convert configuration string into SAML2 AuthnContextClassRef string + # @param context configuration string +@@ -3223,6 +3238,10 @@ + + Modify Lasso signature hint to disable signature verification + ++=head2 forceSignatureVerification ++ ++Modify Lasso signature hint to force signature verification ++ + =head2 getAuthnContext + + Convert configuration string into SAML2 AuthnContextClassRef string +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm +@@ -125,7 +125,18 @@ + ->{samlIDPMetaDataOptionsCheckSSOMessageSignature}; + + if ($checkSSOMessageSignature) { +- unless ( $self->checkSignatureStatus($login) ) { ++ ++ $self->forceSignatureVerification($login); ++ ++ if ($artifact) { ++ $result = $self->processArtResponseMsg( $login, $response ); ++ } ++ else { ++ $result = ++ $self->processAuthnResponseMsg( $login, 
$response ); ++ } ++ ++ unless ($result) { + $self->lmLog( "Signature is not valid", 'error' ); + return PE_SAML_SIGNATURE_ERROR; + } +@@ -406,7 +417,12 @@ + ->{samlIDPMetaDataOptionsCheckSLOMessageSignature}; + + if ($checkSLOMessageSignature) { +- unless ( $self->checkSignatureStatus($logout) ) { ++ ++ $self->forceSignatureVerification($logout); ++ ++ $result = $self->processLogoutResponseMsg( $logout, $response ); ++ ++ unless ($result) { + $self->lmLog( "Signature is not valid", 'error' ); + return PE_SAML_SIGNATURE_ERROR; + } +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm +@@ -150,7 +150,17 @@ + ->{samlSPMetaDataOptionsCheckSSOMessageSignature}; + + if ($checkSSOMessageSignature) { +- unless ( $self->checkSignatureStatus($login) ) { ++ ++ $self->forceSignatureVerification($login); ++ ++ if ($artifact) { ++ $result = $self->processArtResponseMsg( $login, $request ); ++ } ++ else { ++ $result = $self->processAuthnRequestMsg( $login, $request ); ++ } ++ ++ unless ($result) { + $self->lmLog( "Signature is not valid", 'error' ); + return PE_SAML_SIGNATURE_ERROR; + } +@@ -278,7 +288,10 @@ + ->{samlSPMetaDataOptionsCheckSLOMessageSignature}; + + if ($checkSLOMessageSignature) { +- unless ( $self->checkSignatureStatus($logout) ) { ++ ++ $self->forceSignatureVerification($logout); ++ ++ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) { + $self->lmLog( "Signature is not valid", 'error' ); + $self->sendSLOErrorResponse( $logout, $method ); + } +@@ -1201,7 +1214,17 @@ + ->{samlSPMetaDataOptionsCheckSSOMessageSignature}; + + if ($checkSSOMessageSignature) { +- unless ( $self->checkSignatureStatus($login) ) { ++ ++ $self->forceSignatureVerification($login); ++ ++ if ($artifact) { ++ $result = $self->processArtResponseMsg( $login, $request ); ++ } ++ else { ++ $result = $self->processAuthnRequestMsg( $login, $request ); ++ } ++ ++ unless ($result) { + $self->lmLog( 
"Signature is not valid", 'error' ); + return PE_SAML_SIGNATURE_ERROR; + } +@@ -1864,7 +1887,10 @@ + ->{samlSPMetaDataOptionsCheckSLOMessageSignature}; + + if ($checkSLOMessageSignature) { +- unless ( $self->checkSignatureStatus($logout) ) { ++ ++ $self->forceSignatureVerification($logout); ++ ++ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) { + $self->lmLog( "Signature is not valid", 'error' ); + $self->sendSLOErrorResponse( $logout, $method ); + } diff -Nru lemonldap-ng-1.1.2/debian/po/pt_BR.po lemonldap-ng-1.1.2/debian/po/pt_BR.po --- lemonldap-ng-1.1.2/debian/po/pt_BR.po 1970-01-01 01:00:00.000000000 +0100 +++ lemonldap-ng-1.1.2/debian/po/pt_BR.po 2012-12-20 07:10:41.000000000 +0100 
@@ -0,0 +1,145 @@ +# Debconf translations for lemonldap-ng. +# Copyright (C) 2012 THE lemonldap-ng'S COPYRIGHT HOLDER +# This file is distributed under the same license as the lemonldap-ng package. +# Adriano Rafael Gomes <[email protected]>, 2012. +# +msgid "" +msgstr "" +"Project-Id-Version: lemonldap-ng 1.2.2-1\n" +"Report-Msgid-Bugs-To: [email protected]\n" +"POT-Creation-Date: 2010-12-04 23:10+0100\n" +"PO-Revision-Date: 2012-11-15 18:04-0200\n" +"Last-Translator: Adriano Rafael Gomes <[email protected]>\n" +"Language-Team: Brazilian Portuguese <[email protected]." +"org>\n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:1001 +msgid "LDAP server:" +msgstr "Servidor LDAP:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:1001 +msgid "" +"Set here name or IP address of the LDAP server that has to be used by " +"Lemonldap::NG. You can modify this value later using the Lemonldap::NG " +"manager." +msgstr "" +"Informe aqui o nome ou endereço IP do servidor LDAP que deve ser usado pelo " +"Lemonldap::NG. Você pode modificar esse valor mais tarde usando o " +"gerenciador do Lemonldap::NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:2001 +msgid "Lemonldap::NG DNS domain:" +msgstr "Domínio DNS do Lemonldap::NG:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:2001 +msgid "" +"Set here the main domain protected by Lemonldap::NG. You can modify this " +"value later using the Lemonldap::NG manager." +msgstr "" +"Informe aqui o domínio principal protegido pelo Lemonldap::NG. Você pode " +"modificar esse valor mais tarde usando o gerenciador do Lemonldap::NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:3001 +msgid "Lemonldap::NG portal:" +msgstr "Portal do Lemonldap::NG:" + +#. 
Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:3001 +msgid "" +"Set here the Lemonldap::NG portal URL. You can modify this value later using " +"the Lemonldap::NG manager." +msgstr "" +"Informe aqui a URL do portal do Lemonldap::NG. Você pode modificar esse " +"valor mais tarde usando o gerenciador do Lemonldap::NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:4001 +msgid "LDAP server port:" +msgstr "Porta do servidor LDAP:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:4001 +msgid "" +"Set here the port used by the LDAP server. You can modify this value later " +"using the Lemonldap::NG manager." +msgstr "" +"Informe aqui a porta usada pelo servidor LDAP. Você pode modificar esse " +"valor mais tarde usando o gerenciador do Lemonldap::NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:5001 +msgid "LDAP search base:" +msgstr "Base de busca LDAP:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:5001 +msgid "" +"Set here the search base to use in LDAP queries. You can modify this value " +"later using the Lemonldap::NG manager." +msgstr "" +"Informe aqui a base de busca (\"search base\") para usar nas pesquisas LDAP. " +"Você pode modificar esse valor mais tarde usando o gerenciador do Lemonldap::" +"NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:6001 +msgid "LDAP account:" +msgstr "Conta LDAP:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:6001 +msgid "" +"Set here the account that Lemonldap::NG has to use for its LDAP requests. " +"Leaving it blank causes Lemonldap::NG to use anonymous connections. You can " +"modify this value later using the Lemonldap::NG manager." +msgstr "" +"Informe aqui a conta que o Lemonldap::NG deve usar para suas requisições " +"LDAP. Deixá-la em branco faz com que o Lemonldap::NG use conexões anônimas. 
" +"Você pode modificar esse valor mais tarde usando o gerenciador do Lemonldap::" +"NG." + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:7001 +msgid "LDAP password:" +msgstr "Senha LDAP:" + +#. Type: string +#. Description +#: ../liblemonldap-ng-conf-perl.templates:7001 +msgid "" +"Set here the password for the Lemonldap::NG LDAP account. You can modify " +"this value later using the Lemonldap::NG manager." +msgstr "" +"Informe aqui a senha para a conta LDAP do Lemonldap::NG. Você pode modificar " +"esse valor mais tarde usando o gerenciador do Lemonldap::NG." + +#. Type: boolean +#. Description +#: ../liblemonldap-ng-conf-perl.templates:8001 +msgid "" +"Lemonldap::NG configuration files have changed, try to migrate your files?" +msgstr "" +"Os arquivos de configuração do Lemonldap::NG mudaram, tentar migrar os seus " +"arquivos?"
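Review bot: in the verify-saml-signatures.patch hunk, the return value of the new `forceSignatureVerification` helper (which ends in `return $self->checkLassoError($@);`) is discarded at every call site, in AuthSAML.pm and IssuerDBSAML.pm alike: `$self->forceSignatureVerification($login);` and `$self->forceSignatureVerification($logout);` are called as bare statements. If `Lasso::Profile::set_signature_verify_hint` dies, the code falls through and processes the message with whatever verify hint the profile already had, which is the exact condition CVE-2012-6426 describes. Suggest failing closed at each site, e.g. `return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($login);` before the process*Msg call, mirroring how the other `checkLassoError` callers treat a false result.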
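Review bot: in the AuthSAML.pm hunk at `@@ -125,7 +125,18 @@`, `$result` is assigned (`$result = $self->processArtResponseMsg( $login, $response );`) but neither the hunk nor its context shows a `my $result` declaration; if it is not declared earlier in the sub this does not compile under `use strict`, so please confirm. In the same hunk, `unless ($result)` now fires for any failure of `processAuthnResponseMsg` / `processArtResponseMsg` (malformed response, unknown issuer, and so on), yet the log line still reads `"Signature is not valid"`; suggest passing the Lasso error text to `lmLog` so an operator can distinguish a real signature failure from a broken message. The same applies to the `@@ -406,7 +417,12 @@` SLO hunk, which reuses `$result` and the same message.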
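Review bot: the IssuerDBSAML.pm hunks at `@@ -150,7 +150,17 @@` and `@@ -1201,7 +1214,17 @@` add the same eleven-line block twice (force hint, branch on `$artifact`, call `processArtResponseMsg` or `processAuthnRequestMsg`, test `$result`), and AuthSAML.pm carries a near-identical copy; this is the kind of duplicated security-critical logic that drifts apart on the next fix, so suggest a single helper next to `forceSignatureVerification` in _SAML.pm that takes the profile, the message and the artifact flag and returns the processing result. Also, the replaced line `unless ( $self->checkSignatureStatus($login) )` only makes sense if `$login` had already processed the message (Lasso's signature status is set by processing), in which case the request is now parsed a second time inside this branch; if that is so, setting the hint before the first processing call, rather than reprocessing, would be simpler and avoids any side effects of handling the same message twice.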

