Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1

2012-12-24 Thread Adam D. Barratt

Control: tags -1 -moreinfo +confirmed

On 23.12.2012 17:38, Xavier wrote:

> On 23/12/2012 13:31, Adam D. Barratt wrote:
>
>> On 22.12.2012 07:34, Xavier Guimard wrote:
>>
>>> This release will contain :
>>> * the security fix to close #696329
>>> * the pt_BR.po file to close #693366
>>
>> It looks like #696329 isn't fixed in unstable yet? What's the progress
>> on that? In general we'd expect fixes going via t-p-u to have been
>> applied to unstable first where appropriate, to give them some more
>> exposure / testing.

[...]

> gregoa has done it just now (there were many other changes to check).


Thanks. Please go ahead.

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1

2012-12-24 Thread gregor herrmann
On Mon, 24 Dec 2012 20:04:32 +0000, Adam D. Barratt wrote:

>>> It looks like #696329 isn't fixed in unstable yet? What's the progress
>>> on that? In general we'd expect fixes going via t-p-u to have been
>>> applied to unstable first where appropriate, to give them some more
>>> exposure / testing.
> [...]
>> gregoa has done it just now (there were many other changes to check).
>
> Thanks. Please go ahead.

Thank you.
Upload (as clarified on IRC) as 1.1.2-5+deb7u1.

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Nick Cave & The Bad Seeds: The Lyre Of Orpheus




Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1

2012-12-23 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 22.12.2012 07:34, Xavier Guimard wrote:

> This release will contain :
> * the security fix to close #696329
> * the pt_BR.po file to close #693366


It looks like #696329 isn't fixed in unstable yet? What's the progress 
on that? In general we'd expect fixes going via t-p-u to have been 
applied to unstable first where appropriate, to give them some more 
exposure / testing.


Regards,

Adam





Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1

2012-12-23 Thread Xavier
On 23/12/2012 13:31, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 22.12.2012 07:34, Xavier Guimard wrote:
>> This release will contain :
>> * the security fix to close #696329
>> * the pt_BR.po file to close #693366
>
> It looks like #696329 isn't fixed in unstable yet? What's the progress
> on that? In general we'd expect fixes going via t-p-u to have been
> applied to unstable first where appropriate, to give them some more
> exposure / testing.
>
> Regards,
>
> Adam

Hi Adam,

gregoa has done it just now (there were many other changes to check).

Thanks!





Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1

2012-12-21 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lemonldap-ng

Hi all,

We'd like to have an unblock to push lemonldap-ng_1.1.2-5+deb70u1
This release will contain :
* the security fix to close #696329
* the pt_BR.po file to close #693366

Best regards,
Xavier

unblock lemonldap-ng/1.1.2-5+deb70u1

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru lemonldap-ng-1.1.2/debian/changelog lemonldap-ng-1.1.2/debian/changelog
--- lemonldap-ng-1.1.2/debian/changelog	2012-03-24 17:59:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/changelog	2012-12-21 06:03:04.0 +0100
@@ -1,3 +1,10 @@
+lemonldap-ng (1.1.2-5+deb70u1) testing-proposed-updates; urgency=high
+
+  * Fix for CVE-2012-6426 (Closes: #696329)
+  * Brazilian translation (Closes: #693366)
+
+ -- Xavier Guimard x.guim...@free.fr  Thu, 20 Dec 2012 06:41:50 +0100
+
 lemonldap-ng (1.1.2-5) unstable; urgency=low
 
   * Remove some mistakes reported by
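Review bot: the version in the new changelog entry, 1.1.2-5+deb70u1, does not match the 1.1.2-5+deb7u1 that gregor's reply says the package was actually uploaded as; the changelog entry and the "unblock" hint at the top of the report should both carry the version string that ends up in the archive.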
diff -Nru lemonldap-ng-1.1.2/debian/patches/series lemonldap-ng-1.1.2/debian/patches/series
--- lemonldap-ng-1.1.2/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/patches/series	2012-12-19 22:16:19.0 +0100
@@ -0,0 +1 @@
+verify-saml-signatures.patch
diff -Nru lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch
--- lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch	1970-01-01 01:00:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch	2012-12-19 22:21:48.0 +0100
@@ -0,0 +1,146 @@
+Description: Verify SAML signature
+ Due to a bad use of Lasso library, SAML signatures are never checked, even if
+ we force signature check.
+ [CVE-2012-6426]
+Author: Clément OUDOT cou...@linagora.com
+Bug: http://jira.ow2.org/browse/LEMONLDAP-570
+Bug-Debian: http://bugs.debian.org/696329
+Forwarded: yes
+Reviewed-By: Xavier Guimard x.guim...@free.fr
+Last-Update: 2012-12-19
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+@@ -2218,6 +2218,21 @@
+ return $self-checkLassoError($@);
+ }
+ 
++## @method boolean forceSignatureVerification(Lasso::Profile profile)
++# Modify Lasso signature hint to force signature verification
++# @param profile Lasso profile object
++# @return result
++sub forceSignatureVerification {
++my ( $self, $profile ) = splice @_;
++
++eval {
++Lasso::Profile::set_signature_verify_hint( $profile,
++Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
++};
++
++return $self-checkLassoError($@);
++}
++
+ ## @method string getAuthnContext(string context)
+ # Convert configuration string into SAML2 AuthnContextClassRef string
+ # @param context configuration string
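Review bot: the "@return result" line in the header of forceSignatureVerification says nothing about what is returned; since the body returns $self->checkLassoError($@), document that the value is the Lasso error status so that callers know it has to be tested. It is also worth stating in the comment that the method only sets a hint on the profile and verifies nothing by itself: the actual verification happens in the process*Msg call made afterwards, so a caller that sets the hint without re-processing the message gains nothing.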
+@@ -3223,6 +3238,10 @@
+ 
+ Modify Lasso signature hint to disable signature verification
+ 
++=head2 forceSignatureVerification
++
++Modify Lasso signature hint to force signature verification
++
+ =head2 getAuthnContext
+ 
+ Convert configuration string into SAML2 AuthnContextClassRef string
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+@@ -125,7 +125,18 @@
+   -{samlIDPMetaDataOptionsCheckSSOMessageSignature};
+ 
+ if ($checkSSOMessageSignature) {
+-unless ( $self-checkSignatureStatus($login) ) {
++
++$self-forceSignatureVerification($login);
++
++if ($artifact) {
++$result = $self-processArtResponseMsg( $login, $response );
++}
++else {
++$result =
++  $self-processAuthnResponseMsg( $login, $response );
++}
++
++unless ($result) {
+ $self-lmLog( Signature is not valid, 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
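Review bot: the return value of $self->forceSignatureVerification($login) is discarded; if setting the hint fails, the profile keeps whatever hint it already had (the POD hunk above shows a disableSignatureVerification counterpart exists) and processAuthnResponseMsg runs without forced verification while the code path still looks like a checked one. Suggest testing it, e.g. return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($login); before the processing call. Also confirm that calling processArtResponseMsg / processAuthnResponseMsg here is safe: the replaced code only inspected checkSignatureStatus($login), which implies the response had already been processed once before this branch, so the message is now parsed twice.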
+@@ -406,7 +417,12 @@
+   -{samlIDPMetaDataOptionsCheckSLOMessageSignature};
+ 
+ if ($checkSLOMessageSignature) {
+-unless ( $self-checkSignatureStatus($logout) ) {
++
++$self-forceSignatureVerification($logout);
++
++$result = $self-processLogoutResponseMsg( $logout, $response );
++
++unless ($result) {
+ $self-lmLog( Signature is not valid, 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
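Review bot: same discarded return value as in the SSO hunk: $self->forceSignatureVerification($logout) is called without its result being checked. In addition, every failure of processLogoutResponseMsg is now logged as "Signature is not valid" and mapped to PE_SAML_SIGNATURE_ERROR, whereas the replaced checkSignatureStatus test only fired on a signature problem; log the underlying Lasso error next to that message so an operator can tell an invalid signature from a malformed or unexpected logout message.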
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+@@