Processed: Re: Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053219 [release.debian.org] bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Added tag(s) confirmed.

-- 
1053219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053219
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:37 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection only when configuration is edited by hand and
>    doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>    A little-known feature of OIDC allows the OpenID Provider to fetch the
>    Authorization request parameters itself by indicating a request_uri
>    parameter. This feature is now restricted to a white list using this
>    patch
> 

--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium

As Salvatore pointed out, the suite is wrong in the header.

+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the

s/little-know//

Please go ahead.

Regards,

Adam



Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-29 Thread Salvatore Bonaccorso
Hi Yadd,

On Fri, Sep 29, 2023 at 05:37:25PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
> Control: affects -1 + src:lemonldap-ng
> 
> [ Reason ]
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection only when configuration is edited by hand and
>    doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>    A little-known feature of OIDC allows the OpenID Provider to fetch the
>    Authorization request parameters itself by indicating a request_uri
>    parameter. This feature is now restricted to a white list using this
>    patch
> 
> [ Impact ]
> One low and one medium security issue.
> 
> [ Tests ]
> Patches include test updates
> 
> [ Risks ]
> Outside of test changes, patches are not so big and the test coverage
> provided by upstream is good, so risk is moderate.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - open redirection patch: just rejects requests with `redirect_uri` if
>   relying party configuration has no declared redirect URIs.
> - SSRF patch:
>   * add new configuration parameter to list authorized "request_uris"
>   * change the algorithm that manages the request_uri parameter
> 
> Cheers,
> Xavier

> diff --git a/debian/NEWS b/debian/NEWS
> index b8955920b..5295a3cbb 100644
> --- a/debian/NEWS
> +++ b/debian/NEWS
> @@ -1,3 +1,13 @@
> +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium


bookworm?

(but that said I guess that can be considered minor if time is tight
to get the upload in, but as well disclaimer, not part of the release
team)

Regards,
Salvatore



Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-known feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages the request_uri parameter

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index b8955920b..5295a3cbb 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:15:03 +0400
+
 lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium
 
   CVE-2020-24660
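Review bot: the suite in the new NEWS header is wrong: `+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium` says bullseye while the version is a bookworm deb12u2 update and the changelog hunk in the same debdiff says bookworm; change it to `bookworm`. The same entry has the typo `little-know` in `+  A little-know feature of OIDC allows the OpenID Provider to fetch the`; either drop the phrase or write `little-known`. Since this NEWS entry is what administrators see at upgrade time, it would also help to name the option to fill in (the patch's manager documentation calls it "Allowed URLs for fetching Request Object") rather than only "Relying-Party security option", so that relying parties that depend on request_uri can be re-enabled without hunting through the manager.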
diff --git a/debian/changelog b/debian/changelog
index cd4c8a023..148164a94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 17:18:12 +0400
+
 lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium
 
   * Apply login control to auth-slave requests
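Review bot: the SSRF line `+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)` does not say that the fix is a behaviour change (per the NEWS entry in this debdiff, request_uri fetches are now denied unless the URL is allow-listed in a new per-RP option); a stable user scanning the changelog for the cause of a broken RP login would want a hint such as "now restricted to an allow-list, see NEWS". Minor: `+  * Fix open redirection when OIDC RP has no redirect uris` carries no bug or upstream issue reference, unlike the SSRF line; if one exists it should be cited, and "redirect URIs" reads better than "redirect uris".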
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..3c6ca8b51
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,795 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-22
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -247,6 +247,11 @@
+   This feature only works if you have configured a form-based 
authentication module.
+-  **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the
+   :ref:`Client Credentials Grant ` by this 
client.
++   -  **Allowed URLs for fetching Request Object**: (since version 
``2.17.1``):
++  which URLs may be called by the portal to fetch the request object (see
++  `request_uri
++  
`__
++  in OIDC specifications). These URLs may use wildcards 
(``https://app.example.com/*``).
+-  **Authentication level**: Required authentication level to access this 
application
+-  **Access rule**: Lets you specify a :doc:`Perl rule` to 
restrict access to this client
+ 
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
 b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -4656,6 +4656,7 @@
+ oidcRPMetaDataOptionsComment  => { type => 'longtext' 
},
+ oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' },
+ oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
++oidcRPMetaDataOptionsRequestUris  => { type => 'text', },
+ oidcRPMetaDataOptionsExtraClaims  => {
+ type=> 'keyTextContainer',
+ keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/,
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
 b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
+@@ -255,6 +255,7 @@
+
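Review bot: this copy of SSRF-issue.patch is truncated (the hunk header declares 795 lines and the text stops inside the CTrees.pm hunk), so the allow-list matching code itself cannot be reviewed here; because the documentation hunk states that these URLs `may use wildcards (https://app.example.com/*)`, please confirm that the match is anchored at both ends against the full request_uri (scheme and host included), so that such a pattern does not also accept a different host that merely starts with the same string or a URL that only contains the pattern in its query string, and that an empty option denies every request_uri, as the NEWS entry promises. Two smaller points in the visible part: the new `+oidcRPMetaDataOptionsRequestUris  => { type => 'text', },` attribute carries no validation constraint (compare the `keyTest` on the neighbouring `oidcRPMetaDataOptionsExtraClaims`), so consider checking that each entry is an absolute URL; and the documentation line `++   -  **Allowed URLs for fetching Request Object**: (since version` has a stray colon before `(since version` and is indented differently from the sibling `-  **Allow OAuth2.0 Client Credentials Grant**` item, which reStructuredText may render as a nested list item.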
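The two checks the [ Changes ] section describes, as an added Python illustration that is not LemonLDAP::NG's own Perl code: it assumes the option values are space-separated URL lists, that `*` matches any run of characters with the pattern anchored at both ends, that redirect_uri otherwise needs an exact match against the declared list, and that an empty allow-list denies every request_uri (the default-deny the NEWS entry describes).

```python
import re

# Constructed sample RP configurations (not real LemonLDAP::NG config),
# keyed by the option names the patch adds/uses; values are assumed to be
# space-separated lists of URLs.
RP_WITH_URIS = {
    "oidcRPMetaDataOptionsRedirectUris": "https://app.example.com/cb",
    "oidcRPMetaDataOptionsRequestUris":
        "https://app.example.com/* https://other.example.org/req.jwt",
}
RP_HAND_EDITED = {  # edited by hand: no redirect URIs declared (open-redirect case)
    "oidcRPMetaDataOptionsRedirectUris": "",
    "oidcRPMetaDataOptionsRequestUris": "",
}


def _split(value: str) -> list:
    return [v for v in value.split() if v]


def redirect_uri_allowed(rp: dict, redirect_uri: str) -> bool:
    """Open-redirect fix: an RP with no declared redirect URIs gets every
    redirect_uri rejected; otherwise the value must equal a declared URI
    (exact matching is assumed here, as OIDC requires)."""
    declared = _split(rp.get("oidcRPMetaDataOptionsRedirectUris", ""))
    if not declared:
        return False
    return redirect_uri in declared


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    # Escape everything except '*', which becomes '.*'. Anchoring both ends is
    # what stops 'https://app.example.com/*' from accepting a different host
    # such as 'https://app.example.com.attacker.example/' or a URL that only
    # carries the pattern inside its query string.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$")


def request_uri_allowed(rp: dict, request_uri: str) -> bool:
    """SSRF fix: fetch request_uri only if it matches an allow-listed pattern;
    an empty allow-list (the default) denies every fetch."""
    patterns = _split(rp.get("oidcRPMetaDataOptionsRequestUris", ""))
    return any(_pattern_to_regex(p).match(request_uri) for p in patterns)


if __name__ == "__main__":
    assert not redirect_uri_allowed(RP_HAND_EDITED, "https://app.example.com/cb")
    assert request_uri_allowed(RP_WITH_URIS, "https://app.example.com/req/1.jwt")
    assert not request_uri_allowed(RP_WITH_URIS, "https://app.example.com.attacker.example/")
    print("checks passed")
```

Under the assumed semantics a wildcard placed in the host part (`https://*.example.com/...`) would also match across `/`, so keep wildcards in the path as in the documented example unless the real matcher is stricter.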