Processed: Re: Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

[Debian Bug Tracking System]

Processing control commands:

> tags -1 confirmed
Bug #1053220 [release.debian.org] bullseye-pu: package 
lemonldap-ng/2.0.11+ds-4+deb11u5
Added tag(s) confirmed.

-- 
1053220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

[Adam D. Barratt]

Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:45 +0400, Yadd wrote:
> Two new vulnerabilities have been dicovered and fixed in lemonldap-
> ng:
>  - an open redirection due to incorrect escape handling
>  - an open redirection only when configuration is edited by hand and
>doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>A little-know feature of OIDC allows the OpenID Provider to fetch
> the
>Authorization request parameters itself by indicating a
> request_uri
>parameter. This feature is now restricted to a white list using
> this
>patch
> 

Please go ahead.

Regards,

Adam

Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

[Yadd]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been dicovered and fixed in lemonldap-ng:
 - an open redirection due to incorrect escape handling
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-know feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches includes test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
  redirections
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manage request_uri parameter

Cheers,
Yadd
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:38:51 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   AuthBasic now enforces 2FA activation (CVE-2023-28862):
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix open redirection due to incorrect escape handling
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 16:35:14 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
 lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
 
-  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+  * Fix auth process in password-testing plugins (Closes: #1005302, 
CVE-2021-40874)
 
  -- Yadd   Thu, 24 Feb 2022 15:16:09 +0100
 
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
 lemonldap-ng-manager/site/htdocs/static/js/conftree.js
 lemonldap-ng-manager/site/htdocs/static/struct.json
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-23
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -278,6 +278,11 @@
+   the Session Browser.
+- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the 
use of the :ref:`Resource Owner Password Credentials Grant 
` by this client. This feature only works if you 
have configured a form-based authentication module.
+- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the :ref:`Resource Owner Password Credentials Grant 
` by this client.
++   - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``):
++ which URLs may be called by the portal to fetch the request object (see
++ `request_uri
++