Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection due to incorrect escape handling
- an open redirection only when configuration is edited by hand and
doesn't follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
A little-known feature of OIDC allows the OpenID Provider to fetch the
Authorization request parameters itself by indicating a request_uri
parameter. This feature is now restricted to a white list using this
patch
[ Impact ]
Two low and one medium security issues.
[ Tests ]
Patches include test updates
[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
redirection
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
relying party configuration has no declared redirect URIs.
- SSRF patch:
* add a new configuration parameter to list authorized "request_uris"
* change the algorithm that manages the request_uri parameter
Cheers,
Yadd
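As an added example (written for this page in Python, not lemonldap-ng's own Perl code) of the two OIDC checks described in the request above: the per-RP allow-list that decides whether the OP may fetch a `request_uri` at all (the SSRF fix), and the refusal of a client-supplied `redirect_uri` when the relying party has no registered redirect URIs (the second open redirection). The `RelyingParty` fields, the function names, and the exact-match rule applied when redirect URIs are registered (which goes beyond the page's fix to the usual OIDC rule) are assumptions; the sample configurations and requests are constructed.

```python
"""Allow-list checks for an OIDC authorization endpoint.

Illustrative code written for this page, not lemonldap-ng's implementation.
Field names, function names and sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class AuthorizationError(Exception):
    """The request must be refused: no redirect and no outbound fetch."""


@dataclass
class RelyingParty:
    client_id: str
    # Redirect URIs registered for this client (exact match, per OIDC Core).
    redirect_uris: List[str] = field(default_factory=list)
    # URLs the OP may fetch when the client sends request_uri. Empty by
    # default, so request_uri is refused until the administrator fills it
    # (assumed equivalent of "Allowed URLs for fetching Request Object").
    allowed_request_uris: List[str] = field(default_factory=list)


def check_request_uri(rp: RelyingParty, params: Dict[str, str]) -> Optional[str]:
    """Return the request_uri the OP may fetch, or None if none was sent.

    Without an allow-list the OP fetches whatever URL the client names, which
    makes it an HTTP client for anyone who can reach the authorization
    endpoint (the SSRF of CVE-2023-44469).
    """
    request_uri = params.get("request_uri")
    if request_uri is None:
        return None
    # Exact match only: no prefix or wildcard matching on the allow-list.
    if request_uri not in rp.allowed_request_uris:
        raise AuthorizationError(
            f"request_uri not allowed for client {rp.client_id}: {request_uri}")
    # Defence in depth against a mis-filled allow-list entry (file:, http:).
    parts = urlsplit(request_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise AuthorizationError("request_uri must be an absolute https URL")
    return request_uri


def check_redirect_uri(rp: RelyingParty, params: Dict[str, str]) -> str:
    """Return the redirect URI the OP may send the user agent to.

    An RP configured by hand without redirect URIs used to accept any
    redirect_uri (an open redirect); such requests are now refused. With
    registered URIs, the supplied value must match one exactly.
    """
    redirect_uri = params.get("redirect_uri")
    if not rp.redirect_uris:
        if redirect_uri is not None:
            raise AuthorizationError(
                f"client {rp.client_id} has no registered redirect URIs; "
                "refusing client-supplied redirect_uri")
        raise AuthorizationError(f"nowhere to redirect for client {rp.client_id}")
    if redirect_uri is None:
        if len(rp.redirect_uris) == 1:
            return rp.redirect_uris[0]
        raise AuthorizationError("redirect_uri is required")
    if redirect_uri not in rp.redirect_uris:
        raise AuthorizationError(f"unregistered redirect_uri: {redirect_uri}")
    return redirect_uri


def validate_authorization_request(
        rp: RelyingParty, params: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run both checks; return what the OP may act on, or raise."""
    return {
        "redirect_uri": check_redirect_uri(rp, params),
        "request_uri": check_request_uri(rp, params),
    }


def is_rejected(rp: RelyingParty, params: Dict[str, str]) -> bool:
    """True when the request is refused (helper for the demo below)."""
    try:
        validate_authorization_request(rp, params)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    app = RelyingParty("app", ["https://app.example/cb"],
                       ["https://app.example/req/login"])
    legacy = RelyingParty("legacy")  # hand-edited config, no redirect URIs
    print(validate_authorization_request(
        app, {"request_uri": "https://app.example/req/login"}))
    print(is_rejected(app, {"request_uri": "http://169.254.169.254/latest/"}))
    print(is_rejected(legacy, {"redirect_uri": "https://attacker.example/"}))
```

The allow-list is matched exactly rather than by prefix, so a listed URL cannot be extended with a path or userinfo trick into a different host, and the scheme/host check after the match guards against an operator pasting a non-https entry into the list.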
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+ A little-know feature of OIDC allows the OpenID Provider to fetch the
+ Authorization request parameters itself by indicating a request_uri
+ parameter.
+ By default, this feature is now restricted to a white list. See
+ Relying-Party security option to fill this field.
+
+ -- Yadd Fri, 29 Sep 2023 17:38:51 +0400
+
lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
AuthBasic now enforces 2FA activation (CVE-2023-28862):
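Review bot: "little-know" in the first line of the new NEWS entry should be "little-known", and the entry should say explicitly what the new default means for RPs that already rely on request_uri (are those authorization requests refused until the list is filled?), naming the option as it appears in the Manager ("Allowed URLs for fetching Request Object" in the documentation hunk) rather than the vague "Relying-Party security option".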
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+ * Fix open redirection when OIDC RP has no redirect uris
+ * Fix open redirection due to incorrect escape handling
+ * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd Fri, 29 Sep 2023 16:35:14 +0400
+
lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
* Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
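Review bot: the two open-redirection entries carry no reference at all (no CVE id, no upstream issue or merge request, no Debian bug), so the security tracker has nothing to link them to; add the upstream issue/MR URLs, as the DEP-3 header of SSRF-issue.patch does for CVE-2023-44469, and note which fix applies only to hand-edited configurations without redirect URIs, as the cover text explains.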
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
- * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+ * Fix auth process in password-testing plugins (Closes: #1005302,
CVE-2021-40874)
-- Yadd Thu, 24 Feb 2022 15:16:09 +0100
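Review bot: rewriting the already-released deb11u1 entry (CVE-2021-20874 becomes CVE-2021-40874, plus Closes: #1005302) is a change to the package that the new deb11u5 entry does not record, although the checklist claims every change is documented; add a line such as "* Fix CVE id and bug reference in the deb11u1 changelog entry" to the new stanza.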
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
lemonldap-ng-manager/site/htdocs/static/js/conftree.js
lemonldap-ng-manager/site/htdocs/static/struct.json
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
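Review bot: adding doc/pages/documentation/current/.buildinfo to debian/clean is a packaging change unrelated to the three security fixes and is not mentioned in the changelog stanza despite the "*all* changes are documented" checklist item; either leave it out of this stable update or add a changelog line stating why it is needed (presumably a leftover of the documentation build that otherwise breaks a second build in the same tree).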
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here:
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd
+Last-Update: 2023-09-23
+
+--- a/doc/sources/admin/idpopenidconnect.rst
b/doc/sources/admin/idpopenidconnect.rst
+@@ -278,6 +278,11 @@
+ the Session Browser.
+- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the
use of the :ref:`Resource Owner Password Credentials Grant
` by this client. This feature only works if you
have configured a form-based authentication module.
+- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``):
Allow the use of the :ref:`Resource Owner Password Credentials Grant
` by this client.
++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``):
++ which URLs may be called by the portal to fetch the request object (see
++ `request_uri
++
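Review bot: the new bullet labels the option "(since version ``2.17.1``)", which is correct for upstream but misleading in the shipped bullseye documentation of a package whose version is 2.0.11+ds-4+deb11u5; drop the version note in the backport or rely on the NEWS entry. The bullet also has a colon both before and after the parenthetical ("Request Object**: (since version ``2.17.1``):"), unlike the neighbouring bullets, and the preceding context line for "Allow OAuth2.0 Client Credentials Grant" still links to the Resource Owner Password Credentials Grant section, a pre-existing copy-paste error in the documentation that deserves its own fix.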