[Bug 1829016] Re: CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

2019-06-25 Thread Xavier Guimard
Is there a security team in Ubuntu?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12046

** Tags added: community-security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1829016

Title:
  CVE-2019-12046: anonymous session allowed when tokens are stored in
  session DB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lemonldap-ng/+bug/1829016/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1829016] Re: CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

2019-06-04 Thread Xavier Guimard
Hello,

The bug is easy to fix, at least for 18.04 (just import the Debian package).
Is there a problem with this upgrade?

** Description changed:

  Hi all,
  
  during an internal audit, one of lemonldap-ng's developers discovered an
  attack vector. It opens 3 security issues:
-  - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
-enabled (default) and tokens are stored in session DB (not default,
-used with poor load-balancers), the token can be used to open an
-anonymous short-life session (2mn). It allows one to access to all
-aplications without additional rules
-  - [medium] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
-stored in sessions DB (not default), tokens can be used to have an
-anonymous session
-  - [low] for every versions < 2.0.4 or 1.9.19: when self-registration
-is allowed, mail token can be used to have an anonymous session.
+  - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
+    enabled (default) and tokens are stored in session DB (not default,
+    used with poor load-balancers), the token can be used to open an
+    anonymous short-life session (2mn). It allows one to access to all
+    aplications without additional rules
+  - [high] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
+    stored in sessions DB (not default), tokens can be used to have an
+    anonymous session
+  - [low] for every versions < 2.0.4 or 1.9.19: when self-registration
+    is allowed, mail token can be used to have an anonymous session.
  
  You can find Debian patchs here:
-  * 1.9.x series (Bionix/Cosmic): 
https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
-  * 2.0.x series (Disco): 
https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
+  * 1.9.x series (Bionix/Cosmic): 
https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
+  * 2.0.x series (Disco): 
https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
  
  1.9.x patch can be backported to 1.4.x series (Xenial), not fully
  tested.
  
  For more, see:
-  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
-  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
-  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
-  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
+  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
+  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
+  - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
  
  Cheers,
  Xavier (yadd) 


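Added example (not part of the bug report and not LemonLDAP::NG's own code): a minimal model of the defect described above, in which tokens and authenticated sessions share one backend. A lookup that treats any live record as a session is shown beside one that also checks the record's kind and identity. The store layout, field names (`_kind`, `_user`, `_authLevel`), function names and TTL values are assumptions made for this illustration; only the roughly two-minute token lifetime comes from the report.

```python
"""Illustration (assumed names and layout, not the project's code) of why a
token record in the session DB must never be accepted as a session."""
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL = 3600   # assumed lifetime of an authenticated session, seconds
TOKEN_TTL = 120      # report: tokens live about 2 minutes

# One backend shared by sessions and tokens (the non-default setup in the report).
STORE: Dict[str, dict] = {}


def _put(kind: str, ttl: int, **fields) -> str:
    """Store a record under a fresh random id and return that id."""
    sid = secrets.token_hex(16)
    STORE[sid] = {"_kind": kind, "_expires": time.time() + ttl, **fields}
    return sid


def create_session(user: str, auth_level: int = 2) -> str:
    """An authenticated SSO session: carries an identity and an auth level."""
    return _put("session", SESSION_TTL, _user=user, _authLevel=auth_level)


def create_csrf_token() -> str:
    """A short-lived token record with no identity attached."""
    return _put("token", TOKEN_TTL)


def _live(sid: str) -> Optional[dict]:
    """Return the record if it exists and has not expired, else None."""
    rec = STORE.get(sid)
    if rec is None or rec["_expires"] < time.time():
        return None
    return rec


def resolve_session_vulnerable(sid: str) -> Optional[dict]:
    """Defective check: 'id exists and is unexpired' is read as 'this is an
    authenticated session', so a token id passes and yields an anonymous
    session for as long as the token lives."""
    return _live(sid)


def resolve_session_hardened(sid: str) -> Optional[dict]:
    """Require kind == 'session' AND a bound identity. Token records never
    satisfy this, whichever backend they happen to share with sessions."""
    rec = _live(sid)
    if rec is None or rec.get("_kind") != "session" or not rec.get("_user"):
        return None
    return rec


def is_authenticated(resolver: Callable[[str], Optional[dict]], sid: str) -> bool:
    return resolver(sid) is not None


if __name__ == "__main__":
    s = create_session("alice")   # constructed sample session
    t = create_csrf_token()       # constructed sample token
    print("vulnerable lookup accepts token :", is_authenticated(resolve_session_vulnerable, t))
    print("hardened lookup accepts token   :", is_authenticated(resolve_session_hardened, t))
    print("hardened lookup accepts session :", is_authenticated(resolve_session_hardened, s))
```

Keeping tokens in a separate namespace or backend removes the overlap entirely, but the check on the record's kind and identity still belongs in the session resolver, since it is the only place that decides what counts as an authenticated session.
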
[Bug 1829016] Re: CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

2019-05-20 Thread Xavier Guimard
Debian version 1.3.3-1+deb8u1 (LTS) also fixes this bug for 1.3.x
versions.


[Bug 1829016] Re: CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

2019-05-15 Thread Steve Beattie
Making public as the issues are public elsewhere.

** Information type changed from Private Security to Public Security

** Changed in: lemonldap-ng (Ubuntu)
   Status: New => Confirmed

** Changed in: lemonldap-ng (Ubuntu)
   Importance: Undecided => High
