Comment 0 for bug 1829016

Xavier Guimard (x-guimard) wrote :

Hi all,

during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
 - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
   enabled (default) and tokens are stored in the session DB (not default,
   used with poor load-balancers), the token can be used to open an
   anonymous short-lived session (2 min). It allows one to access all
   applications without additional rules
 - [medium] for every version < 2.0.4 or 1.9.19: when SAML/OIDC tokens are
   stored in the session DB (not default), tokens can be used to obtain an
   anonymous session
 - [low] for every version < 2.0.4 or 1.9.19: when self-registration
   is allowed, the mail token can be used to obtain an anonymous session.

You can find the Debian patches here:
 * 1.9.x series (Bionic/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
 * 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch

The 1.9.x patch can be backported to the 1.4.x series (Xenial), but this is not fully tested.

For more, see:
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744

Cheers,
Xavier (yadd) <email address hidden>