pkg-perl-maintainers team mailing list archive
Message #03836
[Bug 1829016] Re: CVE-2019-12046: anonymous session allowed when tokens are stored in session DB
Hello,
The bug is easy to fix, at least for 18.04 (just import the Debian package).
Is there a problem with this upgrade?
** Description changed:
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
- enabled (default) and tokens are stored in session DB (not default,
- used with poor load-balancers), the token can be used to open an
- anonymous short-life session (2mn). It allows one to access to all
- aplications without additional rules
- - [medium] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
- stored in sessions DB (not default), tokens can be used to have an
- anonymous session
- - [low] for every versions < 2.0.4 or 1.9.19: when self-registration
- is allowed, mail token can be used to have an anonymous session.
+ - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
+ enabled (default) and tokens are stored in session DB (not default,
+ used with poor load-balancers), the token can be used to open an
+ anonymous short-life session (2mn). It allows one to access to all
+ aplications without additional rules
+ - [high] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
+ stored in sessions DB (not default), tokens can be used to have an
+ anonymous session
+ - [low] for every versions < 2.0.4 or 1.9.19: when self-registration
+ is allowed, mail token can be used to have an anonymous session.
You can find Debian patchs here:
- * 1.9.x series (Bionix/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
- * 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
+ * 1.9.x series (Bionix/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
+ * 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully
tested.
For more, see:
- - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
+ - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
+ - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
+ - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers,
Xavier (yadd) <yadd@xxxxxxxxxx>
--
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to lemonldap-ng in Ubuntu.
https://bugs.launchpad.net/bugs/1829016
Title:
CVE-2019-12046: anonymous session allowed when tokens are stored in
session DB