[SECURITY] [DLA 1791-1] lemonldap-ng security update



Package        : lemonldap-ng
Version        : 1.9.7-3+deb9u1
CVE ID         : CVE-2019-12046
Debian Bug     : 928944

An attack vector was discovered by the lemonldap-ng developers. When the
SAML or CAS service provider is enabled and the administrator has chosen
to store the SAML/CAS tokens in the session database, an attacker can
open an anonymous session to connect to any protected application that
does not have specific access rules.

For Debian 8 "Jessie", this problem has been fixed in version
1.9.7-3+deb9u1.

We recommend that you upgrade your lemonldap-ng packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS