
Bug#696516: marked as done (unblock: lemonldap-ng/1.1.2-5+deb70u1)



Your message dated Tue, 25 Dec 2012 12:26:11 +0000
with message-id <ec1b048dca705c33963ae45801fa8fb1@mail.adsl.funky-badger.org>
and subject line Re: Bug#696516: unblock: lemonldap-ng/1.1.2-5+deb70u1
has caused the Debian Bug report #696516,
regarding unblock: lemonldap-ng/1.1.2-5+deb70u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
696516: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696516
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lemonldap-ng

Hi all,

We'd like to have an unblock to push lemonldap-ng_1.1.2-5+deb70u1.
This release will contain:
* the security fix to close #696329
* the pt_BR.po file to close #693366

Best regards,
Xavier

unblock lemonldap-ng/1.1.2-5+deb70u1

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru lemonldap-ng-1.1.2/debian/changelog lemonldap-ng-1.1.2/debian/changelog
--- lemonldap-ng-1.1.2/debian/changelog	2012-03-24 17:59:00.000000000 +0100
+++ lemonldap-ng-1.1.2/debian/changelog	2012-12-21 06:03:04.000000000 +0100
@@ -1,3 +1,10 @@
+lemonldap-ng (1.1.2-5+deb70u1) testing-proposed-updates; urgency=high
+
+  * Fix for CVE-2012-6426 (Closes: #696329)
+  * Brazilian translation (Closes: #693366)
+
+ -- Xavier Guimard <x.guimard@free.fr>  Thu, 20 Dec 2012 06:41:50 +0100
+
 lemonldap-ng (1.1.2-5) unstable; urgency=low
 
   * Remove some mistakes reported by
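Review bot: The version in the new changelog entry, `1.1.2-5+deb70u1`, does not match the string approved later in this thread (`1.1.2-5+deb7u1`); change the first line of the entry to `lemonldap-ng (1.1.2-5+deb7u1) testing-proposed-updates; urgency=high` before uploading. The CVE line could also say what was wrong (SAML signatures were never checked, per the patch description) so the entry is readable without following the bug link.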
diff -Nru lemonldap-ng-1.1.2/debian/patches/series lemonldap-ng-1.1.2/debian/patches/series
--- lemonldap-ng-1.1.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ lemonldap-ng-1.1.2/debian/patches/series	2012-12-19 22:16:19.000000000 +0100
@@ -0,0 +1 @@
+verify-saml-signatures.patch
diff -Nru lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch
--- lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch	1970-01-01 01:00:00.000000000 +0100
+++ lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch	2012-12-19 22:21:48.000000000 +0100
@@ -0,0 +1,146 @@
+Description: Verify SAML signature
+ Due to a bad use of Lasso library, SAML signatures are never checked, even if
+ we force signature check.
+ [CVE-2012-6426]
+Author: Clément OUDOT <coudot@linagora.com>
+Bug: http://jira.ow2.org/browse/LEMONLDAP-570
+Bug-Debian: http://bugs.debian.org/696329
+Forwarded: yes
+Reviewed-By: Xavier Guimard <x.guimard@free.fr>
+Last-Update: 2012-12-19
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+@@ -2218,6 +2218,21 @@
+     return $self->checkLassoError($@);
+ }
+ 
++## @method boolean forceSignatureVerification(Lasso::Profile profile)
++# Modify Lasso signature hint to force signature verification
++# @param profile Lasso profile object
++# @return result
++sub forceSignatureVerification {
++    my ( $self, $profile ) = splice @_;
++
++    eval {
++        Lasso::Profile::set_signature_verify_hint( $profile,
++            Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
++    };
++
++    return $self->checkLassoError($@);
++}
++
+ ## @method string getAuthnContext(string context)
+ # Convert configuration string into SAML2 AuthnContextClassRef string
+ # @param context configuration string
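Review bot: The doc block on `forceSignatureVerification` says only `@return result`; since the sub returns `$self->checkLassoError($@)`, document that the value is true when the hint was set without a Lasso error, so callers know it is meant to be tested. The `eval` also swallows any failure of `Lasso::Profile::set_signature_verify_hint`, and this hunk does not show whether `checkLassoError` logs it; an explicit error log on failure would make a fall-back to the default hint visible.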
+@@ -3223,6 +3238,10 @@
+ 
+ Modify Lasso signature hint to disable signature verification
+ 
++=head2 forceSignatureVerification
++
++Modify Lasso signature hint to force signature verification
++
+ =head2 getAuthnContext
+ 
+ Convert configuration string into SAML2 AuthnContextClassRef string
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+@@ -125,7 +125,18 @@
+               ->{samlIDPMetaDataOptionsCheckSSOMessageSignature};
+ 
+             if ($checkSSOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($login) ) {
++
++                $self->forceSignatureVerification($login);
++
++                if ($artifact) {
++                    $result = $self->processArtResponseMsg( $login, $response );
++                }
++                else {
++                    $result =
++                      $self->processAuthnResponseMsg( $login, $response );
++                }
++
++                unless ($result) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     return PE_SAML_SIGNATURE_ERROR;
+                 }
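Review bot: The return value of `$self->forceSignatureVerification($login);` is discarded, so if setting the hint fails the message is still processed without verification being forced. Fail closed at that line, for example `return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($login);`, and do the same at the other call sites in this patch. `$result`, `$artifact` and `$response` are not declared in the visible lines, so confirm they are in scope at this point.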
+@@ -406,7 +417,12 @@
+               ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
+ 
+             if ($checkSLOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($logout) ) {
++
++                $self->forceSignatureVerification($logout);
++
++                $result = $self->processLogoutResponseMsg( $logout, $response );
++
++                unless ($result) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     return PE_SAML_SIGNATURE_ERROR;
+                 }
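Review bot: `unless ($result)` now fires for whatever reason `processLogoutResponseMsg` fails, not only a bad signature, yet the log text is still "Signature is not valid". Log the Lasso error that caused the failure, or reword the message to cover both cases, so operators can tell a message with an invalid signature from a malformed one.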
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+@@ -150,7 +150,17 @@
+               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
+ 
+             if ($checkSSOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($login) ) {
++
++                $self->forceSignatureVerification($login);
++
++                if ($artifact) {
++                    $result = $self->processArtResponseMsg( $login, $request );
++                }
++                else {
++                    $result = $self->processAuthnRequestMsg( $login, $request );
++                }
++
++                unless ($result) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     return PE_SAML_SIGNATURE_ERROR;
+                 }
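Review bot: In the artifact branch, `processArtResponseMsg( $login, $request )` passes a variable named `$request` to a response-processing method, which reads like a copy-paste slip next to `processAuthnRequestMsg( $login, $request )`. If the artifact response is what carries the request on this side, say so in a one-line comment above the call; otherwise correct the argument.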
+@@ -278,7 +288,10 @@
+               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
+ 
+             if ($checkSLOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($logout) ) {
++
++                $self->forceSignatureVerification($logout);
++
++                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     $self->sendSLOErrorResponse( $logout, $method );
+                 }
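Review bot: Unlike the SSO branches, which `return PE_SAML_SIGNATURE_ERROR`, the failure path here ends with `$self->sendSLOErrorResponse( $logout, $method );` and no `return` is visible in the hunk. Confirm that `sendSLOErrorResponse` ends request handling; if it does not, add an explicit return so a logout request that fails verification is not acted on.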
+@@ -1201,7 +1214,17 @@
+               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
+ 
+             if ($checkSSOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($login) ) {
++
++                $self->forceSignatureVerification($login);
++
++                if ($artifact) {
++                    $result = $self->processArtResponseMsg( $login, $request );
++                }
++                else {
++                    $result = $self->processAuthnRequestMsg( $login, $request );
++                }
++
++                unless ($result) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     return PE_SAML_SIGNATURE_ERROR;
+                 }
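Review bot: This block is line for line the same as the change at `@@ -150,7 +150,17 @@` in the same file. Move the force-hint, process and check-result sequence into one helper in `_SAML.pm` and call it from both places, and from `AuthSAML.pm`, so a later fix to the verification path cannot miss one copy.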
+@@ -1864,7 +1887,10 @@
+               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
+ 
+             if ($checkSLOMessageSignature) {
+-                unless ( $self->checkSignatureStatus($logout) ) {
++
++                $self->forceSignatureVerification($logout);
++
++                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
+                     $self->lmLog( "Signature is not valid", 'error' );
+                     $self->sendSLOErrorResponse( $logout, $method );
+                 }
diff -Nru lemonldap-ng-1.1.2/debian/po/pt_BR.po lemonldap-ng-1.1.2/debian/po/pt_BR.po
--- lemonldap-ng-1.1.2/debian/po/pt_BR.po	1970-01-01 01:00:00.000000000 +0100
+++ lemonldap-ng-1.1.2/debian/po/pt_BR.po	2012-12-20 07:10:41.000000000 +0100
@@ -0,0 +1,145 @@
+# Debconf translations for lemonldap-ng.
+# Copyright (C) 2012 THE lemonldap-ng'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the lemonldap-ng package.
+# Adriano Rafael Gomes <adrianorg@gmail.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: lemonldap-ng 1.2.2-1\n"
+"Report-Msgid-Bugs-To: lemonldap-ng@packages.debian.org\n"
+"POT-Creation-Date: 2010-12-04 23:10+0100\n"
+"PO-Revision-Date: 2012-11-15 18:04-0200\n"
+"Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n"
+"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
+"org>\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:1001
+msgid "LDAP server:"
+msgstr "Servidor LDAP:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:1001
+msgid ""
+"Set here name or IP address of the LDAP server that has to be used by "
+"Lemonldap::NG. You can modify this value later using the Lemonldap::NG "
+"manager."
+msgstr ""
+"Informe aqui o nome ou endereço IP do servidor LDAP que deve ser usado pelo "
+"Lemonldap::NG. Você pode modificar esse valor mais tarde usando o "
+"gerenciador do Lemonldap::NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:2001
+msgid "Lemonldap::NG DNS domain:"
+msgstr "Domínio DNS do Lemonldap::NG:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:2001
+msgid ""
+"Set here the main domain protected by Lemonldap::NG. You can modify this "
+"value later using the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui o domínio principal protegido pelo Lemonldap::NG. Você pode "
+"modificar esse valor mais tarde usando o gerenciador do Lemonldap::NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:3001
+msgid "Lemonldap::NG portal:"
+msgstr "Portal do Lemonldap::NG:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:3001
+msgid ""
+"Set here the Lemonldap::NG portal URL. You can modify this value later using "
+"the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui a URL do portal do Lemonldap::NG. Você pode modificar esse "
+"valor mais tarde usando o gerenciador do Lemonldap::NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:4001
+msgid "LDAP server port:"
+msgstr "Porta do servidor LDAP:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:4001
+msgid ""
+"Set here the port used by the LDAP server. You can modify this value later "
+"using the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui a porta usada pelo servidor LDAP. Você pode modificar esse "
+"valor mais tarde usando o gerenciador do Lemonldap::NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:5001
+msgid "LDAP search base:"
+msgstr "Base de busca LDAP:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:5001
+msgid ""
+"Set here the search base to use in LDAP queries. You can modify this value "
+"later using the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui a base de busca (\"search base\") para usar nas pesquisas LDAP. "
+"Você pode modificar esse valor mais tarde usando o gerenciador do Lemonldap::"
+"NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:6001
+msgid "LDAP account:"
+msgstr "Conta LDAP:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:6001
+msgid ""
+"Set here the account that Lemonldap::NG has to use for its LDAP requests. "
+"Leaving it blank causes Lemonldap::NG to use anonymous connections. You can "
+"modify this value later using the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui a conta que o Lemonldap::NG deve usar para suas requisições "
+"LDAP. Deixá-la em branco faz com que o Lemonldap::NG use conexões anônimas. "
+"Você pode modificar esse valor mais tarde usando o gerenciador do Lemonldap::"
+"NG."
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:7001
+msgid "LDAP password:"
+msgstr "Senha LDAP:"
+
+#. Type: string
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:7001
+msgid ""
+"Set here the password for the Lemonldap::NG LDAP account. You can modify "
+"this value later using the Lemonldap::NG manager."
+msgstr ""
+"Informe aqui a senha para a conta LDAP do Lemonldap::NG. Você pode modificar "
+"esse valor mais tarde usando o gerenciador do Lemonldap::NG."
+
+#. Type: boolean
+#. Description
+#: ../liblemonldap-ng-conf-perl.templates:8001
+msgid ""
+"Lemonldap::NG configuration files have changed, try to migrate your files?"
+msgstr ""
+"Os arquivos de configuração do Lemonldap::NG mudaram, tentar migrar os seus "
+"arquivos?"
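Review bot: The header line `"Project-Id-Version: lemonldap-ng 1.2.2-1\n"` names a version that does not match the 1.1.2 package this debdiff targets. If the translation was prepared against a different set of templates, check that every `msgid` matches the templates shipped with 1.1.2-5 and correct the header; the placeholder `THE lemonldap-ng'S COPYRIGHT HOLDER` in the copyright comment could be filled in at the same time.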

--- End Message ---
--- Begin Message ---
On 24.12.2012 20:24, gregor herrmann wrote:
On Mon, 24 Dec 2012 20:04:32 +0000, Adam D. Barratt wrote:

>> It looks like #696329 isn't fixed in unstable yet? What's the progress
>> on that? In general we'd expect fixes going via t-p-u to have been
>> applied to unstable first where appropriate, to give them some more
>> exposure / testing.
[...]
> gregoa has done it just now (there were many other changes to check).

Thanks. Please go ahead.

Thank you.
Upload (as clarified on IRC) as 1.1.2-5+deb7u1.

Approved; thanks.

Regards,

Adam

--- End Message ---
