Bug#934342: stretch-pu: package fusiondirectory/1.0.19-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I just uploaded two fusiondirectory fixes (one bug, one no-dsa CVE) for the next stretch point release:
+ * debian/patches:
+ + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch.
+ Perform stricter check on LDAP success/failure (CVE-2019-11187).
Considered severe issue by upstream, assessment by the security team say:
no-dsa issue. In theory, the flaw that got fixed could let someone into
the FusionDirectory WebUI with a wrong password.
+ * debian/control:
+ + Add to D (fusiondirectory): php-xml. (Closes: #931959).
The installer setup requires php-xml, also valid for fusiondirectory in stretch.
Greets,
Mike
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fusiondirectory-1.0.19/debian/changelog fusiondirectory-1.0.19/debian/changelog
--- fusiondirectory-1.0.19/debian/changelog 2017-01-22 21:54:59.000000000 +0100
+++ fusiondirectory-1.0.19/debian/changelog 2019-08-08 12:01:12.000000000 +0200
@@ -1,3 +1,13 @@
+fusiondirectory (1.0.19-1+deb9u1) stretch; urgency=medium
+
+ * debian/patches:
+ + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch.
+ Perform stricter check on LDAP success/failure (CVE-2019-11187).
+ * debian/control:
+ + Add to D (fusiondirectory): php-xml. (Closes: #931959).
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 08 Aug 2019 12:01:12 +0200
+
fusiondirectory (1.0.19-1) unstable; urgency=medium
[ Benoit Mortier ]
diff -Nru fusiondirectory-1.0.19/debian/control fusiondirectory-1.0.19/debian/control
--- fusiondirectory-1.0.19/debian/control 2017-01-22 21:52:35.000000000 +0100
+++ fusiondirectory-1.0.19/debian/control 2019-08-08 12:01:12.000000000 +0200
@@ -43,6 +43,7 @@
php-ldap,
php-recode,
schema2ldif,
+ php-xml,
smarty-gettext (>= 1.1),
smarty3,
${misc:Depends},
diff -Nru fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch
--- fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 1970-01-01 01:00:00.000000000 +0100
+++ fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 2019-08-08 12:01:12.000000000 +0200
@@ -0,0 +1,32 @@
+From f2fd17d4ddead5d3b61ddebf5fd21e043bda30be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
+Date: Mon, 29 Jul 2019 09:32:22 +0000
+Subject: [PATCH] Merge branch 'stricter-ldap-error-check' into '1.4-dev'
+
+:ambulance: fix(ldap) Use a stricter error check in ldap::success()
+
+See merge request fusiondirectory/fd!648
+
+(cherry picked from commit 29ca9876df28e45bb8f4f8960f3760c336936dfc)
+
+23936352 :ambulance: fix(ldap) Use a stricter error check in ldap::success()
+---
+ core/include/class_ldap.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/include/class_ldap.inc b/core/include/class_ldap.inc
+index e5b04c28..54090353 100644
+--- a/core/include/class_ldap.inc
++++ b/core/include/class_ldap.inc
+@@ -906,7 +906,7 @@ class LDAP
+ */
+ function success()
+ {
+- return preg_match('/Success/i', $this->error);
++ return (trim($this->error) === 'Success');
+ }
+
+ /*!
+--
+2.21.0
+
diff -Nru fusiondirectory-1.0.19/debian/patches/series fusiondirectory-1.0.19/debian/patches/series
--- fusiondirectory-1.0.19/debian/patches/series 2016-11-26 20:01:13.000000000 +0100
+++ fusiondirectory-1.0.19/debian/patches/series 2019-08-08 12:01:12.000000000 +0200
@@ -2,3 +2,4 @@
2001_fusiondirectory-apache.patch
2002_fusiondirectory-headers.patch
2003_fusiondirectory-setup.patch
+0001_CVE-2019-11187_stricter-ldap-error-check.patch
Reply to: