
Bug#929611: marked as done (stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2)



Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #929611,
regarding stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi all,

Fix for CVE-2019-12046 (#928944) introduced a regression in the cross-domain
feature. It has been fixed by upstream and tested by Guilhem Moulin
<guilhem@debian.org>. The proposed debdiff includes a patch that fixes
this regression and also fixes a little bug, also fixed by upstream (do not
push Access-Control-Allow-Origin on Ajax requests).

Discussion on this regression is at the end of the #928944 issue.

Cheers,
Xavier

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index a1fe37b..930945e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium
+
+  * Fix CDA regression introduced in 1.9.7-3+deb9u1
+
+ -- Xavier Guimard <yadd@debian.org>  Mon, 27 May 2019 10:35:48 +0200
+
 lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium
 
   * Add patch to fix token security (Closes: #928944, CVE-2019-12046)
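Review bot: the new changelog entry at the top of this hunk gives no bug reference for the regression it fixes; since the regression discussion lives in #928944 and this update is tracked as #929611, consider wording it as "Fix CDA regression introduced in 1.9.7-3+deb9u1 (see #928944)" so the point-release changelog links back to the report the way the deb9u1 entry below it does.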
diff --git a/debian/patches/CDA-regression.patch b/debian/patches/CDA-regression.patch
new file mode 100644
index 0000000..242ce9c
--- /dev/null
+++ b/debian/patches/CDA-regression.patch
@@ -0,0 +1,62 @@
+Description: CDA regression fix
+ Fix for #928944 (CVE-2019-12046) introduced a regression in cross-domain
+ feature. This diff fix it and fix also a little issue when portal is called
+ using an Ajax request: it must not send Access-Control-Allow-Origin header.
+ (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1519)
+Author: Clément Oudot <clement@oodo.net>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1756
+Bug-Debian: https://bugs.debian.org/928944
+Forwarded: not-needed
+Reviewed-By: Guilhem Moulin <guilhem@debian.org>
+Last-Update: 2019-05-27
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+@@ -1049,7 +1049,7 @@
+ 
+ }
+ 
+-## @method void updateSession(hashRef infos, string id)
++## @method void updateSession(hashRef infos, string id, string kind)
+ # Update session stored.
+ # If no id is given, try to get it from cookie.
+ # If the session is available, update datas with $info.
+@@ -1057,9 +1057,10 @@
+ # server local cache, if there are several LL::NG servers.
+ # @param infos hash reference of information to update
+ # @param id Session ID
++# @param kind Session kind
+ # @return nothing
+ sub updateSession {
+-    my ( $self, $infos, $id ) = @_;
++    my ( $self, $infos, $id, $kind ) = @_;
+ 
+     # Return if no infos to update
+     return () unless ( ref $infos eq 'HASH' and %$infos );
+@@ -1084,7 +1085,7 @@
+         }
+ 
+         # Update session in global storage
+-        if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) {
++        if ( my $apacheSession = $self->getApacheSession( $id, 1, undef, $kind ) ) {
+ 
+             # Store updateTime
+             $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
+@@ -1569,7 +1570,6 @@
+             print $self->header(
+                 -status                        => '401 Unauthorizated',
+                 '-WWW-Authenticate'            => "SSO $self->{portal}",
+-                '-Access-Control-Allow-Origin' => '*',
+             );
+             $self->quit;
+         }
+@@ -2744,7 +2744,7 @@
+                     $cdaInfos->{cookie_name} = $self->{cookieName} . "http";
+                 }
+ 
+-                $self->updateSession( $cdaInfos, $cdaSession->id );
++                $self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' );
+ 
+                 $self->{urldc} .=
+                     ( $self->{urldc} =~ /\?/ ? '&' : '?' )
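Review bot: in the nested Simple.pm hunk at @@ -1084,7 +1085,7 @@, updateSession now forwards $kind as the fourth argument in `$self->getApacheSession( $id, 1, undef, $kind )`, but the only call site updated in this patch is the CDA one (`$self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' )`), so every other caller now passes an undefined kind; the fix therefore relies on getApacheSession treating undef as the previous default, which is not visible here and is worth confirming against the deb9u1 CVE-2019-12046.patch before upload. The removal of `'-Access-Control-Allow-Origin' => '*'` from the 401 response at @@ -1569,7 +1570,6 @@ matches the Description header, and the "401 Unauthorizated" typo in the adjacent context line is pre-existing and out of scope for this backport. One documentation point: the DEP-3 header cites two upstream issues (1519 in Description, 1756 in Bug:) without saying which covers the CDA regression and which the Ajax header change; a short note would help whoever reviews the next backport.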
diff --git a/debian/patches/series b/debian/patches/series
index b13b6df..6551f40 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ avoid-modify-sources.patch
 replace-mouse-by-moose.patch
 Avoid-developer-tests.patch
 CVE-2019-12046.patch
+CDA-regression.patch

--- End Message ---
--- Begin Message ---
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---
