
Bug#949702: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

lemonldap-ng is vulnerable to several security issues. This cumulative
patch fixes them:
 - CVE-2019-19791: bad default configuration which does not really
   protect SOAP/REST endpoints
 - When 2FA is used, the grantSession plugin does not filter successful
   connections
 - OIDC relying party restriction introduced in 2.0.0 does not work when
   a previous federation was granted in the same session

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index 454e18b..58fe7cf 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster-security; urgency=high
+
+  This version fixes 3 security issues. However, you must verify 2 things:
+   * if you enabled SOAP/REST plugins, verify in your portal web configuration
+     file that they are well protected (see new default configuration files:
+     /etc/lemonldap-ng/portal-apache2.X.conf and
+     /etc/lemonldap-ng/portal-nginx.conf)
+   * if you enabled OpenID-Connect identity provider, your relaying parties
+     must have a redirection uri. You just have to save a new configuration
+     using the manager and automatic tests will fail if one relying party is
+     misconfigured
+
+ -- Xavier Guimard <yadd@debian.org>  Fri, 20 Dec 2019 18:12:54 +0100
+
 lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium
 
   2.0 is a major release, many things have been changed. You must read
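Review bot: the distribution in the new NEWS entry reads `buster-security; urgency=high` while the changelog entry for the very same version (2.0.2+ds-7+deb10u3) targets `buster; urgency=medium`; for a buster-pu upload the two should agree, so change the NEWS header to `buster`. In the second bullet, "relaying parties" should be "relying parties" (the term is spelled correctly two lines later), and "a redirection uri" would read better as "a redirect URI", matching the `redirect_uri` parameter the fix is about.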
diff --git a/debian/changelog b/debian/changelog
index 0c99af8..e30c7ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
+
+  * Fix default configuration to prevent unwanted access to admin endpoints
+    (Closes: CVE-2019-19791)
+  * Fix the GrantSession plugin which could not prohibit logon when a 2FA was
+    used
+  * Fix for OIDC: any redirection where allowed when relaying party was
+    configured without redirect_uri
+  * Update debian/NEWS
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 23 Jan 2020 22:28:01 +0100
+
 lemonldap-ng (2.0.2+ds-7+deb10u2) buster-security; urgency=high
 
   * Add patch to fix OIDC vulnerabilities (Closes: CVE-2019-15941)
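Review bot: the third bullet has two typos, "any redirection where allowed" should be "any redirection was allowed" and "relaying party" should be "relying party"; it also overstates the fix, because oidc-redirection-test.patch only adds a manager configuration test that refuses to save a configuration whose RPs lack `oidcRPMetaDataOptionsRedirectUris`, and does not itself reject redirections at request time. Suggested wording: "Add a configuration test refusing OIDC relying parties without redirect_uri (an RP configured without one accepted any redirection)". The distribution `buster; urgency=medium` also differs from the `buster-security; urgency=high` used for the same version in debian/NEWS.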
diff --git a/debian/patches/CVE-2019-19791.patch b/debian/patches/CVE-2019-19791.patch
new file mode 100644
index 0000000..908e49f
--- /dev/null
+++ b/debian/patches/CVE-2019-19791.patch
@@ -0,0 +1,219 @@
+Description: default configuration didn't really protect admin endpoint
+ These files are used to provide default LLNG files
+Author: LLNG Authors <lemonldap-ng-dev@ow2.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
+@@ -27,9 +27,9 @@
+       if ( $self->env->{X_ORIGINAL_URI} );
+     $self->env->{PATH_INFO} =~ s|//+|/|g;
+ 
+-    if ( my $tmp = $self->script_name ) {
+-        $self->env->{PATH_INFO} =~ s|^$tmp|/|;
+-    }
++    #if ( my $tmp = $self->script_name ) {
++    #    $self->env->{PATH_INFO} =~ s|^$tmp|/|;
++    #}
+     $self->env->{PATH_INFO} ||= '/';
+     $self->{uri} = uri_unescape( $self->env->{REQUEST_URI} );
+     $self->{uri} =~ s|^//+|/|g;
+--- a/_example/etc/manager-apache2.4.conf
++++ b/_example/etc/manager-apache2.4.conf
+@@ -34,10 +34,10 @@
+     # (configuration, sessions, notifications) as manager.html, sessions.html,
+     # notifications.html and uncomment the 2 following lines:
+     # DirectoryIndex manager.html
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+ 
+     # REST URLs
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+     RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+ 
+     # 2) FastCGI engine
+--- a/_example/etc/manager-apache2.X.conf
++++ b/_example/etc/manager-apache2.X.conf
+@@ -28,10 +28,10 @@
+     # (configuration, sessions, notifications) as manager.html, sessions.html,
+     # notifications.html and uncomment the 2 following lines:
+     # DirectoryIndex manager.html
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+ 
+     # REST URLs
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+     RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+ 
+     # 2) FastCGI engine
+--- a/_example/etc/manager-apache2.conf
++++ b/_example/etc/manager-apache2.conf
+@@ -28,10 +28,10 @@
+     # (configuration, sessions, notifications) as manager.html, sessions.html,
+     # notifications.html and uncomment the 2 following lines:
+     # DirectoryIndex manager.html
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+ 
+     # REST URLs
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+     RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+ 
+     # 2) FastCGI engine
+--- a/_example/etc/portal-apache2.4.conf
++++ b/_example/etc/portal-apache2.4.conf
+@@ -30,8 +30,8 @@
+     # For performances, you can put static html files: simply put the HTML
+     # result (example: /oauth2/checksession.html) as static file. Then
+     # uncomment the following line.
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html$"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+     RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+ 
+     # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-apache2.X.conf
++++ b/_example/etc/portal-apache2.X.conf
+@@ -31,8 +31,8 @@
+     # For performances, you can put static html files: simply put the HTML
+     # result (example: /oauth2/checksession.html) as static file. Then
+     # uncomment the following line.
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html$"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+     RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+ 
+     # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-apache2.conf
++++ b/_example/etc/portal-apache2.conf
+@@ -26,8 +26,8 @@
+     # For performances, you can put static html files: simply put the HTML
+     # result (example: /oauth2/checksession.html) as static file. Then
+     # uncomment the following line.
+-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++    # RewriteCond "%{REQUEST_URI}" "!\.html$"
++    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+     RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+ 
+     # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -42,6 +42,31 @@
+     #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+     #uwsgi_param SCRIPT_NAME $sc;
+ 
++    # REST/SOAP functions for sessions management (disabled by default)
++    location ~ ^/index.psgi/adminSessions {
++      fastcgi_pass llng_portal_upstream;
++      deny all;
++    }
++
++    # REST/SOAP functions for sessions access (disabled by default)
++    location ~ ^/index.psgi/sessions {
++      fastcgi_pass llng_portal_upstream;
++      deny all;
++    }
++
++    # REST/SOAP functions for configuration access (disabled by default)
++    location ~ ^/index.psgi/config {
++      fastcgi_pass llng_portal_upstream;
++      deny all;
++    }
++
++    # REST/SOAP functions for notification insertion (disabled by default)
++    location ~ ^/index.psgi/notification {
++      fastcgi_pass llng_portal_upstream;
++      deny all;
++    }
++
++
+   }
+ 
+   index index.psgi;
+@@ -56,26 +81,6 @@
+     alias __PORTALSTATICDIR__;
+   }
+ 
+-  # REST/SOAP functions for sessions management (disabled by default)
+-  location /index.psgi/adminSessions {
+-    deny all;
+-  }
+-
+-  # REST/SOAP functions for sessions access (disabled by default)
+-  location /index.psgi/sessions {
+-    deny all;
+-  }
+-
+-  # REST/SOAP functions for configuration access (disabled by default)
+-  location /index.psgi/config {
+-    deny all;
+-  }
+-
+-  # REST/SOAP functions for notification insertion (disabled by default)
+-  location /index.psgi/notification {
+-    deny all;
+-  }
+-
+   # DEBIAN
+   # If install was made with USEDEBIANLIBS (official releases), uncomment this
+   location /javascript/ {
+--- a/doc/pages/documentation/current/configlocation.html
++++ b/doc/pages/documentation/current/configlocation.html
+@@ -316,8 +316,8 @@
+     <span class="co1"># For performances, you can put static html files: simply put the HTML</span>
+     <span class="co1"># result (example: /oauth2/checksession.html) as static file. Then</span>
+     <span class="co1"># uncomment the following line.</span>
+-    <span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
+-    <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$&quot;</span>
++    <span class="co1"># RewriteCond &quot;%{REQUEST_URI}&quot; &quot;!\.html$&quot;</span>
++    <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$&quot;</span>
+     <span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/index.fcgi/$1&quot;</span> [PT]
+ &nbsp;
+     <span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span>
+@@ -392,10 +392,10 @@
+     <span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span>
+     <span class="co1"># notifications.html and uncomment the 2 following lines:</span>
+     <span class="co1"># DirectoryIndex manager.html</span>
+-    <span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
++    <span class="co1"># RewriteCond &quot;%{REQUEST_URI}&quot; &quot;!\.html$&quot;</span>
+ &nbsp;
+     <span class="co1"># REST URLs</span>
+-    <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
++    <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
+     <span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]
+ &nbsp;
+     <span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/
+--- a/doc/pages/documentation/current/performances.html
++++ b/doc/pages/documentation/current/performances.html
+@@ -424,8 +424,8 @@
+ </p>
+ <pre class="code apache"><span class="kw1">RewriteRule</span> <span class="st0">&quot;^/$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi&quot;</span> [PT]
+ <span class="co1"># DirectoryIndex manager.html</span>
+-<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
+-<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
++<span class="co1"># RewriteCond &quot;%{REQUEST_URI}&quot; &quot;!\.html$&quot;</span>
++<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
+ <span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]</pre>
+ 
+ <p>
+@@ -433,8 +433,8 @@
+ </p>
+ <pre class="code apache"><span class="co1"># RewriteRule &quot;^/$&quot; &quot;/psgi/manager-server.fcgi&quot; [PT]</span>
+ <span class="kw1">DirectoryIndex</span> manager.html
+-<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!<span class="es0">\.</span>html$&quot;</span>
+-<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
++<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!<span class="es0">\.</span>html$&quot;</span>
++<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
+ <span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]</pre>
+ 
+ <p>
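Review bot: the configlocation.html hunk (the line `RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"`) only swaps REQUEST_FILENAME for REQUEST_URI and keeps the old `.*\.fcgi)$` tail, whereas the three shipped portal-apache2*.conf files gain `.*\.fcgi(?:/.*)?)$`, so an administrator who copies the documented block ends up with a condition that differs from the packaged default; update the documentation line to the same pattern. In Request.pm the `script_name` stripping is commented out rather than deleted, which leaves dead code with no explanation; either delete the three lines or add a comment stating why PATH_INFO must keep the script-name prefix now that the web server no longer rewrites those requests. In the nginx change, each of the four nested `location ~ ^/index.psgi/...` blocks carries a `fastcgi_pass` that is never reached while `deny all` stands (access phase rejects before the content phase); if it is kept on purpose so the block works once an administrator switches to `allow`, say so in the comment, and escape the dot (`^/index\.psgi/adminSessions`) since an unescaped `.` matches any character. The two consecutive blank lines added before the closing brace should be collapsed to one.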
diff --git a/debian/patches/grantsession-with-2fa.patch b/debian/patches/grantsession-with-2fa.patch
new file mode 100644
index 0000000..ac8b93f
--- /dev/null
+++ b/debian/patches/grantsession-with-2fa.patch
@@ -0,0 +1,26 @@
+Description: grantSession cannot prevent session establishment when 2FA is in use
+Author: Maxime Besson
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/3ee708d
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1965
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
+@@ -97,7 +97,6 @@
+     $req->id( delete $req->sessionInfo->{_2fRealSession} );
+     $req->urldc( delete $req->sessionInfo->{_2fUrldc} );
+     $req->{sessionInfo}->{_utime} = delete $req->{sessionInfo}->{_2fUtime};
+-    $self->p->rebuildCookies($req);
+     $req->mustRedirect(1);
+     $self->userLogger->notice( $self->prefix
+           . '2F verification for '
+@@ -112,6 +111,7 @@
+         [
+             @{ $self->p->afterData },
+             $self->p->validSession,
++            'rebuildCookies',
+             @{ $self->p->endAuth },
+             sub { PE_OK }
+         ]
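Review bot: the reordering has no inline comment saying why `rebuildCookies` now runs as a step after `validSession` instead of being called directly before the processing chain, namely so that the hooks run in `afterData` and `validSession` (GrantSession among them) can refuse the session before the SSO cookie is issued; a one-line comment next to `'rebuildCookies',` would keep a future refactor from moving the call back. The new entry is a method-name string sitting among code references and list expansions, which works only if the process loop resolves names as well as code references; that assumption belongs in the patch Description, as does a pointer to a regression test, since the patch ships none.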
diff --git a/debian/patches/oidc-redirection-test.patch b/debian/patches/oidc-redirection-test.patch
new file mode 100644
index 0000000..cd4ea01
--- /dev/null
+++ b/debian/patches/oidc-redirection-test.patch
@@ -0,0 +1,52 @@
+Description: <short summary of the patch>
+ When LL::NG is configured as OIDC provider and we declare an OIDC RP without
+ configuring oidcRPMetaDataOptionsRedirectUris, the redirection to redirect_uri
+ set by the RP is always granted.
+ .
+ The OpenID Connect core specification [1] says:
+ .
+   redirect_uri
+      REQUIRED. Redirection URI to which the response will be sent. This URI
+      MUST exactly match one of the Redirection URI values for the Client
+      pre-registered at the OpenID Provider
+ .
+ To avoid breaking existing federations, the fix consists to refuse
+ configuration update without valid redirections. An entry in debian/NEWS
+ has to explain that configuration must be checked.
+ .
+ [1]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+Author: Clément Oudot <clem.oudot@gmail.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/17e77d90
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
+@@ -630,6 +630,25 @@
+             return 1;
+         },
+ 
++        # OIDC redirect URI must not be empty
++        oidcRPRedirectURINotEmpty => sub {
++            return 1
++              unless ( $conf->{oidcRPMetaDataOptions}
++                and %{ $conf->{oidcRPMetaDataOptions} } );
++            my @msg;
++            my $res = 1;
++            foreach my $oidcRpId ( keys %{ $conf->{oidcRPMetaDataOptions} } ) {
++                unless ( $conf->{oidcRPMetaDataOptions}->{$oidcRpId}
++                    ->{oidcRPMetaDataOptionsRedirectUris} )
++                {
++                    push @msg,
++                      "$oidcRpId OpenID Connect RP has no redirect URI defined";
++                    $res = 0;
++                    next;
++                }
++            }
++            return ( $res, join( ', ', @msg ) );
++        },
+     };
+ }
+ 
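Review bot: the first `Description:` line is still the template placeholder `<short summary of the patch>`; replace it with a real summary such as "Refuse configurations where an OIDC RP has no redirect URI", and in the long description "the fix consists to refuse" should read "the fix consists in refusing". In the new `oidcRPRedirectURINotEmpty` test the `unless` only checks that `oidcRPMetaDataOptionsRedirectUris` is true, so a value made of whitespace passes; test for a non-blank value (for example `=~ /\S/`) so the manager does not accept an effectively empty list. The `next;` at the end of the `unless` block is redundant because it is the last statement of the loop body and can be dropped.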
diff --git a/debian/patches/series b/debian/patches/series
index 3325284..6b883f8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,6 @@ fix-missing-userControl.diff
 update-translations.diff
 CVE-2019-12046.patch
 CVE-2019-15941-and-other-OIDC-fixes.patch
+CVE-2019-19791.patch
+grantsession-with-2fa.patch
+oidc-redirection-test.patch
