Bug#960395: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I introduced a bug in nginx configuration while fixing CVE-2019-19791.
Here is the fix.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 3eb7087d9..e4b3abe17 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.2+ds-7+deb10u4) buster; urgency=medium
+
+ * Fix nginx configuration regression introduced by CVE-2019-19791 fix
+ (Closes: #960392)
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 12 May 2020 10:59:43 +0200
+
lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
* Fix default configuration to prevent unwanted access to admin endpoints
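Review bot: the new entry for 2.0.2+ds-7+deb10u4 says only "Fix nginx configuration regression" and does not name what was broken. The accompanying patch change adds the "upstream llng_portal_upstream" definition to _example/etc/portal-nginx.conf, so the bullet should say that (for example "add missing llng_portal_upstream definition to portal-nginx.conf"). That lets release reviewers and administrators tell from the changelog alone whether their portal vhost is affected.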
diff --git a/debian/patches/CVE-2019-19791.patch b/debian/patches/CVE-2019-19791.patch
index 908e49f2c..4eeda1017 100644
--- a/debian/patches/CVE-2019-19791.patch
+++ b/debian/patches/CVE-2019-19791.patch
@@ -108,7 +108,16 @@ Last-Update: 2019-12-20
# Note that Content-Security-Policy header is generated by portal itself
--- a/_example/etc/portal-nginx.conf
+++ b/_example/etc/portal-nginx.conf
-@@ -42,6 +42,31 @@
+@@ -1,3 +1,8 @@
++# FastCGI backend definition
++upstream llng_portal_upstream {
++ server unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++}
++
+ server {
+ listen __PORT__;
+ server_name auth.__DNSDOMAIN__;
+@@ -42,6 +47,31 @@
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
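Review bot: the added "upstream llng_portal_upstream" block sits at file scope at the top of _example/etc/portal-nginx.conf, so it ends up in the http context of whatever includes this file. nginx refuses to load a configuration with two upstreams of the same name, so please confirm no other shipped example file defines llng_portal_upstream too. Also confirm that "__FASTCGISOCKDIR__" in the "server unix:" line is substituted at install time the same way as "__PORT__" and "__DNSDOMAIN__", otherwise the socket path stays a literal placeholder. The renumbering of the following inner hunk from +42 to +47 matches the five added lines.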
@@ -140,7 +149,7 @@ Last-Update: 2019-12-20
}
index index.psgi;
-@@ -56,26 +81,6 @@
+@@ -56,26 +86,6 @@
alias __PORTALSTATICDIR__;
}
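Review bot: the hunk header context still shows "Last-Update: 2019-12-20" for debian/patches/CVE-2019-19791.patch, and no visible hunk touches that DEP-3 field although the patch content changes here. Please bump Last-Update to the date of this revision so the patch metadata reflects the regression fix. The inner header change from +81 to +86 is consistent with the five lines added at the top of portal-nginx.conf.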