
Bug#949702: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u3



Control: tags -1 + confirmed

On Thu, 2020-01-23 at 22:36 +0100, Xavier Guimard wrote:
> lemonldap-ng is vulnerable to several security issues. This
> cumulative patch fixes them:
>  - CVE-2019-19791: bad default configuration which does not really
>    protect SOAP/REST endpoints
>  - When 2FA is used, the grantSession plugin does not filter
>    successful connections
>  - OIDC relying party restriction introduced in 2.0.0 does not work
>    when a previous federation was granted in the same session
> 

--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster-security; urgency=high
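
Review bot: the distribution on the added debian/NEWS header line is buster-security, while this request is a buster-pu upload, so that field should read buster. It is worth checking that the debian/changelog entry for 2.0.2+ds-7+deb10u3 names the same distribution, so the two files agree when the package is uploaded.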

That should just be "buster".

Please go ahead.

Regards,

Adam

