Your message dated Sat, 01 Aug 2020 12:51:28 +0100 with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 10.5 point release has caused the Debian Bug report #960395, regarding buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 960395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960395 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4
- From: Xavier Guimard <yadd@debian.org>
- Date: Tue, 12 May 2020 11:07:26 +0200
- Message-id: <158927444611.2537342.7709451290075710390.reportbug@deb007.xnr.fr>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Hi, I introduced a bug in nginx configuration while fixing CVE-2019-19791. Here is the fix. Cheers, Xavierdiff --git a/debian/changelog b/debian/changelog index 3eb7087d9..e4b3abe17 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.0.2+ds-7+deb10u4) buster; urgency=medium + + * Fix nginx configuration regression introduced by CVE-2019-19791 fix + (Closes: #960392) + + -- Xavier Guimard <yadd@debian.org> Tue, 12 May 2020 10:59:43 +0200 + lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium * Fix default configuration to prevent unwanted access to admin endpoints diff --git a/debian/patches/CVE-2019-19791.patch b/debian/patches/CVE-2019-19791.patch index 908e49f2c..4eeda1017 100644 --- a/debian/patches/CVE-2019-19791.patch +++ b/debian/patches/CVE-2019-19791.patch @@ -108,7 +108,16 @@ Last-Update: 2019-12-20 # Note that Content-Security-Policy header is generated by portal itself --- a/_example/etc/portal-nginx.conf +++ b/_example/etc/portal-nginx.conf -@@ -42,6 +42,31 @@ +@@ -1,3 +1,8 @@ ++# FastCGI backend definition ++upstream llng_portal_upstream { ++ server unix:__FASTCGISOCKDIR__/llng-fastcgi.sock; ++} ++ + server { + listen __PORT__; + server_name auth.__DNSDOMAIN__; +@@ -42,6 +47,31 @@ #uwsgi_param SCRIPT_FILENAME $document_root$sc; #uwsgi_param SCRIPT_NAME $sc; @@ -140,7 +149,7 @@ Last-Update: 2019-12-20 } index index.psgi; -@@ -56,26 +81,6 @@ +@@ -56,26 +86,6 @@ alias __PORTALSTATICDIR__; }
--- End Message ---
--- Begin Message ---
- To: 931678-done@bugs.debian.org, 947351-done@bugs.debian.org, 947758-done@bugs.debian.org, 948652-done@bugs.debian.org, 953763-done@bugs.debian.org, 954020-done@bugs.debian.org, 954716-done@bugs.debian.org, 959661-done@bugs.debian.org, 959890-done@bugs.debian.org, 960020-done@bugs.debian.org, 960376-done@bugs.debian.org, 960395-done@bugs.debian.org, 960575-done@bugs.debian.org, 960600-done@bugs.debian.org, 960804-done@bugs.debian.org, 960806-done@bugs.debian.org, 960836-done@bugs.debian.org, 960885-done@bugs.debian.org, 960974-done@bugs.debian.org, 961019-done@bugs.debian.org, 961212-done@bugs.debian.org, 961275-done@bugs.debian.org, 961379-done@bugs.debian.org, 961439-done@bugs.debian.org, 961441-done@bugs.debian.org, 961514-done@bugs.debian.org, 961803-done@bugs.debian.org, 961833-done@bugs.debian.org, 961921-done@bugs.debian.org, 961936-done@bugs.debian.org, 961944-done@bugs.debian.org, 961978-done@bugs.debian.org, 962059-done@bugs.debian.org, 962067-done@bugs.debian.org, 962160-done@bugs.debian.org, 962227-done@bugs.debian.org, 962237-done@bugs.debian.org, 962255-done@bugs.debian.org, 962306-done@bugs.debian.org, 962982-done@bugs.debian.org, 963024-done@bugs.debian.org, 963267-done@bugs.debian.org, 963591-done@bugs.debian.org, 963595-done@bugs.debian.org, 963694-done@bugs.debian.org, 963796-done@bugs.debian.org, 963940-done@bugs.debian.org, 963986-done@bugs.debian.org, 964146-done@bugs.debian.org, 964158-done@bugs.debian.org, 964228-done@bugs.debian.org, 964338-done@bugs.debian.org, 964346-done@bugs.debian.org, 964350-done@bugs.debian.org, 964397-done@bugs.debian.org, 964412-done@bugs.debian.org, 964417-done@bugs.debian.org, 964422-done@bugs.debian.org, 964435-done@bugs.debian.org, 964574-done@bugs.debian.org, 964589-done@bugs.debian.org, 964712-done@bugs.debian.org, 964714-done@bugs.debian.org, 964715-done@bugs.debian.org, 964726-done@bugs.debian.org, 964740-done@bugs.debian.org, 964792-done@bugs.debian.org, 964807-done@bugs.debian.org, 964808-done@bugs.debian.org, 964860-done@bugs.debian.org, 964868-done@bugs.debian.org, 964898-done@bugs.debian.org, 964986-done@bugs.debian.org, 965116-done@bugs.debian.org, 965117-done@bugs.debian.org, 965257-done@bugs.debian.org, 965377-done@bugs.debian.org, 966151-done@bugs.debian.org, 966213-done@bugs.debian.org, 966247-done@bugs.debian.org, 966272-done@bugs.debian.org, 966310-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 10.5 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 01 Aug 2020 12:51:28 +0100
- Message-id: <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 10.5 Hi, Each of these bugs relates to an update that was included in today's stable point release. Regards, Adam
--- End Message ---