Bug#991421: unblock: lemonldap-ng/2.0.11+ds-4
Hi,
On Fri, Jul 23, 2021 at 08:00:25AM +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: security@debian.org
>
> Please unblock package lemonldap-ng
>
> [ Reason ]
> lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12.
> This update fixes:
> * Session cache corruption can lead to authorization bypass or spoofing
> (Closes: CVE-2021-35472)
> * OAuth2 handler does not verify access token validity
> (Closes: CVE-2021-35473)
> * XSS on register form
> * Bad behavior which displays TOTP secret to connected user and debug logs
>
> [ Impact ]
> One high vulnerability (CVE-2021-35472) and medium others
Additionally, this one also affected buster, and fixes were
released today with DSA 4943-1.
Regards,
Salvatore