Bug#991421: unblock: lemonldap-ng/2.0.11+ds-4



Hi,

On Fri, Jul 23, 2021 at 08:00:25AM +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: security@debian.org
> 
> Please unblock package lemonldap-ng
> 
> [ Reason ]
> lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12.
> This update fixes:
>  * Session cache corruption can lead to authorization bypass or spoofing
>    (Closes: CVE-2021-35472)
>  * OAuth2 handler does not verify access token validity
>    (Closes: CVE-2021-35473)
>  * XSS on register form
>  * Bad behavior which displays TOTP secret to connected user and debug logs
> 
> [ Impact ]
> One high vulnerability (CVE-2021-35472) and medium others

Additionally, this one affected buster as well, and fixes were
released today with DSA 4943-1.

Regards,
Salvatore
