
Bug#991421: unblock: lemonldap-ng/2.0.11+ds-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org

Please unblock package lemonldap-ng

[ Reason ]
lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12.
This update fixes:
 * Session cache corruption can lead to authorization bypass or spoofing
   (Closes: CVE-2021-35472)
 * OAuth2 handler does not verify access token validity
   (Closes: CVE-2021-35473)
 * XSS on register form
 * Bad behavior that displays the TOTP secret to the connected user and in debug logs

[ Impact ]
One high vulnerability (CVE-2021-35472); the others are medium.

[ Tests ]
New upstream test not imported here. Current tests passed (both build
and autopkgtest)

[ Risks ]
Low risk. lemonldap-ng is developed following BDD/TDD, so most features
are tested.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock lemonldap-ng/2.0.11+ds-4
diff --git a/debian/changelog b/debian/changelog
index d3c338880..a56d54279 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+lemonldap-ng (2.0.11+ds-4) unstable; urgency=high
+
+  * Import security fixes from 2.0.12
+    * Session cache corruption can lead to authorization bypass or spoofing
+      (Closes: CVE-2021-35472)
+    * OAuth2 handler does not verify access token validity
+      (Closes: CVE-2021-35473)
+    * Fix XSS on register form
+    * Don't display TOTP secret to connected user, neither in logs
+
+ -- Yadd <yadd@debian.org>  Thu, 22 Jul 2021 22:13:38 +0200
+
 lemonldap-ng (2.0.11+ds-3) unstable; urgency=medium
 
   * Add Breaks+Replaces in lemonldap-ng-handler for
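Review bot: the changelog entry lists four fixes, but the d/patches/series hunk at the end of this debdiff adds six patches; fix-trusted-domain-regex.patch (issue #2535) and fix-trusted-domain-wildcard.patch (issue #2477) are not mentioned, although the checklist says all changes are documented in d/changelog. Add two bullets for them (anchoring of the trusted-domain regexes, rejection of `#` in URL parameters) so the release team sees the full scope of the behaviour change.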
diff --git a/debian/patches/CVE-2021-35472.patch b/debian/patches/CVE-2021-35472.patch
new file mode 100644
index 000000000..16a4e4c10
--- /dev/null
+++ b/debian/patches/CVE-2021-35472.patch
@@ -0,0 +1,30 @@
+Description: fix session cache corruption
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/b6a1f946
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539
+Forwarded: not-needed
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+@@ -139,7 +139,9 @@
+     }
+ 
+     # Try to recover cookie and user session
+-    if (    $id = $class->fetchId($req)
++    $id = $class->fetchId($req);
++    $class->data( {} ) unless($id);
++    if (    $id
+         and $session = $class->retrieveSession( $req, $id ) )
+     {
+ 
+--- a/lemonldap-ng-portal/t/75-2F-Registers.t
++++ b/lemonldap-ng-portal/t/75-2F-Registers.t
+@@ -439,6 +439,7 @@
+         ),
+         'Push U2F signature'
+     );
++    $id = expectCookie($res);
+     ok(
+         $res = $client->_get(
+             '/2fregisters',
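Review bot: the cache reset `$class->data( {} ) unless($id);` only covers the case where no cookie id is found; when `fetchId` returns an id but `retrieveSession( $req, $id )` fails, this hunk leaves whatever `$class->data` held from the previous request in place. Unless the else branch (not shown) clears it, consider resetting the cache unconditionally before the `if`, e.g. `$class->data( {} );` followed by `if ( $id and $session = $class->retrieveSession( $req, $id ) )`, so the stale-session condition this CVE describes cannot recur through the second path. Also, the [Tests] section says no upstream test was imported, yet this patch does change t/75-2F-Registers.t (`$id = expectCookie($res);`); the unblock text should mention that test adjustment.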
diff --git a/debian/patches/CVE-2021-35473.patch b/debian/patches/CVE-2021-35473.patch
new file mode 100644
index 000000000..535252b03
--- /dev/null
+++ b/debian/patches/CVE-2021-35473.patch
@@ -0,0 +1,69 @@
+Description: Add missing access token expiration check in OAuth2 handler
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/23a8a100
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm
+@@ -10,16 +10,17 @@
+ 
+     # Retrieve regular session if this is not an offline access token
+     unless ($offlineId) {
+-        my $data = {
+-            %{
+-                $class->Lemonldap::NG::Handler::Main::retrieveSession( $req,
+-                    $id )
+-            },
+-            $class->_getTokenAttributes($req)
+-        };
++        my $data =
++          $class->Lemonldap::NG::Handler::Main::retrieveSession( $req, $id );
++        if ( ref($data) eq "HASH" ) {
++            $data = { %{$data}, $class->_getTokenAttributes($req) };
+ 
+-        # Update cache
+-        $class->data($data);
++            # Update cache
++            $class->data($data);
++        }
++        else {
++            $req->data->{oauth2_error} = 'invalid_token';
++        }
+         return $data;
+     }
+ 
+@@ -87,6 +88,10 @@
+ 
+     # Get access token session
+     my $infos = $class->getOIDCInfos($access_token);
++    unless ($infos) {
++        $req->data->{oauth2_error} = 'invalid_token';
++        return;
++    }
+ 
+     # Store scope and rpid for future session attributes
+     if ( $infos->{rp} ) {
+@@ -141,6 +146,20 @@
+     unless ( $oidcSession->error ) {
+         $class->logger->debug("Get OIDC session $id");
+ 
++        # Verify that session is valid
++        unless ( $oidcSession->data->{_utime} ) {
++            $class->logger->error("_utime missing from Access Token session");
++            return;
++        }
++
++        my $ttl = $class->tsv->{timeout} - time + $oidcSession->data->{_utime};
++        $class->logger->debug( "Session TTL = " . $ttl );
++
++        if ( time - $oidcSession->data->{_utime} > $class->tsv->{timeout} ) {
++            $class->logger->info("Access Token session $id expired");
++            return;
++        }
++
+         $infos = { %{ $oidcSession->data } };
+     }
+     else {
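Review bot: in the third hunk `$ttl` is computed and only logged, and the expiry decision then repeats the arithmetic as `time - $oidcSession->data->{_utime} > $class->tsv->{timeout}`; writing the check as `if ( $ttl <= 0 )` avoids reading `time` twice and keeps the logged TTL consistent with the decision. In the first hunk the else branch sets `oauth2_error` but still does `return $data;` with whatever non-hash value `retrieveSession` returned; an explicit `return;` would match the `unless ($infos)` path added in the second hunk and give callers a predictable failure value. The expiry bound is the global `tsv->{timeout}` rather than an access-token-specific lifetime, which is worth confirming is the intended limit.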
diff --git a/debian/patches/dont-display-totp-secret.patch b/debian/patches/dont-display-totp-secret.patch
new file mode 100644
index 000000000..d9fd960fa
--- /dev/null
+++ b/debian/patches/dont-display-totp-secret.patch
@@ -0,0 +1,21 @@
+Description: don't display TOTP secret to connected user neither in logs
+Author: Maxime Besson
+Origin: upstream
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm
+@@ -226,10 +226,6 @@
+             return $self->p->sendError( $req, 'notAuthorized', 200 );
+         }
+ 
+-        elsif ( $self->conf->{totp2fDisplayExistingSecret} ) {
+-            $self->logger->debug("User secret = $secret");
+-        }
+-
+         else {
+             return $self->p->sendError( $req, 'totpExistingKey', 200 );
+         }
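Review bot: removing the `elsif ( $self->conf->{totp2fDisplayExistingSecret} )` branch changes control flow, not only the debug log: a user with an existing key who previously fell through when that option was enabled now always reaches `sendError( $req, 'totpExistingKey', 200 )`, so `totp2fDisplayExistingSecret` becomes a no-op. The Description should state that the option is effectively disabled, and the manager/documentation entries for it should be checked so administrators are not left with a setting that silently does nothing.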
diff --git a/debian/patches/fix-trusted-domain-regex.patch b/debian/patches/fix-trusted-domain-regex.patch
new file mode 100644
index 000000000..526b208db
--- /dev/null
+++ b/debian/patches/fix-trusted-domain-regex.patch
@@ -0,0 +1,46 @@
+Description: fix trusted domain regex
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/3b8222ae8
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2535
+Forwarded: not-needed
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+@@ -391,7 +391,7 @@
+             }
+         }
+ 
+-        my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)';
++        my $tmp = '^https?://' . $re->as_string . '(?::\d+)?(?:/|$)';
+         $self->trustedDomainsRe(qr/$tmp/);
+ 
+     }
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -885,14 +885,14 @@
+     my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
+     if ( my $url = $req->urldc ) {
+         $self->logger->debug("Required urldc : $url");
+-        $url =~ s#(https?://[^/]+).*#$1#;
++        $url =~ s#^(https?://[^/]+).*#$1#;
+         $self->logger->debug("Set CSP form-action with urldc : $url");
+         $csp .= " $url";
+     }
+     my $url = $args{params}->{URL};
+     if ( defined $url ) {
+         $self->logger->debug("Required Params URL : $url");
+-        if ( $url =~ s#(https?://[^/]+).*#$1# ) {
++        if ( $url =~ s#^(https?://[^/]+).*#$1# ) {
+             $self->logger->debug("Set CSP form-action with Params URL : $url");
+             $csp .= " $url";
+         }
+@@ -932,7 +932,7 @@
+     # Check if frames need to be embedded
+     my @url;
+     if ( $req->info ) {
+-        @url = map { s#https?://([^/]+).*#$1#; $_ }
++        @url = map { s#^https?://([^/]+).*#$1#; $_ }
+           ( $req->info =~ /<iframe.*?src="(.*?)"/sg );
+     }
+     if (@url) {
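Review bot: anchoring the three regexes with `^` is the right fix, but in the first Run.pm hunk the urldc branch still appends `$url` to the CSP unconditionally after `$url =~ s#^(https?://[^/]+).*#$1#;`, so a value that does not match (no leading scheme) is appended unmodified, whereas the Params URL branch a few lines below only appends when the substitution succeeded. Wrapping the urldc substitution in the same `if ( $url =~ s#...# )` form keeps the two paths consistent. The iframe-src hunk has the same shape: a non-matching src is kept as-is in `@url` by the `; $_` in the map block.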
diff --git a/debian/patches/fix-trusted-domain-wildcard.patch b/debian/patches/fix-trusted-domain-wildcard.patch
new file mode 100644
index 000000000..e7e73fee2
--- /dev/null
+++ b/debian/patches/fix-trusted-domain-wildcard.patch
@@ -0,0 +1,53 @@
+Description: Reject hashes in URL
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/4b20e54b
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477
+Forwarded: not-needed
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -333,6 +333,11 @@
+             "XSS attack detected (param: $name | value: $value)");
+         return $self->conf->{checkXSS};
+     }
++    if ( $value =~ m/#/ ) {
++        $self->userLogger->error(
++            "Browser parameters in URL (param: $name | value: $value)");
++        return $self->conf->{checkXSS};
++    }
+     return 0;
+ }
+ 
+--- /dev/null
++++ b/lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t
+@@ -0,0 +1,29 @@
++use Test::More;
++use strict;
++use IO::String;
++use MIME::Base64;
++
++require 't/test-lib.pm';
++
++my $res;
++
++my $client = LLNG::Manager::Test->new(
++    { ini => { logLevel => 'error', useSafeJail => 1 } } );
++
++ok(
++    $res = $client->_get(
++        '/',
++        query => 'url='
++          . encode_base64( 'http://bad.com#test.example.llng', '' )
++    ),
++    'Try http://bad.com#test.example.llng'
++);
++expectReject($res);
++ok( $res->[2]->[0] =~ /37/, 'Rejected with PE_BADURL' )
++  or print STDERR Dumper( $res->[2]->[0] );
++
++count(2);
++
++clean_sessions();
++
++done_testing( count() );
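Review bot: the new fragment check returns `$self->conf->{checkXSS}`, so with checkXSS disabled a URL containing `#` is accepted again; if rejecting fragments is meant as an independent check on the redirect target (the linked issue suggests so), it should return a true value regardless of checkXSS, or the Description should say it is tied to that option. The log message `Browser parameters in URL` is also unclear; `URL fragment (#) rejected` states what was matched. In the test, `ok( $res->[2]->[0] =~ /37/, ... )` matches `37` anywhere in the body; a tighter pattern (e.g. `/\b37\b/` or the portal's error-code marker) avoids false passes, and `Dumper` is used without `use Data::Dumper` unless test-lib.pm exports it.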
diff --git a/debian/patches/fix-xss-on-register-form.patch b/debian/patches/fix-xss-on-register-form.patch
new file mode 100644
index 000000000..60fc9eaee
--- /dev/null
+++ b/debian/patches/fix-xss-on-register-form.patch
@@ -0,0 +1,400 @@
+Description: fix XSS on register form
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/d6968535
+ https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/297dc830a
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-25
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm
+@@ -82,8 +82,6 @@
+     }
+ 
+     # Build mail content
+-    my %tplPrms;
+-    $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+     my $tr      = $self->translate($req);
+     my $subject = $self->conf->{mail2fSubject};
+ 
+@@ -104,12 +102,16 @@
+             $req,
+             'mail_2fcode',
+             filter => $tr,
+-            params => \%tplPrms
++            params => {
++                code => $code,
++            },
+         );
+         $html = 1;
+     }
+ 
+     # Replace variables in body
++    # FIXME: kept for compatibility with 2.0.0 mail templates
++    # in future versions this should only happen for plaintext emails
+     $body =~ s/\$code/$code/g;
+     $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+ 
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
+@@ -49,6 +49,7 @@
+     # HTML::Template cache interferes with email translation (#1897)
+     $prm{cache} = 0 unless defined $prm{cache};
+     $prm{params}->{STATIC_PREFIX} = $self->p->staticPrefix;
++    $prm{params}->{MAIN_LOGO}     = $self->conf->{portalMainLogo};
+     my %extra =
+         $self->p->can('tplParams')
+       ? $self->p->tplParams($req)
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm
+@@ -129,7 +129,7 @@
+ 
+ sub _certificateReset {
+     my ( $self, $req ) = @_;
+-    my ( $mailToken, %tplPrms );
++    my ($mailToken);
+ 
+     # CertificatReset FORM => modifyCertificate()
+     if ( $req->method =~ /^POST$/i
+@@ -359,7 +359,6 @@
+           );
+ 
+         # Build mail content
+-        $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+         my $tr      = $self->translate($req);
+         my $subject = $self->conf->{certificateResetByMailStep1Subject};
+         unless ($subject) {
+@@ -380,12 +379,18 @@
+                 $req,
+                 'mail_certificateConfirm',
+                 filter => $tr,
+-                params => \%tplPrms
++                params => {
++                    expMailDate => $req->data->{expMailDate},
++                    expMailTime => $req->data->{expMailTime},
++                    url         => $url,
++                },
+             );
+             $html = 1;
+         }
+ 
+         # Replace variables in body
++        # FIXME: kept for compatibility with 2.0.0 mail templates
++        # in future versions this should only happen for plaintext emails
+         $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
+         $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
+         $body =~ s/\$url/$url/g;
+@@ -420,7 +425,6 @@
+ 
+ sub modifyCertificate {
+     my ( $self, $req ) = @_;
+-    my %tplPrms;
+     my $nbio;
+     my $x509;
+     my $notAfter;
+@@ -539,7 +543,6 @@
+         $req->{sessionInfo}->{ $self->conf->{mailSessionKey} } );
+ 
+     # Build mail content
+-    $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+     my $tr      = $self->translate($req);
+     my $subject = $self->conf->{certificateResetByMailStep2Subject};
+     unless ($subject) {
+@@ -560,12 +563,14 @@
+             $req,
+             'mail_certificateReset',
+             filter => $tr,
+-            params => \%tplPrms
++            params => {},
+         );
+         $html = 1;
+     }
+ 
+     # Replace variables in body
++    # FIXME: kept for compatibility with 2.0.0 mail templates
++    # in future versions this should only happen for plaintext emails
+     $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+ 
+     # Send mail
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
+@@ -91,7 +91,7 @@
+ 
+ sub _reset {
+     my ( $self, $req ) = @_;
+-    my ( $mailToken, %tplPrms );
++    my ($mailToken);
+ 
+     # PASSWORD CHANGE FORM => changePwd()
+     if (
+@@ -323,7 +323,6 @@
+           );
+ 
+         # Build mail content
+-        $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+         my $tr      = $self->translate($req);
+         my $subject = $self->conf->{mailConfirmSubject};
+         unless ($subject) {
+@@ -344,12 +343,18 @@
+                 $req,
+                 'mail_confirm',
+                 filter => $tr,
+-                params => \%tplPrms
++                params => {
++                    expMailDate => $req->data->{expMailDate},
++                    expMailTime => $req->data->{expMailTime},
++                    url         => $url,
++                },
+             );
+             $html = 1;
+         }
+ 
+         # Replace variables in body
++        # FIXME: kept for compatibility with 2.0.0 mail templates
++        # in future versions this should only happen for plaintext emails
+         $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge;
+         $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge;
+         $body =~ s/\$url/$url/g;
+@@ -496,7 +501,6 @@
+         $req->{sessionInfo}->{ $self->conf->{mailSessionKey} } );
+ 
+     # Build mail content
+-    $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+     my $tr      = $self->translate($req);
+     my $subject = $self->conf->{mailSubject};
+     unless ($subject) {
+@@ -505,6 +509,8 @@
+     }
+     my $body;
+     my $html;
++    my $password = $req->data->{newpassword};
++
+     if ( $self->conf->{mailBody} ) {
+ 
+         # We use a specific text message, no html
+@@ -517,13 +523,16 @@
+             $req,
+             'mail_password',
+             filter => $tr,
+-            params => \%tplPrms
++            params => {
++                %tplPrms, password => $password,
++            },
+         );
+         $html = 1;
+     }
+ 
+     # Replace variables in body
+-    my $password = $req->data->{newpassword};
++    # FIXME: kept for compatibility with 2.0.0 mail templates
++    # in future versions this should only happen for plaintext emails
+     $body =~ s/\$password/$password/g;
+     $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;
+ 
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm
+@@ -114,7 +114,6 @@
+ # Parameters check
+ sub _register {
+     my ( $self, $req ) = @_;
+-    my %tplPrms;
+ 
+     # Check if it's a first access
+     unless ( ( $req->method =~ /^POST$/i and $req->param('mail') )
+@@ -301,7 +300,6 @@
+           );
+ 
+         # Build mail content
+-        $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+         my $tr      = $self->translate($req);
+         my $subject = $self->conf->{registerConfirmSubject};
+         unless ($subject) {
+@@ -316,10 +314,17 @@
+             $req,
+             'mail_register_confirm',
+             filter => $tr,
+-            params => \%tplPrms
++            params => {
++                expMailDate => $req->data->{expMailDate},
++                expMailTime => $req->data->{expMailTime},
++                url         => $url,
++                %{ $req->data->{registerInfo} || {} },
++            },
+         );
+ 
+         # Replace variables in body
++        # FIXME: kept for compatibility with 2.0.0 mail templates
++        # in future versions this should only happen for plaintext emails
+         $body =~ s/\$expMailDate/$req->data->{expMailDate}/g;
+         $body =~ s/\$expMailTime/$req->data->{expMailTime}/g;
+         $body =~ s/\$url/$url/g;
+@@ -361,7 +366,6 @@
+     }
+ 
+     # Build mail content
+-    $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo};
+     my $tr      = $self->translate($req);
+     my $subject = $self->conf->{registerDoneSubject};
+     unless ($subject) {
+@@ -371,14 +375,6 @@
+     my $body;
+     my $html = 1;
+ 
+-    # Use HTML template
+-    $body = $self->loadMailTemplate(
+-        $req,
+-        'mail_register_done',
+-        filter => $tr,
+-        params => \%tplPrms
+-    );
+-
+     # Build portal url
+     my $url = $self->conf->{portal};
+     $url =~ s#/*$##;
+@@ -390,7 +386,20 @@
+         ( $req_url ? ( url => $req_url ) : () ),
+       );
+ 
++    # Use HTML template
++    $body = $self->loadMailTemplate(
++        $req,
++        'mail_register_done',
++        filter => $tr,
++        params => {
++            url => $url,
++            %{ $req->data->{registerInfo} || {} },
++        },
++    );
++
+     # Replace variables in body
++    # FIXME: kept for compatibility with 2.0.0 mail templates
++    # in future versions this should only happen for plaintext emails
+     $body =~ s/\$url/$url/g;
+     $body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge;
+ 
+--- a/lemonldap-ng-portal/site/templates/common/mail_2fcode.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_2fcode.tpl
+@@ -1,10 +1,10 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <span>
+-<span trspan="hello">Hello</span> $cn,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br />
+ <br />
+ <span trspan="yourLoginCodeIs">Your login code is</span>
+-<b>$code</b><br/>
++<b><TMPL_VAR NAME="code" ESCAPE=HTML></b><br/>
+ </span>
+ 
+ <TMPL_INCLUDE NAME="mail_footer.tpl">
+--- a/lemonldap-ng-portal/site/templates/common/mail_certificateConfirm.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_certificateConfirm.tpl
+@@ -1,10 +1,10 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $cn,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br />
+ <br />
+ <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span>
+-<a href="$url" style="text-decoration:none;color:orange;">
++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;">
+ <span trspan="click2ResetCertificate">Click here to reset your certificate</span>
+ </a>
+ </p>
+--- a/lemonldap-ng-portal/site/templates/common/mail_certificateReset.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_certificateReset.tpl
+@@ -1,7 +1,7 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $cn,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br />
+ <br />
+ <span trspan="resetCertificateOK">Your certificate has been successfully reset!</span> 
+ </p>
+--- a/lemonldap-ng-portal/site/templates/common/mail_confirm.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_confirm.tpl
+@@ -1,10 +1,10 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $cn,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br />
+ <br />
+ <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span>
+-<a href="$url" style="text-decoration:none;color:orange;">
++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;">
+ <span trspan="click2Reset">Click here to reset your password</span>
+ </a>
+ </p>
+--- a/lemonldap-ng-portal/site/templates/common/mail_footer.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_footer.tpl
+@@ -4,7 +4,7 @@
+ <p>
+ <span trspan="autoMail">This mail was sent automatically</span><br />
+ <span trspan="requestIssuedFromIP">The request was issued from IP</span>
+-$ipAddr
++<TMPL_VAR NAME="session_ipAddr" ESCAPE=HTML>
+ </p>
+ </div>
+ 
+--- a/lemonldap-ng-portal/site/templates/common/mail_password.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_password.tpl
+@@ -1,12 +1,12 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $cn,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br />
+ <br />
+ <TMPL_IF NAME="RESET">
+ <span trspan="newPwdIs">Your new password is</span> 
+ <span><img src="cid:key:../common/key.png" alt="key"/></span>
+-<b>$password</b>
++<b><TMPL_VAR NAME="password" ESCAPE=HTML></b>
+ <TMPL_ELSE>
+ <span trspan="pwdChanged">Your password has been successfully changed!</span> 
+ </TMPL_IF>
+--- a/lemonldap-ng-portal/site/templates/common/mail_register_confirm.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_register_confirm.tpl
+@@ -1,10 +1,10 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $firstname $lastname,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="firstname" ESCAPE=HTML> <TMPL_VAR NAME="lastname" ESCAPE=HTML>,<br />
+ <br />
+ <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span>
+-<a href="$url" style="text-decoration:none;color:orange;">
++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;">
+ <span trspan="click2Register">Click here to confirm your account registration</span>
+ </a>
+ </p>
+--- a/lemonldap-ng-portal/site/templates/common/mail_register_done.tpl
++++ b/lemonldap-ng-portal/site/templates/common/mail_register_done.tpl
+@@ -1,19 +1,19 @@
+ <TMPL_INCLUDE NAME="mail_header.tpl">
+ 
+ <p>
+-<span trspan="hello">Hello</span> $firstname $lastname,<br />
++<span trspan="hello">Hello</span> <TMPL_VAR NAME="firstname" ESCAPE=HTML> <TMPL_VAR NAME="lastname" ESCAPE=HTML>,<br />
+ <br />
+ <span trspan="accountCreated">Your account was successfully created.</span>
+ <br /> 
+ <br /> 
+ <span trspan="yourLoginIs">Your login is</span> 
+ <span><img src="cid:key:../common/bullet_go.png" alt="go"/></span>
+-<b>$login</b>
++<b><TMPL_VAR NAME="login" ESCAPE=HTML></b>
+ <br /> 
+ <span trspan="pwdIs">Your password is</span> 
+ <span><img src="cid:key:../common/key.png" alt="key"/></span>
+-<b>$password</b>
++<b><TMPL_VAR NAME="password" ESCAPE=HTML></b>
+ </p>
+-<p><a href="$url"><span trspan="goToPortal">Click here to access to portal</span></a></p>
++<p><a href="<TMPL_VAR NAME="url" ESCAPE=HTML>"><span trspan="goToPortal">Click here to access to portal</span></a></p>
+ 
+ <TMPL_INCLUDE NAME="mail_footer.tpl">
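Review bot: the compatibility substitutions kept after template rendering partly undo the new escaping. In Register.pm, `$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge` (and the `sessionInfo` variants in Mail2F.pm, CertificateResetByMail.pm and MailPasswordReset.pm) still run on the HTML body produced with `ESCAPE=HTML`, and the replacement values are inserted unescaped; since registerInfo comes from the register form, an escaped field whose content is a `$name` token may be expanded to a raw value. The FIXME acknowledges this; at minimum the substitution should be skipped when `$html` is set, or the replacement HTML-escaped in that case. Minor: in the MailPasswordReset.pm `mail_password` hunk, `params => { %tplPrms, password => $password }` still references `%tplPrms`, whose only assignment (`$tplPrms{MAIN_LOGO} = ...`) was removed in the preceding hunk, so it is now always empty; drop it as was done in the other files.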
diff --git a/debian/patches/series b/debian/patches/series
index b1a4d299e..a1245fc76 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,9 @@ javascript-path.patch
 Avoid-developer-tests.patch
 fix-for-pod2man.diff
 replace-api-doc-by-link.diff
+CVE-2021-35472.patch
+CVE-2021-35473.patch
+fix-trusted-domain-wildcard.patch
+fix-trusted-domain-regex.patch
+fix-xss-on-register-form.patch
+dont-display-totp-secret.patch
