
Bug#1006371: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u1



Control: tags -1 + confirmed

On Thu, 2022-02-24 at 15:44 +0100, Yadd wrote:
> lemonldap-ng is vulnerable to password bypass (impact critical) in a very
> unlikely setup (probability very low). CVE-2021-40874
> 
> [ Impact ]
> In such configuration, a remote lemonldap-ng system that queries the
> main lemonldap-ng system using internal lemonldap-ng protocol instead of
> SAML/OpenID-Connect, accepts user with _wrong password; if and only if_
> main lemonldap-ng system is configured to use both Kerberos and LDAP
> authentication.
> 

Please go ahead.

Regards,

Adam

