Bug#1006377: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u7
Control: tags -1 + confirmed
On Thu, 2022-02-24 at 16:36 +0100, Yadd wrote:
> lemonldap-ng is vulnerable to password bypass (impact critical) in a
> very unlikely setup (probability very low). CVE-2021-40874
>
> [ Impact ]
> In such configuration, a remote lemonldap-ng system that queries the
> main lemonldap-ng system using internal lemonldap-ng protocol instead
> of SAML/OpenID-Connect, accepts user with _wrong password; if and only
> if_ main lemonldap-ng system is configured to use both Kerberos and
> LDAP authentication.
>
Please go ahead.
Regards,
Adam