--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u2
- From: Yadd <yadd@debian.org>
- Date: Sun, 11 Sep 2022 15:13:43 +0200
- Message-id: <166290202339.2695730.8139594463220377065.reportbug@debian007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-perl-maintainers@alioth-lists.debian.net
[ Reason ]
lemonldap-ng before version 2.0.15 has an issue that may maintain
a session active on a Lemonldap::NG's handler if user has a continuous
activity on this handler after session expiration or deletion
(CVE-2022-37186), if and only if user activity is tracked by handlers
(disabled by defaut)
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed, non new tested backported here
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Handler's calls to session API now have a "nocache" option for writing.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index f6be653a8..c276c65c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
+
+ * Add patch to improve session destroy propagation (Closes: CVE-2022-37186)
+
+ -- Yadd <yadd@debian.org> Sun, 11 Sep 2022 09:28:30 +0200
+
lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
* Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
diff --git a/debian/patches/CVE-2022-37186.patch b/debian/patches/CVE-2022-37186.patch
new file mode 100644
index 000000000..12e80c4d7
--- /dev/null
+++ b/debian/patches/CVE-2022-37186.patch
@@ -0,0 +1,31 @@
+Description: Improve session destroy propagation
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b3
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-09-11
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm
+@@ -56,7 +56,7 @@
+
+ # Get session from cache
+ my $id = $session->{data}->{_session_id};
+- if ( $self->cache->get($id) ) {
++ if ( !$self->{args}->{noCache} and $self->cache->get($id) ) {
+ $session->{serialized} = $self->cache->get($id);
+ return;
+ }
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
+@@ -213,7 +213,8 @@
+ return 0;
+ }
+
+- my $data = $self->_tie_session($tieOptions);
++ my $data = $self->_tie_session(
++ { ( $tieOptions ? %$tieOptions : () ), noCache => 1 } );
+
+ if ($data) {
+ foreach ( keys %$infos ) {
diff --git a/debian/patches/series b/debian/patches/series
index 644277be7..9d8952af0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ fix-trusted-domain-regex.patch
fix-xss-on-register-form.patch
dont-display-totp-secret.patch
CVE-2021-40874.patch
+CVE-2022-37186.patch
--- End Message ---