
Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2



Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:37 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection, only when the configuration is edited by hand and
>    doesn't follow the OIDC specifications
>  - a server-side request forgery (CVE-2023-44469) in the OIDC protocol:
>    A little-known feature of OIDC allows the OpenID Provider to fetch the
>    Authorization request parameters itself by indicating a request_uri
>    parameter. This feature is now restricted to a white list using this
>    patch
> 

--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
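Review bot: the distribution field in the new NEWS header reads `bullseye`, but this is a bookworm-pu request and the version `2.16.1+ds-deb12u2` carries the Debian 12 (bookworm) suffix, so the header should be `lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium` before upload.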

As Salvatore pointed out, the suite is wrong in the header.

+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
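Review bot: typo in the added NEWS text, `little-know` should read `little-known`; NEWS entries are displayed to administrators by apt-listchanges at upgrade time, so the wording should be corrected in the same upload.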

s/little-know/&n/

Please go ahead.

Regards,

Adam
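The quoted bug description says the fix restricts the OIDC `request_uri` feature to a white list so the provider no longer fetches arbitrary URLs (the SSRF in CVE-2023-44469). The following is an added illustration of such a gate in Python, not code from LemonLDAP::NG and not its configuration option names: the allowlist structure, the RP identifier `rp-example` and the sample URIs are constructed for the example, and the check is deny-by-default.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical; not LemonLDAP::NG's own
# option names): a per-Relying-Party list of allowed request_uri values.
# An entry ending in "/" allows any path below it; otherwise it is exact.
REQUEST_URI_ALLOWLIST = {
    "rp-example": [
        "https://rp.example.org/oidc/requests/",
        "https://rp.example.org/static/request.jwt",
    ],
}


def request_uri_allowed(rp_id, request_uri, allowlist=REQUEST_URI_ALLOWLIST):
    """True only if request_uri is covered by the RP's allowlist.

    Deny by default: an RP with no allowlist cannot use request_uri at all,
    so the provider never performs an outbound fetch it was not told to trust.
    """
    allowed = allowlist.get(rp_id) or []
    try:
        u = urlsplit(request_uri)
        port = u.port or 443          # .port raises ValueError on "host:abc"
    except ValueError:
        return False
    # Require https, reject userinfo ("https://rp.example.org@other.example/")
    # and fragments; .hostname is already lower-cased, so host comparison is
    # case-insensitive.
    if u.scheme.lower() != "https" or u.username is not None or u.fragment:
        return False
    if not u.hostname:
        return False
    for entry in allowed:
        e = urlsplit(entry)
        if e.hostname != u.hostname or (e.port or 443) != port:
            continue
        if entry.endswith("/"):
            # Prefix match, but refuse dot-segments so "/x/../../y" cannot
            # escape the allowed subtree once the RP's server normalises it.
            if u.path.startswith(e.path) and ".." not in u.path.split("/"):
                return True
        elif u.path == e.path and not u.query:
            return True
    return False


def check_authorization_request(rp_id, params):
    """Decide whether the provider may dereference params['request_uri'].

    Returns (allowed, reason) so the caller can log the reason for a refusal
    before answering the RP with an OIDC error response.
    """
    uri = params.get("request_uri")
    if uri is None:
        return True, "no request_uri"          # nothing to fetch
    if "request" in params:
        # RFC 9101 (JAR) forbids sending request and request_uri together.
        return False, "request and request_uri both present"
    if request_uri_allowed(rp_id, uri):
        return True, "request_uri allowlisted"
    return False, "request_uri not allowlisted for %s" % rp_id


if __name__ == "__main__":
    # Constructed inputs: one legitimate RP request and a few shapes that a
    # fetch-anything implementation would have accepted.
    for uri in (
        "https://rp.example.org/oidc/requests/abc123",
        "http://rp.example.org/oidc/requests/abc123",
        "https://rp.example.org@other.example/oidc/requests/abc123",
        "https://10.0.0.5/internal/",
    ):
        print(uri, "->", request_uri_allowed("rp-example", uri))
```

The check is applied before any HTTP client is involved, and the reason string is what a defender would want in the provider's log: a burst of "not allowlisted" refusals for one client_id is a useful detection signal for probing of this endpoint.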
