On Wednesday 14 August 2024, 19:54:15 UTC Bastien Roucariès wrote:
Dear Adam

Debdiff joined

> On Wednesday 14 August 2024, 19:53:13 UTC Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Mon, 2024-08-05 at 17:56 +0000, Bastien Roucariès wrote:
> > > CVE-2022-39369
> > >
> > > [ Impact ]
> > > Service Hostname Discovery Exploitation
> >
> > diff -Nru fusiondirectory-1.3/debian/#control# fusiondirectory-1.3/debian/#control#
> > --- fusiondirectory-1.3/debian/#control# 1970-01-01 00:00:00.000000000 +0000
> > +++ fusiondirectory-1.3/debian/#control# 2024-07-11 18:02:29.000000000 +0000
> >
> > Why is this in the debdiff?
> Agreed, will redo
> >
> > Regards,
> >
> > Adam
diff -Nru fusiondirectory-1.3/debian/changelog fusiondirectory-1.3/debian/changelog
--- fusiondirectory-1.3/debian/changelog 2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/changelog 2024-07-11 18:02:29.000000000 +0000
@@ -1,3 +1,15 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Tobias Frost ]
+ * Backport compatibility with php-cas version addressing CVE 2022-39369.
+
+ [ Abhijith PA ]
+ * Fix CVE-2022-36179, CVE-2022-36180.
+
+ -- Bastien Roucariès <rouca@debian.org> Thu, 11 Jul 2024 18:02:29 +0000
+
fusiondirectory (1.3-4) unstable; urgency=medium
* debian/patches:
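Review bot: the Tobias Frost entry writes the identifier as "CVE 2022-39369" without the hyphen, while the Abhijith PA entry and the rest of the debdiff use the "CVE-2022-39369" form; please use the hyphenated spelling so that tooling that scans changelogs for CVE references matches it.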
diff -Nru fusiondirectory-1.3/debian/control fusiondirectory-1.3/debian/control
--- fusiondirectory-1.3/debian/control 2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/control 2024-07-11 18:02:29.000000000 +0000
@@ -35,7 +35,7 @@
libxml-twig-perl,
openssl,
php,
- php-cas,
+ php-cas (>= 1.3.8-1+deb11u1~),
php-cli,
php-curl,
php-fpdf,
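Review bot: with php-cas (>= 1.3.8-1+deb11u1~) as a hard dependency, every bullseye installation of this package gets the php-cas build with the new API, so the old-API branch (CasLibraryBool not TRUE) in 0010-phpCAS_API_change.patch can never match the installed library on this suite, and NEWS already says CAS login breaks until the flag is set. Either state in the patch description that the old-API branch is kept only as a portability fallback, or consider whether the upgrade path could set CasLibraryBool to TRUE by default so a CAS-enabled install does not start on the known-broken path.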
@@ -56,6 +56,7 @@
Breaks:
fusiondirectory-plugin-dashboard (<< 1.0.8.7),
fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
+ fusiondirectory-schema (<< 1.3-4+deb11u1~)
Replaces:
fusiondirectory-plugin-dashboard (<< 1.0.8.7),
fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
diff -Nru fusiondirectory-1.3/debian/NEWS fusiondirectory-1.3/debian/NEWS
--- fusiondirectory-1.3/debian/NEWS 1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/NEWS 2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,30 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+ If you are using CAS for authentication:
+ To address CVE-2022-39369 in php-cas - the library used for CAS - had
+ to introduce an API breaking change which requires some additional
+ configuration in fusiondirectory.
+
+ The php-cas package introducing the fix for bullseye is version
+ 1.3.8-1+deb11u1. After installing the php-cas update, a CAS enabled
+ fusiondirectory installation will no longer work until those steps are
+ done:
+
+ - make sure to install the updated fusiondirectory-schema package for
+ bullseye.
+
+ - update the fusiondirectory core schema in LDAP by running
+ fusiondirectory-insert-schema -m
+
+ - switch to using the new php-cas API by running
+ fusiondirectory-setup --set-config-CasLibraryBool=TRUE
+
+ - set the CAS ClientServiceName to the base URL of the fusiondirectory
+ installation, for example:
+ fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/"
+
+ To troubleshoot php-cas problems, the property CasVerbose can be activated for
+ additional diagnostics:
+ fusiondirectory-setup --set-config-CasVerbose=TRUE
+
+ -- Bastien Roucariès <rouca@debian.org> Thu, 11 Jul 2024 18:08:39 +0000
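Review bot: the opening sentence has no subject ("To address CVE-2022-39369 in php-cas - the library used for CAS - had to introduce an API breaking change"); suggest "Addressing CVE-2022-39369 in php-cas (the library used for CAS) required an API-breaking change, which in turn requires additional configuration in fusiondirectory." It would also help administrators to say what CasClientServiceName is for: phpCAS now builds the service URL from this configured value instead of discovering it from the request's Host header, so the value must be the externally visible base URL (scheme, host and, if non-default, port) that the CAS server redirects back to.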
diff -Nru fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch
--- fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch 1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch 2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,184 @@
+From: FusionDirectory Packagers <team+fusiondirectory@tracker.debian.org>
+Date: Thu, 11 Jul 2024 17:52:17 +0000
+Subject: Backport changes required for newer php-cas API
+
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/299a320a7fe905402aea85b899dbd5a9cab9324c
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/7ded986a5f5aabe2670cd176caeb9d76f8555dca
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/39019502aa36b211aa283fac3b922c3806c2fef5
+Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>
+
+To adress CVE-2022-39369, php-cas needs an API change.
+This patches backports the required upstream changes to the buster version.
+The patch also adds the switch for php-cas verbose mode, for better troubleshooting.
+Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+ core/contrib/openldap/core-fd-conf.schema | 21 ++++++++++++-
+ core/html/index.php | 49 ++++++++++++++++++++++++------
+ core/plugins/config/class_configInLdap.inc | 29 +++++++++++++++++-
+ 3 files changed, 87 insertions(+), 12 deletions(-)
+
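Review bot: the DEP-3 header still carries the template text, twice ("Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>" appears on two lines); keep a single "Last-Update: 2023-06-27" and drop the angle-bracket placeholder. The description also says the changes are backported "to the buster version" although this upload targets bullseye, and "adress" should read "address".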
+diff --git a/core/contrib/openldap/core-fd-conf.schema b/core/contrib/openldap/core-fd-conf.schema
+index 840d1ff..8edcc20 100644
+--- a/core/contrib/openldap/core-fd-conf.schema
++++ b/core/contrib/openldap/core-fd-conf.schema
+@@ -452,6 +452,25 @@ attributetype ( 1.3.6.1.4.1.38414.8.21.5 NAME 'fdCasContext'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE)
+
++attributetype ( 1.3.6.1.4.1.38414.8.21.6 NAME 'fdCasVerbose'
++ DESC 'FusionDirectory - CAS verbose flag'
++ EQUALITY booleanMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
++ SINGLE-VALUE )
++
++attributetype ( 1.3.6.1.4.1.38414.8.21.7 NAME 'fdCasLibraryBool'
++ DESC 'FusionDirectory - CAS boolean to activate CAS library >= 1.6'
++ EQUALITY booleanMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
++ SINGLE-VALUE )
++
++attributetype ( 1.3.6.1.4.1.38414.8.21.8 NAME 'fdCasClientServiceName'
++ DESC 'FusionDirectory - CAS client service name'
++ EQUALITY caseExactIA5Match
++ SUBSTR caseExactIA5SubstringsMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
++ SINGLE-VALUE)
++
+ # merged from dashboard-fd.schema - Needed by Fusion Directory for dashboard options
+
+ attributetype ( 1.3.6.1.4.1.38414.27.1.1 NAME 'fdDashboardPrefix'
+@@ -563,7 +582,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
+ fdPluginsMenuBlacklist $
+ fdAclTabOnObjects $ fdDepartmentCategories $
+ fdSslCaCertPath $ fdSslKeyPath $ fdSslCertPath $
+- fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext
++ fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext $ fdCasVerbose $fdCasLibraryBool $ fdCasClientServiceName
+ ) )
+
+ objectclass ( 1.3.6.1.4.1.38414.8.2.2 NAME 'fusionDirectoryPluginsConf'
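Review bot: style point on the MAY line of fusionDirectoryConf: "$fdCasLibraryBool" has no space after the dollar sign while every other separator on the line is written " $ "; RFC 4512 permits zero whitespace around DOLLAR so the schema still parses, but please match the surrounding style, and consider wrapping the three new attributes onto a continuation line as the rest of the MAY list does rather than extending one very long line.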
+diff --git a/core/html/index.php b/core/html/index.php
+index 38918fb..8a8dfcb 100644
+--- a/core/html/index.php
++++ b/core/html/index.php
+@@ -121,13 +121,29 @@ if (isset($_REQUEST['signout']) && $_REQUEST['signout']) {
+ /* Move FD autoload after CAS autoload */
+ spl_autoload_unregister('__fusiondirectory_autoload');
+ spl_autoload_register('__fusiondirectory_autoload');
++
++ if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
++ phpCAS::setVerbose(TRUE);
++ }
++
++ // Initialize CAS with proper library and call.
++ if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
+ phpCAS::client(
+ CAS_VERSION_2_0,
+ $config->get_cfg_value('casHost', 'localhost'),
+- (int)($config->get_cfg_value('casPort', 443)),
+- $config->get_cfg_value('casContext', '')
++ (int) ($config->get_cfg_value('casPort', 443)),
++ $config->get_cfg_value('casContext'),
++ $config->get_cfg_value('CasClientServiceName')
+ );
+- // Set the CA certificate that is the issuer of the cert
++ } else {
++ phpCAS::client(
++ CAS_VERSION_2_0,
++ $config->get_cfg_value('casHost', 'localhost'),
++ (int) ($config->get_cfg_value('casPort', 443)),
++ $config->get_cfg_value('casContext')
++ );
++ }
++
+ phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
+ phpCas::logout();
+ }
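Review bot: in the CasLibraryBool branch the fifth argument is $config->get_cfg_value('CasClientServiceName') with no check that it has been set; NEWS tells admins to configure it, but if CasLibraryBool is enabled without it, phpCAS receives an empty service base URL and the failure surfaces inside the library instead of as a clear configuration error. A guard before phpCAS::client() that aborts with an explicit message when the value is empty would make the misconfiguration obvious. The two flag comparisons are also inconsistent: CasVerbose uses `== 'TRUE'` while CasLibraryBool uses `=== 'TRUE'`; use strict comparison for both.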
+@@ -518,14 +534,27 @@ class Index {
+ $message = '';
+
+ //~ phpCAS::setDebug();
+-
++ if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
++ phpCAS::setVerbose(TRUE);
++ }
++
+ // Initialize phpCAS
+- phpCAS::client(
+- CAS_VERSION_2_0,
+- $config->get_cfg_value('casHost', 'localhost'),
+- (int)($config->get_cfg_value('casPort', 443)),
+- $config->get_cfg_value('casContext', '')
+- );
++ if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
++ phpCAS::client(
++ CAS_VERSION_2_0,
++ $config->get_cfg_value('casHost', 'localhost'),
++ (int) ($config->get_cfg_value('casPort', 443)),
++ $config->get_cfg_value('casContext'),
++ $config->get_cfg_value('CasClientServiceName')
++ );
++ } else {
++ phpCAS::client(
++ CAS_VERSION_2_0,
++ $config->get_cfg_value('casHost', 'localhost'),
++ (int) ($config->get_cfg_value('casPort', 443)),
++ $config->get_cfg_value('casContext')
++ );
++ }
+
+ // Set the CA certificate that is the issuer of the cert
+ phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
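Review bot: this block is a verbatim copy of the initialisation added in the signout path above (the CasVerbose check and both phpCAS::client() branches); factoring it into one helper (for instance a static method on Index taking $config) would keep the CasLibraryBool/CasClientServiceName logic in a single place so the login and logout paths cannot drift apart. The commented-out `//~ phpCAS::setDebug();` line could also be dropped now that CasVerbose provides the diagnostic switch.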
+diff --git a/core/plugins/config/class_configInLdap.inc b/core/plugins/config/class_configInLdap.inc
+index 5f19db7..fe9545c 100644
+--- a/core/plugins/config/class_configInLdap.inc
++++ b/core/plugins/config/class_configInLdap.inc
+@@ -277,6 +277,18 @@ class configInLdap extends simplePlugin
+ 'fdCasContext', FALSE,
+ '/cas'
+ ),
++ new BooleanAttribute(
++ _('Verbose error'), _('Activate verbose errors in phpCAS. Avoid in production.'),
++ 'fdCasVerbose', FALSE
++ ),
++ new BooleanAttribute(
++ _('Library CAS 1.6'), _('Activate if library CAS >= 1.6 is being used.'),
++ 'fdCasLibraryBool', FALSE
++ ),
++ new StringAttribute(
++ _('Client service'), _('The client service name'),
++ 'fdCasClientServiceName', FALSE
++ ),
+ )
+ ),
+ 'people_and_group' => array(
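Review bot: the description for 'fdCasClientServiceName' ("The client service name") does not tell the administrator what value is expected; NEWS says it is the base URL of the fusiondirectory installation (for example https://fusiondirectory.example.org/), so say that in the attribute description, since this is the text shown next to the field in the configuration UI.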
+@@ -548,6 +560,9 @@ class configInLdap extends simplePlugin
+ 'fdCasHost',
+ 'fdCasPort',
+ 'fdCasContext',
++ 'fdCasVerbose',
++ 'fdCasClientServiceName',
++ 'fdCasLibraryBool'
+ )
+ )
+ )
+@@ -570,7 +585,19 @@ class configInLdap extends simplePlugin
+ )
+ )
+ );
+- }
++
++ // CAS boolean case to allow the use of CAS library >= 1.6
++
++ $this->attributesAccess['fdCasLibraryBool']->setManagedAttributes(
++ array(
++ 'disable' => array (
++ FALSE => array (
++ 'fdCasClientServiceName',
++ )
++ )
++ )
++ );
++}
+
+ function compute_dn()
+ {
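Review bot: the method's closing brace is removed and re-added without indentation ("++}") instead of the original indented "  }", which breaks the indentation of the class body; keep the original brace and insert the setManagedAttributes() call before it. Minor: "array (" with a space before the parenthesis differs from the "array(" used in the rest of the hunk, and the comment is followed by a stray blank line.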
diff -Nru fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch
--- fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch 1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch 2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,45 @@
+From: FusionDirectory Packagers <team+fusiondirectory@tracker.debian.org>
+Date: Thu, 11 Jul 2024 17:52:17 +0000
+Subject: Fix for CVE-2022-36179, CVE-2022-36180
+
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/d84cf05573b52df98418adf3716daf365e8da745
+ https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366
+Last-Update: 2023-05-19
+---
+ core/html/index.php | 4 ++++
+ core/include/class_session.inc | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/core/html/index.php b/core/html/index.php
+index 8a8dfcb..5be3422 100644
+--- a/core/html/index.php
++++ b/core/html/index.php
+@@ -424,6 +424,10 @@ class Index {
+
+ if ($success) {
+ /* Everything went well, redirect to main.php */
++
++ //Regenerate after login in order to avoid session fixation issues (vuln),
++ session_regenerate_id();
++
+ static::redirect();
+ }
+ }
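Review bot: session_regenerate_id() is called without the delete_old_session argument, so the pre-login session data stays on the server until garbage collection and the old ID keeps resolving to that session in the meantime; unless the race-avoidance behaviour of keeping the old file is wanted, session_regenerate_id(true) destroys the old session immediately, which is the usual choice for a session-fixation fix. The comment also ends with a stray comma ("(vuln),").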
+diff --git a/core/include/class_session.inc b/core/include/class_session.inc
+index 7367f1e..a9f6659 100644
+--- a/core/include/class_session.inc
++++ b/core/include/class_session.inc
+@@ -230,6 +230,13 @@ class session {
+ !! The garbage collector is a cron job on debian systems, the cronjob will fetch the timeout from
+ the php.ini, so if you use debian, you must hardcode session.gc_maxlifetime in your php.ini */
+ ini_set("session.gc_maxlifetime", 24 * 60 * 60);
++
++ /*
++ * Set HttpOnly in order to enhance security by disabling execution of javascript on cookies,
++ * allowing possible XSS attacks
++ */
++ ini_set("session.cookie_httponly", "1");
++
+ if ($id !== NULL) {
+ session_id($id);
+ }
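Review bot: the comment misdescribes the flag: HttpOnly does not disable JavaScript execution, it makes the cookie unreadable from script (document.cookie), which limits what an XSS can steal; suggest "Mark the session cookie HttpOnly so it cannot be read from JavaScript, limiting the impact of XSS". The ini_set() is correctly placed before session_id() and the session start, so it takes effect; while here, consider session.cookie_secure as well for deployments served over HTTPS.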
diff -Nru fusiondirectory-1.3/debian/patches/series fusiondirectory-1.3/debian/patches/series
--- fusiondirectory-1.3/debian/patches/series 2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/series 2024-07-11 18:02:29.000000000 +0000
@@ -2,3 +2,5 @@
2003_fusiondirectory-setup.patch
0001_CVE-2019-11187_stricter-ldap-error-check.patch
2001_fd-location-in-apache-conf.patch
+0010-phpCAS_API_change.patch
+CVE-2022-36179_80.patch