Debian alert DLA-3979-1 (lemonldap-ng)
| From: | Guilhem Moulin <guilhem@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 3979-1] lemonldap-ng security update | |
| Date: | Sat, 30 Nov 2024 22:21:22 +0100 | |
| Message-ID: | <Z0uB0kuEuSJ9FZLf@debian.org> |
------------------------------------------------------------------------- Debian LTS Advisory DLA-3979-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin November 30, 2024 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : lemonldap-ng Version : 2.0.11+ds-4+deb11u6 CVE ID : CVE-2024-48933 CVE-2024-52946 CVE-2024-52947 Debian Bug : 1084979 Multiple vulnerabilities were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to injection of arbitrary scripts or authorization bypass. CVE-2024-48933 Cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML into the login page via a username if ‘userControl’ has been set to a non-default value that allows special HTML characters. CVE-2024-52946 Improper Check during session refresh which allows an authenticated user to raise their authentication level if the admin configured an "Adaptative authentication rule" with an increment instead of an absolute value. CVE-2024-52947 Cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML via the ‘url’ parameter of the upgrade session confirmation page (upgradeSession) if the "Upgrade session" plugin has been enabled by an admin. For Debian 11 bullseye, these problems have been fixed in version 2.0.11+ds-4+deb11u6. We recommend that you upgrade your lemonldap-ng packages. For the detailed security status of lemonldap-ng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lemonldap-ng Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmdLgdIACgkQ05pJnDwh pVL86w/+OsuLY5iNOGfrimk53GEy7vBIliVrZUR7FXaDPgZV9BN56ofKqpr/oLlO kxFtTGRBBGnrOfjs0QWIZ+lA1fhnekyImTeNjNGfsIvmxAk6dHobtkBzBOI2a8Oq Ba2dSKbbMaJUkU5pX2ndAoHWJ5VL1LRhl58f2X55eg0ljbTCuEsHFLD13ktMKx3e AwgGlRfXc/3zBwJAtO4X3EBGZpsiVNCUl2MYFbN8NvqUuiML1C5w2H+NfXSp2Q9P ly5atMQ6kasHBozhi+59xYM4lyW0GEKvHeNIc9VDMr8ePapGxmnKiZqH/IJXK/C3 IblkpSklqHHNjJY34+HzA980QTo1Wl/ffYjhqw56B2i/Mc6WgkP3/3a4+QWT4u/g ic+R5+LAB79ASYPgpGMmj8BbistpDk9Lw3qz5HqskXThLxTTWAHsSWiDzo+umAnd 441mBzmB1JAm2mYAoGHBfZqFDrAMJQwzo8jI4yVD0bunCB7adJq0H6iCyAtQkL1v LWTi4awlIJVSlYu2keQr4vNtFev+sN7eGSxqJvGX+pX0l0VUNCZ3+1asKNrjCO/p MYBnC/KM1ajaMu0a26NqPmL0+as5P/qsBYti/zjyYQYId4O0xqjU1zHnLkMFQbHr IJGAb1ZKzAUlerNkkrCgeT9/moww5fOHOYtOSCRy1QR5uZuQR7c= =4BmU -----END PGP SIGNATURE-----