Version in base suite: 2.16.1+ds-deb12u2 Base version: lemonldap-ng_2.16.1+ds-deb12u2 Target version: lemonldap-ng_2.16.1+ds-deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u3.dsc NEWS | 13 ++++ changelog | 6 ++ patches/CVE-2024-48933.patch | 117 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 137 insertions(+) diff -Nru lemonldap-ng-2.16.1+ds/debian/NEWS lemonldap-ng-2.16.1+ds/debian/NEWS --- lemonldap-ng-2.16.1+ds/debian/NEWS 2023-09-29 13:18:12.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/NEWS 2024-10-15 18:59:06.000000000 +0000 @@ -1,3 +1,16 @@ +lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium + + Custom templates maybe vulnerable to XSS injection when default allowed + characters have been changed. To fix this, replace every + + + + by + + + + -- Yadd Tue, 15 Oct 2024 19:27:47 +0200 + lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium A feature of OIDC allows the OpenID Provider to fetch the Authorization diff -Nru lemonldap-ng-2.16.1+ds/debian/changelog lemonldap-ng-2.16.1+ds/debian/changelog --- lemonldap-ng-2.16.1+ds/debian/changelog 2023-09-29 13:18:12.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/changelog 2024-10-15 18:59:06.000000000 +0000 
@@ -1,3 +1,9 @@ +lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium + + * Fix XSS issue (Closes: #1084979, CVE-2024-48933) + + -- Yadd Tue, 15 Oct 2024 20:59:06 +0200 + lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium * Fix open redirection when OIDC RP has no redirect uris diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/CVE-2024-48933.patch lemonldap-ng-2.16.1+ds/debian/patches/CVE-2024-48933.patch --- lemonldap-ng-2.16.1+ds/debian/patches/CVE-2024-48933.patch 1970-01-01 00:00:00.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/patches/CVE-2024-48933.patch 2024-10-15 18:59:06.000000000 +0000 
@@ -0,0 +1,117 @@ +Description: Fix XSS vulnerability + A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 + allows remote attackers to inject arbitrary web script or HTML into the + login page via a username if userControl has been set to a non-default + value that allows special HTML characters. +Author: Maxime Besson +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3232 +Bug-Debian: https://bugs.debian.org/1084979 +Forwarded: not-needed +Applied-Upstream: 2.20.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/606 +Reviewed-By: Yadd +Last-Update: 2024-10-15 + +--- a/lemonldap-ng-portal/site/coffee/portal.coffee ++++ b/lemonldap-ng-portal/site/coffee/portal.coffee +@@ -295,12 +295,9 @@ + if datas['choicetab'] + authMenuTabs.tabs "option", "active", $('#authMenu a[href="#' + datas['choicetab'] + '"]').parent().index() + +- if datas['login'] +- $("input[type=password]:first").focus() +- else +- # If there are no auto-focused fields, focus on first visible input +- if $("input[autofocus]").length == 0 +- $("input[type!=hidden]:first").focus(); ++ # If there are no auto-focused fields, focus on first visible input ++ if $("input[autofocus]").length == 0 ++ $("input[type!=hidden]:first").focus() + + # Open links in new windows if required + if datas['newwindow'] +--- a/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl +@@ -11,7 +11,7 @@ +
+ +
+- " trplaceholder="user" aria-required="true"/> ++ " trplaceholder="user" aria-required="true"/> + +
+
+--- a/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl +@@ -6,7 +6,7 @@ +
+ +
+-
ACTIVE SSO SESSIONS:
++
ACTIVE SSO SESSIONS:
+ + + +--- a/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl +@@ -5,7 +5,7 @@ +
+ +
+- " trplaceholder="mail" required aria-required="true" /> ++ " trplaceholder="mail" required aria-required="true" /> + + +
+--- a/lemonldap-ng-portal/site/templates/bootstrap/password.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/password.tpl +@@ -17,11 +17,11 @@ + + +
+- ++ +
+ +
+- ++ +
+
+ +--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl +@@ -10,21 +10,21 @@ +
+ +
+- " trplaceholder="login" required aria-required="true"/> ++ " trplaceholder="login" required aria-required="true" autofocus /> +
+
+
+ +
+ +- ++ autofocus /> + +
+ +
+
+ +- ++ autofocus /> + +
+ +--- a/lemonldap-ng-portal/site/templates/common/script.tpl ++++ b/lemonldap-ng-portal/site/templates/common/script.tpl +@@ -20,7 +20,6 @@ + { + "displaytab":"", + "choicetab":"", +- "login":"", + "newwindow":, + "appslistorder":"", + "activeTimer":, diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/series lemonldap-ng-2.16.1+ds/debian/patches/series --- lemonldap-ng-2.16.1+ds/debian/patches/series 2023-09-29 13:18:12.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/patches/series 2024-10-15 18:59:06.000000000 +0000 @@ -9,3 +9,4 @@ fix-open-redirection.patch fix-open-redirection-without-OIDC-redirect-uris.patch SSRF-issue.patch +CVE-2024-48933.patch
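Review bot: in the NEWS hunk for 2.16.1+ds-deb12u3, the instruction "replace every ... by ..." has empty before and after snippets, so an administrator reading NEWS cannot tell which template construct to search for or what to replace it with; give the exact template variable form to find and the escaped form it should become, and change "maybe vulnerable" to "may be vulnerable".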
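Review bot: the DEP-3 header of CVE-2024-48933.patch is internally inconsistent: Description says the XSS affects LemonLDAP::NG before 2.19.3 while Applied-Upstream says 2.20.0. State the version that actually carries the fix, or note that 2.19.3 fixed it and merge request 606 is where it landed, so the header matches the advisory text.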
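Review bot: the portal.coffee hunk removes the `if datas['login']` branch that focused the first password field, so password-first focus now depends entirely on templates emitting an `autofocus` attribute. Custom templates copied before this change carry no `autofocus` and will fall back to focusing the first visible input; that behaviour change is worth a sentence in NEWS next to the escaping instruction.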
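Review bot: in the checkuser.tpl hunk the `-` and `+` lines read identically (`" trplaceholder="user" aria-required="true"/>`), because the template variable markup that changed is not preserved in this view, so the escaping fix cannot be reviewed from the diff alone. The patch Description should name the output filter the templates now apply to the username so reviewers can confirm each replaced occurrence.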
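Review bot: the standardform.tpl hunk adds `autofocus` to the login input and to both password inputs in the same template. HTML allows only one element with `autofocus` per document, so confirm the surrounding template conditionals render at most one of these at a time; otherwise the browser focuses the first in document order and the portal.coffee fallback (`if $("input[autofocus]").length == 0`) never applies.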
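Review bot: the script.tpl hunk drops the `"login":"",` entry from the JSON data block, and the portal.coffee hunk removes its only consumer `datas['login']`, so nothing else reads it and the removal is safe. Since the header attributes the XSS to the username on the login page, a line in the patch Description saying that this key carried the username into script context would make clear that this hunk, not the template edits, is the one that closes the injection point.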