Version in base suite: 2.16.1+ds-deb12u3 Base version: lemonldap-ng_2.16.1+ds-deb12u3 Target version: lemonldap-ng_2.16.1+ds-deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u4.dsc changelog | 7 +++ patches/fix-auth-level-escalation.patch | 72 ++++++++++++++++++++++++++++++++ patches/fix-xss-in-upgrade-plugin.patch | 21 +++++++++ patches/series | 2 4 files changed, 102 insertions(+)
diff -Nru lemonldap-ng-2.16.1+ds/debian/changelog lemonldap-ng-2.16.1+ds/debian/changelog
--- lemonldap-ng-2.16.1+ds/debian/changelog 2024-10-15 18:59:06.000000000 +0000
+++ lemonldap-ng-2.16.1+ds/debian/changelog 2024-11-19 17:44:18.000000000 +0000
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u4) bookworm; urgency=medium
+
+ * Fix authentication privilege (Closes: CVE-2024-52946)
+ * Fix XSS in "Upgrade" plugin (Closes: CVE-2024-52947)
+
+ -- Yadd Tue, 19 Nov 2024 18:44:18 +0100
+
 lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium
 * Fix XSS issue (Closes: #1084979, CVE-2024-48933)
diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/fix-auth-level-escalation.patch lemonldap-ng-2.16.1+ds/debian/patches/fix-auth-level-escalation.patch
--- lemonldap-ng-2.16.1+ds/debian/patches/fix-auth-level-escalation.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.16.1+ds/debian/patches/fix-auth-level-escalation.patch 2024-11-18 17:32:35.000000000 +0000
@@ -0,0 +1,72 @@
+Description: Do not run adaptativeAuthenticationLevel during refresh
+Author: Maxime Besson
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255
+Forwarded: not-needed
+Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Reviewed-By: Yadd
+Last-Update: 2024-11-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
+@@ -35,6 +35,8 @@
+ sub adaptAuthenticationLevel {
+ my ( $self, $sub, $req ) = @_;
+
++ return $sub->($req) if $req->refresh;
++
+ my $userid = $req->sessionInfo->{ $self->conf->{whatToTrace} }
+ || $req->sessionInfo->{uid};
+ $self->logger->debug("Check adaptative authentication rules for $userid");
+--- a/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
++++ b/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
+@@ -42,20 +42,23 @@
+ count(1);
+ $id = expectCookie($res);
+
++my $session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
++
+ ok(
+ $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
++ '/refresh', cookie => "lemonldap=$id"
+ ),
+ 'Get session'
+ );
+ count(1);
+-$json = expectJSON($res);
+
+-ok( $json->{uid} eq 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
+-ok( $json->{authenticationLevel} == 3, 'Authentication level upgraded' );
+-ok( scalar keys %$json == 10, 'Ten exported attributes found' )
+- or explain( scalar keys %$json, Dumper $json );
+-count(3);
++$session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
+
+ ok( $client->logout($id), 'Logout' );
+ count(1);
+@@ -72,16 +75,8 @@
+ count(1);
+ $id = expectCookie($res);
+
+-ok(
+- $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
+- ),
+- 'Get session'
+-);
+-count(1);
+-$json = expectJSON($res);
+-
+-ok( $json->{authenticationLevel} == 5, 'Authentication level upgraded' );
++$session = getSession($id)->data;
++ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' );
+ count(1);
+
+ ok( $client->logout($id), 'Logout' );
diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/fix-xss-in-upgrade-plugin.patch lemonldap-ng-2.16.1+ds/debian/patches/fix-xss-in-upgrade-plugin.patch
--- lemonldap-ng-2.16.1+ds/debian/patches/fix-xss-in-upgrade-plugin.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.16.1+ds/debian/patches/fix-xss-in-upgrade-plugin.patch 2024-11-18 17:32:35.000000000 +0000
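Review bot: Both new `is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );` lines in 61-AdaptativeAuthenticationLevel.t still dump `$json` on failure, yet this hunk removes the `$json = expectJSON($res);` assignment that fed it, so a failing run would print stale or undefined data instead of the session; they should read `or explain( $session, "uid='dwho'" )`. The second test hunk also keeps `ok( $session->{authenticationLevel} == 5, ... )` where the first one switched to `is(...)`, which gives got/expected diagnostics; `is( $session->{authenticationLevel}, 5, 'Authentication level upgraded' );` keeps the file consistent. On the library side, the early `return $sub->($req) if $req->refresh;` in adaptAuthenticationLevel carries no comment saying why refresh is excluded, and a later cleanup could drop it; a line such as `# Do not re-run the adaptative rules on /refresh (issue 3255, CVE-2024-52946)` would preserve the intent. Since this is an upstream 2.20.1 change backported onto 2.16.1, it is worth confirming that the 2.16.1 request object already exposes a `refresh` accessor, otherwise the guard is never true and the test would be the only thing catching it. adaptAuthenticationLevel's body continues outside the hunk.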
@@ -0,0 +1,21 @@
+Description: Check XSS in ::Plugins::Upgrade
+Author: Maxime Besson
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
+Forwarded: not-needed
+Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc
+Reviewed-By: Yadd
+Last-Update: 2024-11-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
+@@ -79,6 +79,9 @@
+ $self->logger->debug(" -> Skip confirmation is enabled")
+ if $self->conf->{"skip${action}Confirmation"};
+
++ $url = '' if $self->p->checkXSSAttack('url', $url);
++ $forceUpgrade = '' if $self->p->checkXSSAttack('forceUpgrade', $forceUpgrade);
++
+ # Display form
+ return $self->p->sendHtml(
+ $req,
diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/series lemonldap-ng-2.16.1+ds/debian/patches/series
--- lemonldap-ng-2.16.1+ds/debian/patches/series 2024-10-15 18:59:06.000000000 +0000
+++ lemonldap-ng-2.16.1+ds/debian/patches/series 2024-11-18 17:32:35.000000000 +0000
@@ -10,3 +10,5 @@
 fix-open-redirection-without-OIDC-redirect-uris.patch
 SSRF-issue.patch
 CVE-2024-48933.patch
+fix-auth-level-escalation.patch
+fix-xss-in-upgrade-plugin.patch
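Review bot: The two added lines in Upgrade.pm blank `$url` and `$forceUpgrade` when `checkXSSAttack` flags them, but nothing in the hunk records why these two values are singled out; a comment such as `# url and forceUpgrade are reflected into the form rendered below: drop them when they look like injected markup (issue 3257, CVE-2024-52947)` would carry that intent for the next reader. Judging from the `= '' if` usage, checkXSSAttack is a detector that returns true on suspicious input, so it is a second line of defence and the template behind `sendHtml` still has to escape both values; saying so in the same comment keeps a later template change from relying on this check alone. Silently emptying `$url` also changes the post-upgrade flow for a flagged value, so unless checkXSSAttack logs on its own, a `$self->logger->warn("Upgrade: url parameter dropped by XSS check")` beside it would help triage. The `$forceUpgrade` line is noticeably longer than the wrapped lines around it and could be split at the `if`. The enclosing method starts and ends outside the hunk, presumably where both variables are read from the request.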