Version in base suite: 2.16.1+ds-deb12u5 Base version: lemonldap-ng_2.16.1+ds-deb12u5 Target version: lemonldap-ng_2.16.1+ds-deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u6.dsc changelog | 6 ++++++ patches/CVE-2025-31510.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 40 insertions(+) diff -Nru lemonldap-ng-2.16.1+ds/debian/changelog lemonldap-ng-2.16.1+ds/debian/changelog --- lemonldap-ng-2.16.1+ds/debian/changelog 2025-02-02 11:04:04.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/changelog 2025-04-01 11:39:12.000000000 +0000 @@ -1,3 +1,9 @@ +lemonldap-ng (2.16.1+ds-deb12u6) bookworm-security; urgency=high + + * Fix XSS vulnerability in Choice module (Closes: CVE-2025-31510) + + -- Yadd Tue, 01 Apr 2025 13:39:12 +0200 + lemonldap-ng (2.16.1+ds-deb12u5) bookworm; urgency=medium * Fix CSRF on 2FA registration interface (Closes: CVE-2024-52948) diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/CVE-2025-31510.patch lemonldap-ng-2.16.1+ds/debian/patches/CVE-2025-31510.patch --- lemonldap-ng-2.16.1+ds/debian/patches/CVE-2025-31510.patch 1970-01-01 00:00:00.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/patches/CVE-2025-31510.patch 2025-04-01 11:39:12.000000000 +0000 
@@ -0,0 +1,33 @@ +Description: fix XSS/HTML Injection through tab parameter (Choice) + An input validation vulnerability has been identified in the tab parameter + when authentication is set to Choice. + This issue allows for the injection of malicious content, including HTML, + iframes, or JavaScript, with varying impacts depending on the applied + Content Security Policy (CSP) configuration. +Author: Yadd +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/a790b15e9 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 +Forwarded: not-needed +Applied-Upstream: 2.16.5, commit:a790b15e9 +Last-Update: 2025-03-29 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm +@@ -596,12 +596,16 @@ + if ( $self->conf->{authentication} eq 'Choice' + and my $authLoop = $self->_buildAuthLoop($req) ) + { ++ my $tab = $req->param("tab"); ++ if ($tab) { ++ $tab = undef unless grep { $_->{key} eq $tab } @$authLoop; ++ } + %templateParams = ( + %templateParams, + AUTH_LOOP => $authLoop, + CHOICE_PARAM => $self->conf->{authChoiceParam}, + CHOICE_VALUE => $req->data->{_authChoice}, +- DISPLAY_TAB => scalar( $req->param("tab") ), ++ DISPLAY_TAB => $tab, + DISPLAY_FORM => 0, + DISPLAY_OPENID_FORM => 0, + DISPLAY_YUBIKEY_FORM => 0, diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/series lemonldap-ng-2.16.1+ds/debian/patches/series --- lemonldap-ng-2.16.1+ds/debian/patches/series 2025-02-02 10:57:52.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/patches/series 2025-04-01 11:39:12.000000000 +0000 @@ -15,3 +15,4 @@ fix-xss-in-upgrade-plugin.patch CVE-2024-52948.patch fix-test-when-ldap-server-exists.patch +CVE-2025-31510.patch
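Review bot: in the Display.pm hunk (`@@ -596,12 +596,16 @@`), the `if ($tab)` guard makes the allowlist check depend on truthiness, so a false but defined value such as `0` or the empty string is never compared against `@$authLoop` and is still passed to `DISPLAY_TAB`. Those values are not dangerous, but the validation is easier to reason about when it is unconditional, for example `$tab = undef unless defined $tab and grep { $_->{key} eq $tab } @$authLoop;`. The rejection is also silent: a log line when `tab` matches no `key` would give operators a signal that this parameter is being probed. The patch adds no regression test for a non-matching `tab` value, and the hunk does not show how the template emits `DISPLAY_TAB`, so it is worth confirming the value is escaped there as well.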
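Review bot: in the debian/changelog hunk, `(Closes: CVE-2025-31510)` puts a CVE identifier where Debian tooling expects bug numbers, so it closes nothing in the bug tracker; the earlier entry for CVE-2024-52948 follows the same pattern. Naming the CVE in the entry text, as in `Fix XSS vulnerability in Choice module (CVE-2025-31510)`, and keeping `Closes: #NNNNNN` (placeholder) for an actual Debian bug number keeps the changelog machine-readable.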