Version in base suite: 2.0.2+ds-7+deb10u2
Base version: lemonldap-ng_2.0.2+ds-7+deb10u2
Target version: lemonldap-ng_2.0.2+ds-7+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.0.2+ds-7+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.0.2+ds-7+deb10u3.dsc
NEWS | 14 ++
changelog | 12 +
patches/CVE-2019-19791.patch | 219 ++++++++++++++++++++++++++++++++++++
patches/grantsession-with-2fa.patch | 26 ++++
patches/oidc-redirection-test.patch | 52 ++++++++
patches/series | 3
6 files changed, 326 insertions(+)
diff -Nru lemonldap-ng-2.0.2+ds/debian/NEWS lemonldap-ng-2.0.2+ds/debian/NEWS
--- lemonldap-ng-2.0.2+ds/debian/NEWS 2019-09-05 19:04:48.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/NEWS 2020-03-06 19:47:32.000000000 +0000
@@ -1,3 +1,17 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
+
+ This version fixes 3 security issues. However, you must verify 2 things:
+ * if you enabled SOAP/REST plugins, verify in your portal web configuration
+ file that they are well protected (see new default configuration files:
+ /etc/lemonldap-ng/portal-apache2.X.conf and
+ /etc/lemonldap-ng/portal-nginx.conf)
+ * if you enabled OpenID-Connect identity provider, your relaying parties
+ must have a redirection uri. You just have to save a new configuration
+ using the manager and automatic tests will fail if one relying party is
+ misconfigured
+
+ -- Xavier Guimard Fri, 20 Dec 2019 18:12:54 +0100
+
lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium
2.0 is a major release, many things have been changed. You must read
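Review bot: "relaying parties" in the OpenID-Connect bullet should be "relying parties" (the term used correctly two lines later as "relying party"), and "redirection uri" would read better as "redirect URI", the name of the OIDC parameter. The entry is dated Fri, 20 Dec 2019 while the changelog entry for the same version below is dated Fri, 06 Mar 2020; the NEWS date should match the upload so that tools ordering NEWS entries by date keep it above 2.0.0+ds-1.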
diff -Nru lemonldap-ng-2.0.2+ds/debian/changelog lemonldap-ng-2.0.2+ds/debian/changelog
--- lemonldap-ng-2.0.2+ds/debian/changelog 2019-09-05 19:46:45.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/changelog 2020-03-06 19:47:32.000000000 +0000
@@ -1,3 +1,15 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
+
+ * Fix default configuration to prevent unwanted access to admin endpoints
+ (Closes: CVE-2019-19791)
+ * Fix the GrantSession plugin which could not prohibit logon when a 2FA was
+ used
+ * Fix for OIDC: any redirection where allowed when relaying party was
+ configured without redirect_uri
+ * Update debian/NEWS
+
+ -- Xavier Guimard Fri, 06 Mar 2020 20:47:32 +0100
+
lemonldap-ng (2.0.2+ds-7+deb10u2) buster-security; urgency=high
* Add patch to fix OIDC vulnerabilities (Closes: CVE-2019-15941)
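Review bot: "any redirection where allowed when relaying party was configured without redirect_uri" should read "any redirect URI was allowed when a relying party was configured without redirect_uri". Also, "(Closes: CVE-2019-19791)" closes nothing: the Closes field only acts on Debian bug numbers, so write the CVE id plainly (as the previous entry does for CVE-2019-15941, which pairs it with a bug number) and add the BTS bug number if one exists.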
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch 2020-03-06 19:47:32.000000000 +0000
@@ -0,0 +1,219 @@
+Description: default configuration didn't really protect admin endpoint
+ These files are used to provide default LLNG files
+Author: LLNG Authors
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
+@@ -27,9 +27,9 @@
+ if ( $self->env->{X_ORIGINAL_URI} );
+ $self->env->{PATH_INFO} =~ s|//+|/|g;
+
+- if ( my $tmp = $self->script_name ) {
+- $self->env->{PATH_INFO} =~ s|^$tmp|/|;
+- }
++ #if ( my $tmp = $self->script_name ) {
++ # $self->env->{PATH_INFO} =~ s|^$tmp|/|;
++ #}
+ $self->env->{PATH_INFO} ||= '/';
+ $self->{uri} = uri_unescape( $self->env->{REQUEST_URI} );
+ $self->{uri} =~ s|^//+|/|g;
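Review bot: the three lines that stripped $self->script_name from PATH_INFO are commented out rather than removed, with no comment explaining why the stripping is wrong; a future reader will be tempted to restore them. Delete the dead code and add a one-line comment stating that PATH_INFO must keep the script-name prefix, and mention this Request.pm behaviour change in the Description header, which currently only speaks of default configuration files.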
+--- a/_example/etc/manager-apache2.4.conf
++++ b/_example/etc/manager-apache2.4.conf
+@@ -34,10 +34,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
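Review bot: moving both conditions from %{REQUEST_FILENAME} to %{REQUEST_URI} is the right call: REQUEST_FILENAME can already hold a mapped filesystem path by the time the rule is evaluated, so matching it against URL prefixes such as `^/(?:static|doc|lib|javascript|favicon)` is not reliable, whereas REQUEST_URI is always the request path. The new `!\.html(?:/.*)?$` also covers a `.html` followed by extra path info. Note that the documentation copies of the same stanza later in this patch (configlocation.html, performances.html) get REQUEST_URI but not the `(?:/.*)?` suffix, so the shipped config and the docs now disagree.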
+--- a/_example/etc/manager-apache2.X.conf
++++ b/_example/etc/manager-apache2.X.conf
+@@ -28,10 +28,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
+--- a/_example/etc/manager-apache2.conf
++++ b/_example/etc/manager-apache2.conf
+@@ -28,10 +28,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
+--- a/_example/etc/portal-apache2.4.conf
++++ b/_example/etc/portal-apache2.4.conf
+@@ -30,8 +30,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
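Review bot: the exclusion now reads `.*\.fcgi(?:/.*)?` so that a request for `/index.fcgi/<anything>` is no longer rewritten again to `/index.fcgi/index.fcgi/<anything>`; that is the only Apache-side change for the portal in this patch, and the denial of the admin REST paths themselves is not in this hunk. Since debian/NEWS asks admins to verify that the SOAP/REST endpoints are protected, the Description should say where in portal-apache2.X.conf those deny rules live, or the patch should add them, so the advice is actionable.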
+--- a/_example/etc/portal-apache2.X.conf
++++ b/_example/etc/portal-apache2.X.conf
+@@ -31,8 +31,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-apache2.conf
++++ b/_example/etc/portal-apache2.conf
+@@ -26,8 +26,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -42,6 +42,31 @@
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
+
++ # REST/SOAP functions for sessions management (disabled by default)
++ location ~ ^/index.psgi/adminSessions {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for sessions access (disabled by default)
++ location ~ ^/index.psgi/sessions {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for configuration access (disabled by default)
++ location ~ ^/index.psgi/config {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for notification insertion (disabled by default)
++ location ~ ^/index.psgi/notification {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++
+ }
+
+ index index.psgi;
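Review bot: the four deny-all blocks are added inside the enclosing location (they sit just before its closing brace) instead of at top level; if that enclosing location is a regex location for index.psgi (its header is outside this hunk), this is what makes them effective, because nginx gives a matching regex location precedence over plain prefix locations such as the old `location /index.psgi/adminSessions { deny all; }`. Two things to tidy: `fastcgi_pass llng_portal_upstream;` inside each block is never reached, since `deny all` rejects the request in the access phase before any content handler runs, so either drop it or comment why it is kept; and the unescaped dot in `^/index.psgi/...` should be `^/index\.psgi/...`. The double blank line before the closing brace can go as well.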
+@@ -56,26 +81,6 @@
+ alias __PORTALSTATICDIR__;
+ }
+
+- # REST/SOAP functions for sessions management (disabled by default)
+- location /index.psgi/adminSessions {
+- deny all;
+- }
+-
+- # REST/SOAP functions for sessions access (disabled by default)
+- location /index.psgi/sessions {
+- deny all;
+- }
+-
+- # REST/SOAP functions for configuration access (disabled by default)
+- location /index.psgi/config {
+- deny all;
+- }
+-
+- # REST/SOAP functions for notification insertion (disabled by default)
+- location /index.psgi/notification {
+- deny all;
+- }
+-
+ # DEBIAN
+ # If install was made with USEDEBIANLIBS (official releases), uncomment this
+ location /javascript/ {
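Review bot: removing these top-level prefix locations is consistent with re-adding them nested in the previous hunk; a short comment at the old spot ("moved inside the index.psgi location, see above") would help anyone diffing their locally modified portal-nginx.conf against the new default, which debian/NEWS asks them to do.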
+--- a/doc/pages/documentation/current/configlocation.html
++++ b/doc/pages/documentation/current/configlocation.html
+@@ -316,8 +316,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
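Review bot: this documentation copy keeps `.*\.fcgi)$` while the shipped portal-apache2*.conf files in the same patch use `.*\.fcgi(?:/.*)?)$`; anyone copying the stanza from the docs would still rewrite `/index.fcgi/<path>` requests. Align the documented line with the shipped one.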
+@@ -392,10 +392,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+
+ Alias /psgi/ /var/lib/lemonldap-ng/manager/psgi/
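Review bot: same inconsistency as above: the documented manager stanza uses `!\.html$` where the shipped manager-apache2*.conf files now use `!\.html(?:/.*)?$`. Update the doc to match.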
+--- a/doc/pages/documentation/current/performances.html
++++ b/doc/pages/documentation/current/performances.html
+@@ -424,8 +424,8 @@
+
+ RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
+ # DirectoryIndex manager.html
+-# RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++# RewriteCond "%{REQUEST_URI}" "!\.html$"
++RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+
+
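Review bot: performances.html has the same gap as configlocation.html: REQUEST_URI is adopted but the `(?:/.*)?` suffix added to the shipped manager configuration is missing from both `\.html$` lines in this file.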
+@@ -433,8 +433,8 @@
+
+ # RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
+ DirectoryIndex manager.html
+-RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++RewriteCond "%{REQUEST_URI}" "!\.html$"
++RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+
+
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch 2020-03-06 19:47:32.000000000 +0000
@@ -0,0 +1,26 @@
+Description: grantSession cannot prevent session establishment when 2FA is in use
+Author: Maxime Besson
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/3ee708d
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1965
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
+@@ -97,7 +97,6 @@
+ $req->id( delete $req->sessionInfo->{_2fRealSession} );
+ $req->urldc( delete $req->sessionInfo->{_2fUrldc} );
+ $req->{sessionInfo}->{_utime} = delete $req->{sessionInfo}->{_2fUtime};
+- $self->p->rebuildCookies($req);
+ $req->mustRedirect(1);
+ $self->userLogger->notice( $self->prefix
+ . '2F verification for '
+@@ -112,6 +111,7 @@
+ [
+ @{ $self->p->afterData },
+ $self->p->validSession,
++ 'rebuildCookies',
+ @{ $self->p->endAuth },
+ sub { PE_OK }
+ ]
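Review bot: moving `rebuildCookies` out of the direct call (previous hunk) into the process chain after `$self->p->validSession` is the correct ordering fix: the session cookies are now only built once the validSession step, where GrantSession-style checks run, has accepted the session, instead of before it. The patch touches only SecondFactor.pm and ships no regression test for the case it fixes (GrantSession refusing a logon that used a second factor); a test in the portal test suite would keep this ordering from being undone, and the `Description` line should end with the upstream issue wording so the intent is clear from the patch header alone.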
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch 2020-03-06 19:47:32.000000000 +0000
@@ -0,0 +1,52 @@
+Description:
+ When LL::NG is configured as OIDC provider and we declare an OIDC RP without
+ configuring oidcRPMetaDataOptionsRedirectUris, the redirection to redirect_uri
+ set by the RP is always granted.
+ .
+ The OpenID Connect core specification [1] says:
+ .
+ redirect_uri
+ REQUIRED. Redirection URI to which the response will be sent. This URI
+ MUST exactly match one of the Redirection URI values for the Client
+ pre-registered at the OpenID Provider
+ .
+ To avoid breaking existing federations, the fix consists to refuse
+ configuration update without valid redirections. An entry in debian/NEWS
+ has to explain that configuration must be checked.
+ .
+ [1]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+Author: Clément Oudot
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/17e77d90
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
+@@ -630,6 +630,25 @@
+ return 1;
+ },
+
++ # OIDC redirect URI must not be empty
++ oidcRPRedirectURINotEmpty => sub {
++ return 1
++ unless ( $conf->{oidcRPMetaDataOptions}
++ and %{ $conf->{oidcRPMetaDataOptions} } );
++ my @msg;
++ my $res = 1;
++ foreach my $oidcRpId ( keys %{ $conf->{oidcRPMetaDataOptions} } ) {
++ unless ( $conf->{oidcRPMetaDataOptions}->{$oidcRpId}
++ ->{oidcRPMetaDataOptionsRedirectUris} )
++ {
++ push @msg,
++ "$oidcRpId OpenID Connect RP has no redirect URI defined";
++ $res = 0;
++ next;
++ }
++ }
++ return ( $res, join( ', ', @msg ) );
++ },
+ };
+ }
+
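Review bot: the test only checks the truthiness of `oidcRPMetaDataOptionsRedirectUris`, so a value consisting of whitespace would pass the check while still matching no redirect URI; strip whitespace before testing, or test against a non-empty list of URIs. The `next;` at the end of the `unless` block is redundant since it is already the last statement in the loop body. Note also, as the Description says, that this is a manager-side save-time check, not a runtime fix: an existing relying party without redirect URIs stays permissive until the configuration is re-saved, which is exactly why debian/NEWS tells administrators to save a new configuration; the Description should state that limitation explicitly.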
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/series lemonldap-ng-2.0.2+ds/debian/patches/series
--- lemonldap-ng-2.0.2+ds/debian/patches/series 2019-09-05 19:40:23.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/series 2020-03-06 19:47:32.000000000 +0000
@@ -5,3 +5,6 @@
update-translations.diff
CVE-2019-12046.patch
CVE-2019-15941-and-other-OIDC-fixes.patch
+CVE-2019-19791.patch
+grantsession-with-2fa.patch
+oidc-redirection-test.patch