Version in base suite: 2.0.2+ds-7+deb10u2
Base version: lemonldap-ng_2.0.2+ds-7+deb10u2
Target version: lemonldap-ng_2.0.2+ds-7+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.0.2+ds-7+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.0.2+ds-7+deb10u3.dsc
NEWS | 14 ++
changelog | 12 +
patches/CVE-2019-19791.patch | 219 ++++++++++++++++++++++++++++++++++++
patches/grantsession-with-2fa.patch | 26 ++++
patches/oidc-redirection-test.patch | 52 ++++++++
patches/series | 3
6 files changed, 326 insertions(+)
diff -Nru lemonldap-ng-2.0.2+ds/debian/NEWS lemonldap-ng-2.0.2+ds/debian/NEWS
--- lemonldap-ng-2.0.2+ds/debian/NEWS 2019-09-05 19:04:48.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/NEWS 2020-03-06 19:47:32.000000000 +0000
@@ -1,3 +1,17 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
+
+ This version fixes 3 security issues. However, you must verify 2 things:
+ * if you enabled SOAP/REST plugins, verify in your portal web configuration
+ file that they are well protected (see new default configuration files:
+ /etc/lemonldap-ng/portal-apache2.X.conf and
+ /etc/lemonldap-ng/portal-nginx.conf)
+ * if you enabled OpenID-Connect identity provider, your relaying parties
+ must have a redirection uri. You just have to save a new configuration
+ using the manager and automatic tests will fail if one relying party is
+ misconfigured
+
+ -- Xavier Guimard Fri, 20 Dec 2019 18:12:54 +0100
+
 lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium
 2.0 is a major release, many things have been changed. You must read
diff -Nru lemonldap-ng-2.0.2+ds/debian/changelog lemonldap-ng-2.0.2+ds/debian/changelog
--- lemonldap-ng-2.0.2+ds/debian/changelog 2019-09-05 19:46:45.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/changelog 2020-03-06 19:47:32.000000000 +0000
@@ -1,3 +1,15 @@
+lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium
+
+ * Fix default configuration to prevent unwanted access to admin endpoints
+ (Closes: CVE-2019-19791)
+ * Fix the GrantSession plugin which could not prohibit logon when a 2FA was
+ used
+ * Fix for OIDC: any redirection where allowed when relaying party was
+ configured without redirect_uri
+ * Update debian/NEWS
+
+ -- Xavier Guimard Fri, 06 Mar 2020 20:47:32 +0100
+
 lemonldap-ng (2.0.2+ds-7+deb10u2) buster-security; urgency=high
 * Add patch to fix OIDC vulnerabilities (Closes: CVE-2019-15941)
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/CVE-2019-19791.patch 2020-03-06 19:47:32.000000000 +0000
@@ -0,0 +1,219 @@
+Description: default configuration didn't really protect admin endpoint
+ These files are used to provide default LLNG files
+Author: LLNG Authors
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm
+@@ -27,9 +27,9 @@
+ if ( $self->env->{X_ORIGINAL_URI} );
+ $self->env->{PATH_INFO} =~ s|//+|/|g;
+
+- if ( my $tmp = $self->script_name ) {
+- $self->env->{PATH_INFO} =~ s|^$tmp|/|;
+- }
++ #if ( my $tmp = $self->script_name ) {
++ # $self->env->{PATH_INFO} =~ s|^$tmp|/|;
++ #}
+ $self->env->{PATH_INFO} ||= '/';
+ $self->{uri} = uri_unescape( $self->env->{REQUEST_URI} );
+ $self->{uri} =~ s|^//+|/|g;
+--- a/_example/etc/manager-apache2.4.conf
++++ b/_example/etc/manager-apache2.4.conf
+@@ -34,10 +34,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
+--- a/_example/etc/manager-apache2.X.conf
++++ b/_example/etc/manager-apache2.X.conf
+@@ -28,10 +28,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" 
"!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
+--- a/_example/etc/manager-apache2.conf
++++ b/_example/etc/manager-apache2.conf
+@@ -28,10 +28,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
+
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+ RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+ # 2) FastCGI engine
+--- a/_example/etc/portal-apache2.4.conf
++++ b/_example/etc/portal-apache2.4.conf
+@@ -30,8 +30,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-apache2.X.conf
++++ b/_example/etc/portal-apache2.X.conf
+@@ -31,8 +31,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line. 
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-apache2.conf
++++ b/_example/etc/portal-apache2.conf
+@@ -26,8 +26,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+ # Note that Content-Security-Policy header is generated by portal itself
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -42,6 +42,31 @@
+ #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ #uwsgi_param SCRIPT_NAME $sc;
+
++ # REST/SOAP functions for sessions management (disabled by default)
++ location ~ ^/index.psgi/adminSessions {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for sessions access (disabled by default)
++ location ~ ^/index.psgi/sessions {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for configuration access (disabled by default)
++ location ~ ^/index.psgi/config {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++ # REST/SOAP functions for notification insertion (disabled by default)
++ location ~ ^/index.psgi/notification {
++ fastcgi_pass llng_portal_upstream;
++ deny all;
++ }
++
++
+ }
+
+ index index.psgi;
+@@ -56,26 +81,6 @@
+ alias 
__PORTALSTATICDIR__;
+ }
+
+- # REST/SOAP functions for sessions management (disabled by default)
+- location /index.psgi/adminSessions {
+- deny all;
+- }
+-
+- # REST/SOAP functions for sessions access (disabled by default)
+- location /index.psgi/sessions {
+- deny all;
+- }
+-
+- # REST/SOAP functions for configuration access (disabled by default)
+- location /index.psgi/config {
+- deny all;
+- }
+-
+- # REST/SOAP functions for notification insertion (disabled by default)
+- location /index.psgi/notification {
+- deny all;
+- }
+-
+ # DEBIAN
+ # If install was made with USEDEBIANLIBS (official releases), uncomment this
+ location /javascript/ {
+--- a/doc/pages/documentation/current/configlocation.html
++++ b/doc/pages/documentation/current/configlocation.html
+@@ -316,8 +316,8 @@
+ # For performances, you can put static html files: simply put the HTML
+ # result (example: /oauth2/checksession.html) as static file. Then
+ # uncomment the following line.
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
+ RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+  
+ # Note that Content-Security-Policy header is generated by portal itself
+@@ -392,10 +392,10 @@
+ # (configuration, sessions, notifications) as manager.html, sessions.html,
+ # notifications.html and uncomment the 2 following lines:
+ # DirectoryIndex manager.html
+- # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
++ # RewriteCond "%{REQUEST_URI}" "!\.html$"
+  
+ # REST URLs
+- RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++ RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+  
+ Alias /psgi/ /var/lib/lemonldap-ng/manager/psgi/
+--- a/doc/pages/documentation/current/performances.html
++++ 
b/doc/pages/documentation/current/performances.html +@@ -424,8 +424,8 @@ +

+
RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
+ # DirectoryIndex manager.html
+-# RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++# RewriteCond "%{REQUEST_URI}" "!\.html$"
++RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+ +

+@@ -433,8 +433,8 @@ +

+
# RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
+ DirectoryIndex manager.html
+-RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
+-RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
++RewriteCond "%{REQUEST_URI}" "!\.html$"
++RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib).*"
+ RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
+ +
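Review bot: The Request.pm hunk (`@@ -27,9 +27,9 @@`) disables the `script_name` stripping by commenting the three lines out (`#if ( my $tmp = $self->script_name ) { ... #}`) and gives no reason, so a later maintainer cannot tell whether the block is dead or merely paused; delete the lines and leave a why-comment grounded in the patch Description, e.g. `# Keep PATH_INFO as received: the default vhost rules rely on the full path to protect the admin endpoints (CVE-2019-19791)`. The enclosing method starts and ends outside that hunk, so whether anything later still depends on the stripped form cannot be checked from here. The configlocation.html hunks keep `.*\.fcgi)$` and `!\.html$` while every shipped `_example/etc/portal-apache2*.conf` and `manager-apache2*.conf` now uses `.*\.fcgi(?:/.*)?)$` and `!\.html(?:/.*)?$`, so an administrator who copies the documented snippet ends up with the weaker rule; the documentation should carry the same regexes as the example configs. In the portal-nginx.conf hunk the four regex locations such as `location ~ ^/index.psgi/adminSessions {` leave the `.` unescaped and the prefix unterminated; that is harmless for a `deny all` block, but `^/index\.psgi/adminSessions` states the intent precisely.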

diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/grantsession-with-2fa.patch 2020-03-06 19:47:32.000000000 +0000
@@ -0,0 +1,26 @@
+Description: grantSession cannot prevent session establishment when 2FA is in use
+Author: Maxime Besson
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/3ee708d
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1965
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
+@@ -97,7 +97,6 @@
+ $req->id( delete $req->sessionInfo->{_2fRealSession} );
+ $req->urldc( delete $req->sessionInfo->{_2fUrldc} );
+ $req->{sessionInfo}->{_utime} = delete $req->{sessionInfo}->{_2fUtime};
+- $self->p->rebuildCookies($req);
+ $req->mustRedirect(1);
+ $self->userLogger->notice( $self->prefix
+ . '2F verification for '
+@@ -112,6 +111,7 @@
+ [
+ @{ $self->p->afterData },
+ $self->p->validSession,
++ 'rebuildCookies',
+ @{ $self->p->endAuth },
+ sub { PE_OK }
+ ]
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch
--- lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/oidc-redirection-test.patch 2020-03-06 19:47:32.000000000 +0000
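Review bot: The new `'rebuildCookies',` entry in the `@@ -112` hunk is a bare method name placed among the other step entries, and nothing in the hunk explains why it must run after `$self->p->validSession` instead of where the removed `$self->p->rebuildCookies($req)` call stood in the `@@ -97` hunk; the ordering is the whole fix, so add a comment above it such as `# Rebuild SSO cookies only once validSession has accepted the session, so a plugin hooked there (GrantSession) can still refuse it without a cookie already issued`. I am inferring from the step list that string entries are resolved to portal methods; that mechanism lives outside the hunk, so it is worth confirming against the process runner. The `@@ -97` hunk still sets `$req->mustRedirect(1)` before the step list runs, which presumably only matters once the list returns PE_OK, but the enclosing method starts and ends outside both hunks so this cannot be verified here.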
@@ -0,0 +1,52 @@
+Description:
+ When LL::NG is configured as OIDC provider and we declare an OIDC RP without
+ configuring oidcRPMetaDataOptionsRedirectUris, the redirection to redirect_uri
+ set by the RP is always granted.
+ .
+ The OpenID Connect core specification [1] says:
+ .
+ redirect_uri
+ REQUIRED. Redirection URI to which the response will be sent. This URI
+ MUST exactly match one of the Redirection URI values for the Client
+ pre-registered at the OpenID Provider
+ .
+ To avoid breaking existing federations, the fix consists to refuse
+ configuration update without valid redirections. An entry in debian/NEWS
+ has to explain that configuration must be checked.
+ .
+ [1]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+Author: Clément Oudot
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/17e77d90
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-20
+
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
+@@ -630,6 +630,25 @@
+ return 1;
+ },
+
++ # OIDC redirect URI must not be empty
++ oidcRPRedirectURINotEmpty => sub {
++ return 1
++ unless ( $conf->{oidcRPMetaDataOptions}
++ and %{ $conf->{oidcRPMetaDataOptions} } );
++ my @msg;
++ my $res = 1;
++ foreach my $oidcRpId ( keys %{ $conf->{oidcRPMetaDataOptions} } ) {
++ unless ( $conf->{oidcRPMetaDataOptions}->{$oidcRpId}
++ ->{oidcRPMetaDataOptionsRedirectUris} )
++ {
++ push @msg,
++ "$oidcRpId OpenID Connect RP has no redirect URI defined";
++ $res = 0;
++ next;
++ }
++ }
++ return ( $res, join( ', ', @msg ) );
++ },
+ };
+ }
+
diff -Nru lemonldap-ng-2.0.2+ds/debian/patches/series lemonldap-ng-2.0.2+ds/debian/patches/series
--- lemonldap-ng-2.0.2+ds/debian/patches/series 2019-09-05 19:40:23.000000000 +0000
+++ lemonldap-ng-2.0.2+ds/debian/patches/series 2020-03-06 19:47:32.000000000 
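Review bot: In `oidcRPRedirectURINotEmpty` the `next;` at the end of the `unless` block is a no-op because it is already the last statement of the loop body, and `$res` plus `@msg` are maintained by hand where a single `grep` over the RP ids says the same thing; the rewrite below also sorts the ids so the returned message is stable between runs, and keeps the `( $res, $msg )` return shape. The check is only a truthiness test on `oidcRPMetaDataOptionsRedirectUris`, so if that option is stored as a string a whitespace-only value would pass; `=~ /\S/` would catch it, but I cannot see the option's type from the hunk, so I left that out. The enclosing hash constructor and its sub start before the hunk.
```perl
    # OIDC redirect URI must not be empty
    oidcRPRedirectURINotEmpty => sub {
        return 1
          unless ( $conf->{oidcRPMetaDataOptions}
            and %{ $conf->{oidcRPMetaDataOptions} } );
        # Every RP id whose redirect URI option is unset or empty.
        my @missing = grep {
            !$conf->{oidcRPMetaDataOptions}->{$_}
              ->{oidcRPMetaDataOptionsRedirectUris}
        } sort keys %{ $conf->{oidcRPMetaDataOptions} };
        return (
            @missing ? 0 : 1,
            join( ', ',
                map { "$_ OpenID Connect RP has no redirect URI defined" }
                  @missing )
        );
    },
```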
+0000
@@ -5,3 +5,6 @@
 update-translations.diff
 CVE-2019-12046.patch
 CVE-2019-15941-and-other-OIDC-fixes.patch
+CVE-2019-19791.patch
+grantsession-with-2fa.patch
+oidc-redirection-test.patch