Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: secur...@debian.org

Please unblock package lemonldap-ng

[ Reason ]
lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12. This update fixes:
 * Session cache corruption can lead to authorization bypass or spoofing (Closes: CVE-2021-35472)
 * OAuth2 handler does not verify access token validity (Closes: CVE-2021-35473)
 * XSS on register form
 * Bad behavior which displays TOTP secret to connected user and debug logs

[ Impact ]
One high vulnerability (CVE-2021-35472) and medium others

[ Tests ]
New upstream test not imported here. Current tests passed (both build and autopkgtest)

[ Risks ]
Low risk. lemonldap-ng is developed following BDD/TDD, so most features are tested.

[ Checklist ]
 [X] all changes are documented in the d/changelog
 [X] I reviewed all changes and I approve them
 [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock lemonldap-ng/2.0.11+ds-4
diff --git a/debian/changelog b/debian/changelog index d3c338880..a56d54279 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +lemonldap-ng (2.0.11+ds-4) unstable; urgency=high + + * Import security fixes from 2.0.12 + * Session cache corruption can lead to authorization bypass or spoofing + (Closes: CVE-2021-35472) + * OAuth2 handler does not verify access token validity + (Closes: CVE-2021-35473) + * Fix XSS on register form + * Don't display TOTP secret to connected user, neither in logs + + -- Yadd <y...@debian.org> Thu, 22 Jul 2021 22:13:38 +0200 + lemonldap-ng (2.0.11+ds-3) unstable; urgency=medium * Add Breaks+Replaces in lemonldap-ng-handler for diff --git a/debian/patches/CVE-2021-35472.patch b/debian/patches/CVE-2021-35472.patch new file mode 100644 index 000000000..16a4e4c10 --- /dev/null +++ b/debian/patches/CVE-2021-35472.patch @@ -0,0 +1,30 @@ +Description: fix session cache corruption +Author: Yadd <y...@debian.org> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/b6a1f946 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539 +Forwarded: not-needed +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm ++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm +@@ -139,7 +139,9 @@ + } + + # Try to recover cookie and user session +- if ( $id = $class->fetchId($req) ++ $id = $class->fetchId($req); ++ $class->data( {} ) unless($id); ++ if ( $id + and $session = $class->retrieveSession( $req, $id ) ) + { + +--- a/lemonldap-ng-portal/t/75-2F-Registers.t ++++ b/lemonldap-ng-portal/t/75-2F-Registers.t +@@ -439,6 +439,7 @@ + ), + 'Push U2F signature' + ); ++ $id = expectCookie($res); + ok( + $res = $client->_get( + '/2fregisters', diff --git a/debian/patches/CVE-2021-35473.patch b/debian/patches/CVE-2021-35473.patch new file mode 100644 index 000000000..535252b03 --- /dev/null +++ b/debian/patches/CVE-2021-35473.patch 
@@ -0,0 +1,69 @@ +Description: Add missing access token expiration check in OAuth2 handler +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/23a8a100 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm ++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm +@@ -10,16 +10,17 @@ + + # Retrieve regular session if this is not an offline access token + unless ($offlineId) { +- my $data = { +- %{ +- $class->Lemonldap::NG::Handler::Main::retrieveSession( $req, +- $id ) +- }, +- $class->_getTokenAttributes($req) +- }; ++ my $data = ++ $class->Lemonldap::NG::Handler::Main::retrieveSession( $req, $id ); ++ if ( ref($data) eq "HASH" ) { ++ $data = { %{$data}, $class->_getTokenAttributes($req) }; + +- # Update cache +- $class->data($data); ++ # Update cache ++ $class->data($data); ++ } ++ else { ++ $req->data->{oauth2_error} = 'invalid_token'; ++ } + return $data; + } + +@@ -87,6 +88,10 @@ + + # Get access token session + my $infos = $class->getOIDCInfos($access_token); ++ unless ($infos) { ++ $req->data->{oauth2_error} = 'invalid_token'; ++ return; ++ } + + # Store scope and rpid for future session attributes + if ( $infos->{rp} ) { +@@ -141,6 +146,20 @@ + unless ( $oidcSession->error ) { + $class->logger->debug("Get OIDC session $id"); + ++ # Verify that session is valid ++ unless ( $oidcSession->data->{_utime} ) { ++ $class->logger->error("_utime missing from Access Token session"); ++ return; ++ } ++ ++ my $ttl = $class->tsv->{timeout} - time + $oidcSession->data->{_utime}; ++ $class->logger->debug( "Session TTL = " . 
$ttl ); ++ ++ if ( time - $oidcSession->data->{_utime} > $class->tsv->{timeout} ) { ++ $class->logger->info("Access Token session $id expired"); ++ return; ++ } ++ + $infos = { %{ $oidcSession->data } }; + } + else { diff --git a/debian/patches/dont-display-totp-secret.patch b/debian/patches/dont-display-totp-secret.patch new file mode 100644 index 000000000..d9fd960fa --- /dev/null +++ b/debian/patches/dont-display-totp-secret.patch @@ -0,0 +1,21 @@ +Description: don't display TOTP secret to connected user neither in logs +Author: Maxime Besson +Origin: upstream +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm +@@ -226,10 +226,6 @@ + return $self->p->sendError( $req, 'notAuthorized', 200 ); + } + +- elsif ( $self->conf->{totp2fDisplayExistingSecret} ) { +- $self->logger->debug("User secret = $secret"); +- } +- + else { + return $self->p->sendError( $req, 'totpExistingKey', 200 ); + } diff --git a/debian/patches/fix-trusted-domain-regex.patch b/debian/patches/fix-trusted-domain-regex.patch new file mode 100644 index 000000000..526b208db --- /dev/null +++ b/debian/patches/fix-trusted-domain-regex.patch 
@@ -0,0 +1,46 @@ +Description: fix trusted domain regex +Author: Yadd <y...@debian.org> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/3b8222ae8 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2535 +Forwarded: not-needed +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm +@@ -391,7 +391,7 @@ + } + } + +- my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; ++ my $tmp = '^https?://' . $re->as_string . '(?::\d+)?(?:/|$)'; + $self->trustedDomainsRe(qr/$tmp/); + + } +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm +@@ -885,14 +885,14 @@ + my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction}; + if ( my $url = $req->urldc ) { + $self->logger->debug("Required urldc : $url"); +- $url =~ s#(https?://[^/]+).*#$1#; ++ $url =~ s#^(https?://[^/]+).*#$1#; + $self->logger->debug("Set CSP form-action with urldc : $url"); + $csp .= " $url"; + } + my $url = $args{params}->{URL}; + if ( defined $url ) { + $self->logger->debug("Required Params URL : $url"); +- if ( $url =~ s#(https?://[^/]+).*#$1# ) { ++ if ( $url =~ s#^(https?://[^/]+).*#$1# ) { + $self->logger->debug("Set CSP form-action with Params URL : $url"); + $csp .= " $url"; + } +@@ -932,7 +932,7 @@ + # Check if frames need to be embedded + my @url; + if ( $req->info ) { +- @url = map { s#https?://([^/]+).*#$1#; $_ } ++ @url = map { s#^https?://([^/]+).*#$1#; $_ } + ( $req->info =~ /<iframe.*?src="(.*?)"/sg ); + } + if (@url) { diff --git a/debian/patches/fix-trusted-domain-wildcard.patch b/debian/patches/fix-trusted-domain-wildcard.patch new file mode 100644 index 000000000..e7e73fee2 --- /dev/null +++ b/debian/patches/fix-trusted-domain-wildcard.patch 
@@ -0,0 +1,53 @@ +Description: Reject hashes in URL +Author: Yadd <y...@debian.org> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/4b20e54b +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477 +Forwarded: not-needed +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm +@@ -333,6 +333,11 @@ + "XSS attack detected (param: $name | value: $value)"); + return $self->conf->{checkXSS}; + } ++ if ( $value =~ m/#/ ) { ++ $self->userLogger->error( ++ "Browser parameters in URL (param: $name | value: $value)"); ++ return $self->conf->{checkXSS}; ++ } + return 0; + } + +--- /dev/null ++++ b/lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t +@@ -0,0 +1,29 @@ ++use Test::More; ++use strict; ++use IO::String; ++use MIME::Base64; ++ ++require 't/test-lib.pm'; ++ ++my $res; ++ ++my $client = LLNG::Manager::Test->new( ++ { ini => { logLevel => 'error', useSafeJail => 1 } } ); ++ ++ok( ++ $res = $client->_get( ++ '/', ++ query => 'url=' ++ . encode_base64( 'http://bad.com#test.example.llng', '' ) ++ ), ++ 'Try http://bad.com#test.example.llng' ++); ++expectReject($res); ++ok( $res->[2]->[0] =~ /37/, 'Rejected with PE_BADURL' ) ++ or print STDERR Dumper( $res->[2]->[0] ); ++ ++count(2); ++ ++clean_sessions(); ++ ++done_testing( count() ); diff --git a/debian/patches/fix-xss-on-register-form.patch b/debian/patches/fix-xss-on-register-form.patch new file mode 100644 index 000000000..60fc9eaee --- /dev/null +++ b/debian/patches/fix-xss-on-register-form.patch 
@@ -0,0 +1,400 @@ +Description: fix XSS on register form +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/d6968535 + https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/297dc830a +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Mail2F.pm +@@ -82,8 +82,6 @@ + } + + # Build mail content +- my %tplPrms; +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{mail2fSubject}; + +@@ -104,12 +102,16 @@ + $req, + 'mail_2fcode', + filter => $tr, +- params => \%tplPrms ++ params => { ++ code => $code, ++ }, + ); + $html = 1; + } + + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$code/$code/g; + $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge; + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm +@@ -49,6 +49,7 @@ + # HTML::Template cache interferes with email translation (#1897) + $prm{cache} = 0 unless defined $prm{cache}; + $prm{params}->{STATIC_PREFIX} = $self->p->staticPrefix; ++ $prm{params}->{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my %extra = + $self->p->can('tplParams') + ? 
$self->p->tplParams($req) +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CertificateResetByMail.pm +@@ -129,7 +129,7 @@ + + sub _certificateReset { + my ( $self, $req ) = @_; +- my ( $mailToken, %tplPrms ); ++ my ($mailToken); + + # CertificatReset FORM => modifyCertificate() + if ( $req->method =~ /^POST$/i +@@ -359,7 +359,6 @@ + ); + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{certificateResetByMailStep1Subject}; + unless ($subject) { +@@ -380,12 +379,18 @@ + $req, + 'mail_certificateConfirm', + filter => $tr, +- params => \%tplPrms ++ params => { ++ expMailDate => $req->data->{expMailDate}, ++ expMailTime => $req->data->{expMailTime}, ++ url => $url, ++ }, + ); + $html = 1; + } + + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge; + $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge; + $body =~ s/\$url/$url/g; +@@ -420,7 +425,6 @@ + + sub modifyCertificate { + my ( $self, $req ) = @_; +- my %tplPrms; + my $nbio; + my $x509; + my $notAfter; +@@ -539,7 +543,6 @@ + $req->{sessionInfo}->{ $self->conf->{mailSessionKey} } ); + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{certificateResetByMailStep2Subject}; + unless ($subject) { +@@ -560,12 +563,14 @@ + $req, + 'mail_certificateReset', + filter => $tr, +- params => \%tplPrms ++ params => {}, + ); + $html = 1; + } + + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge; + + # Send mail +--- 
a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm +@@ -91,7 +91,7 @@ + + sub _reset { + my ( $self, $req ) = @_; +- my ( $mailToken, %tplPrms ); ++ my ($mailToken); + + # PASSWORD CHANGE FORM => changePwd() + if ( +@@ -323,7 +323,6 @@ + ); + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{mailConfirmSubject}; + unless ($subject) { +@@ -344,12 +343,18 @@ + $req, + 'mail_confirm', + filter => $tr, +- params => \%tplPrms ++ params => { ++ expMailDate => $req->data->{expMailDate}, ++ expMailTime => $req->data->{expMailTime}, ++ url => $url, ++ }, + ); + $html = 1; + } + + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$expMailDate/$req->data->{expMailDate}/ge; + $body =~ s/\$expMailTime/$req->data->{expMailTime}/ge; + $body =~ s/\$url/$url/g; +@@ -496,7 +501,6 @@ + $req->{sessionInfo}->{ $self->conf->{mailSessionKey} } ); + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{mailSubject}; + unless ($subject) { +@@ -505,6 +509,8 @@ + } + my $body; + my $html; ++ my $password = $req->data->{newpassword}; ++ + if ( $self->conf->{mailBody} ) { + + # We use a specific text message, no html +@@ -517,13 +523,16 @@ + $req, + 'mail_password', + filter => $tr, +- params => \%tplPrms ++ params => { ++ %tplPrms, password => $password, ++ }, + ); + $html = 1; + } + + # Replace variables in body +- my $password = $req->data->{newpassword}; ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$password/$password/g; + $body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge; + +--- 
a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm +@@ -114,7 +114,6 @@ + # Parameters check + sub _register { + my ( $self, $req ) = @_; +- my %tplPrms; + + # Check if it's a first access + unless ( ( $req->method =~ /^POST$/i and $req->param('mail') ) +@@ -301,7 +300,6 @@ + ); + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{registerConfirmSubject}; + unless ($subject) { +@@ -316,10 +314,17 @@ + $req, + 'mail_register_confirm', + filter => $tr, +- params => \%tplPrms ++ params => { ++ expMailDate => $req->data->{expMailDate}, ++ expMailTime => $req->data->{expMailTime}, ++ url => $url, ++ %{ $req->data->{registerInfo} || {} }, ++ }, + ); + + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$expMailDate/$req->data->{expMailDate}/g; + $body =~ s/\$expMailTime/$req->data->{expMailTime}/g; + $body =~ s/\$url/$url/g; +@@ -361,7 +366,6 @@ + } + + # Build mail content +- $tplPrms{MAIN_LOGO} = $self->conf->{portalMainLogo}; + my $tr = $self->translate($req); + my $subject = $self->conf->{registerDoneSubject}; + unless ($subject) { +@@ -371,14 +375,6 @@ + my $body; + my $html = 1; + +- # Use HTML template +- $body = $self->loadMailTemplate( +- $req, +- 'mail_register_done', +- filter => $tr, +- params => \%tplPrms +- ); +- + # Build portal url + my $url = $self->conf->{portal}; + $url =~ s#/*$##; +@@ -390,7 +386,20 @@ + ( $req_url ? 
( url => $req_url ) : () ), + ); + ++ # Use HTML template ++ $body = $self->loadMailTemplate( ++ $req, ++ 'mail_register_done', ++ filter => $tr, ++ params => { ++ url => $url, ++ %{ $req->data->{registerInfo} || {} }, ++ }, ++ ); ++ + # Replace variables in body ++ # FIXME: kept for compatibility with 2.0.0 mail templates ++ # in future versions this should only happen for plaintext emails + $body =~ s/\$url/$url/g; + $body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge; + +--- a/lemonldap-ng-portal/site/templates/common/mail_2fcode.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_2fcode.tpl +@@ -1,10 +1,10 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <span> +-<span trspan="hello">Hello</span> $cn,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br /> + <br /> + <span trspan="yourLoginCodeIs">Your login code is</span> +-<b>$code</b><br/> ++<b><TMPL_VAR NAME="code" ESCAPE=HTML></b><br/> + </span> + + <TMPL_INCLUDE NAME="mail_footer.tpl"> +--- a/lemonldap-ng-portal/site/templates/common/mail_certificateConfirm.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_certificateConfirm.tpl +@@ -1,10 +1,10 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $cn,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br /> + <br /> + <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span> +-<a href="$url" style="text-decoration:none;color:orange;"> ++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;"> + <span trspan="click2ResetCertificate">Click here to reset your certificate</span> + </a> + </p> +--- a/lemonldap-ng-portal/site/templates/common/mail_certificateReset.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_certificateReset.tpl +@@ -1,7 +1,7 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $cn,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR 
NAME="session_cn" ESCAPE=HTML>,<br /> + <br /> + <span trspan="resetCertificateOK">Your certificate has been successfully reset!</span> + </p> +--- a/lemonldap-ng-portal/site/templates/common/mail_confirm.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_confirm.tpl +@@ -1,10 +1,10 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $cn,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br /> + <br /> + <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span> +-<a href="$url" style="text-decoration:none;color:orange;"> ++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;"> + <span trspan="click2Reset">Click here to reset your password</span> + </a> + </p> +--- a/lemonldap-ng-portal/site/templates/common/mail_footer.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_footer.tpl +@@ -4,7 +4,7 @@ + <p> + <span trspan="autoMail">This mail was sent automatically</span><br /> + <span trspan="requestIssuedFromIP">The request was issued from IP</span> +-$ipAddr ++<TMPL_VAR NAME="session_ipAddr" ESCAPE=HTML> + </p> + </div> + +--- a/lemonldap-ng-portal/site/templates/common/mail_password.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_password.tpl +@@ -1,12 +1,12 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $cn,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="session_cn" ESCAPE=HTML>,<br /> + <br /> + <TMPL_IF NAME="RESET"> + <span trspan="newPwdIs">Your new password is</span> + <span><img src="cid:key:../common/key.png" alt="key"/></span> +-<b>$password</b> ++<b><TMPL_VAR NAME="password" ESCAPE=HTML></b> + <TMPL_ELSE> + <span trspan="pwdChanged">Your password has been successfully changed!</span> + </TMPL_IF> +--- a/lemonldap-ng-portal/site/templates/common/mail_register_confirm.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_register_confirm.tpl +@@ -1,10 +1,10 @@ + 
<TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $firstname $lastname,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="firstname" ESCAPE=HTML> <TMPL_VAR NAME="lastname" ESCAPE=HTML>,<br /> + <br /> + <span><img src="cid:arrow:../common/bullet_go.png" alt="go"/></span> +-<a href="$url" style="text-decoration:none;color:orange;"> ++<a href="<TMPL_VAR NAME="url" ESCAPE=HTML>" style="text-decoration:none;color:orange;"> + <span trspan="click2Register">Click here to confirm your account registration</span> + </a> + </p> +--- a/lemonldap-ng-portal/site/templates/common/mail_register_done.tpl ++++ b/lemonldap-ng-portal/site/templates/common/mail_register_done.tpl +@@ -1,19 +1,19 @@ + <TMPL_INCLUDE NAME="mail_header.tpl"> + + <p> +-<span trspan="hello">Hello</span> $firstname $lastname,<br /> ++<span trspan="hello">Hello</span> <TMPL_VAR NAME="firstname" ESCAPE=HTML> <TMPL_VAR NAME="lastname" ESCAPE=HTML>,<br /> + <br /> + <span trspan="accountCreated">Your account was successfully created.</span> + <br /> + <br /> + <span trspan="yourLoginIs">Your login is</span> + <span><img src="cid:key:../common/bullet_go.png" alt="go"/></span> +-<b>$login</b> ++<b><TMPL_VAR NAME="login" ESCAPE=HTML></b> + <br /> + <span trspan="pwdIs">Your password is</span> + <span><img src="cid:key:../common/key.png" alt="key"/></span> +-<b>$password</b> ++<b><TMPL_VAR NAME="password" ESCAPE=HTML></b> + </p> +-<p><a href="$url"><span trspan="goToPortal">Click here to access to portal</span></a></p> ++<p><a href="<TMPL_VAR NAME="url" ESCAPE=HTML>"><span trspan="goToPortal">Click here to access to portal</span></a></p> + + <TMPL_INCLUDE NAME="mail_footer.tpl"> diff --git a/debian/patches/series b/debian/patches/series index b1a4d299e..a1245fc76 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,3 +2,9 @@ javascript-path.patch Avoid-developer-tests.patch fix-for-pod2man.diff replace-api-doc-by-link.diff +CVE-2021-35472.patch +CVE-2021-35473.patch +fix-trusted-domain-wildcard.patch +fix-trusted-domain-regex.patch +fix-xss-on-register-form.patch +dont-display-totp-secret.patch
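Review bot: the debian/changelog hunk lists four fixes while the debian/patches/series hunk adds six patches; `fix-trusted-domain-wildcard.patch` (Description: "Reject hashes in URL", issue 2477) and `fix-trusted-domain-regex.patch` (anchoring the trusted-domain and CSP form-action regexes, issue 2535) are not mentioned, so the checklist item "all changes are documented in the d/changelog" does not hold as submitted; add a bullet for each. The file name `fix-trusted-domain-wildcard.patch` also does not match its own Description line ("Reject hashes in URL"), which will confuse anyone reading the series later.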
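Review bot: in the CVE-2021-35472 hunk for Handler/Main/Run.pm, the cache reset `$class->data( {} ) unless($id);` only covers the path where `fetchId` returns no cookie id; when an id is present but `$class->retrieveSession( $req, $id )` fails, nothing in this hunk clears `$class->data`, so stale data from a previous request on the same worker could still be served. Either confirm that `retrieveSession` resets the cache on failure, or reset it in an explicit else branch of the `if` so the fix does not depend on that.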
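Review bot: in the first CVE-2021-35473 hunk for Handler/Lib/OAuth2.pm, the `else` branch sets `$req->data->{oauth2_error} = 'invalid_token'` but then falls through to `return $data;`, returning whatever non-HASH value `retrieveSession` produced; an explicit `return;` in that branch would make the failure contract obvious to callers and match the `return;` used in the two later hunks of the same file.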
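Review bot: in the third CVE-2021-35473 hunk (getOIDCInfos, `@@ -141,6 +146,20 @@`), `$ttl` is computed as `$class->tsv->{timeout} - time + $oidcSession->data->{_utime}` only to be logged, and the expiry test is then rewritten as `time - $oidcSession->data->{_utime} > $class->tsv->{timeout}`, which is the same condition as `$ttl < 0`; use the one form (`if ( $ttl < 0 )`) so the logged TTL and the enforced check cannot drift apart. Also worth noting in the changelog: this ties access token lifetime to the generic session timeout `$class->tsv->{timeout}`, so an access token is accepted for as long as an SSO session would be, not for a shorter token-specific lifetime.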
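Review bot: the dont-display-totp-secret hunk for 2F/Register/TOTP.pm removes the whole `elsif ( $self->conf->{totp2fDisplayExistingSecret} )` branch, so a deployment with that option enabled now falls into the `else` and receives the `totpExistingKey` error instead of its existing secret. That is a behaviour change for a documented configuration key, not just a log cleanup; the changelog bullet should say the option is now ignored, and the Debian/upstream documentation for `totp2fDisplayExistingSecret` should be updated accordingly.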
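Review bot: in the fix-trusted-domain-regex hunk for Portal/Main/Run.pm (`@@ -885,14 +885,14 @@`), the first substitution `$url =~ s#^(https?://[^/]+).*#$1#;` on `$req->urldc` is not checked, so if the value does not match (no scheme, or a different scheme) the unmodified string is still appended to `$csp` as a form-action source; the second block already guards the same substitution with `if ( $url =~ s#^(https?://[^/]+).*#$1# )`, so mirror that guard for the urldc case.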
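Review bot: in the fix-trusted-domain-wildcard hunk for Portal/Main/Process.pm, the new `if ( $value =~ m/#/ )` branch returns `$self->conf->{checkXSS}` just like the XSS branch above it, so the fragment rejection is silently disabled whenever `checkXSS` is turned off in the configuration; since the patch Description is "Reject hashes in URL", either return a true value unconditionally here or state in the changelog that the check depends on `checkXSS`.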
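Review bot: in the new test t/01-Reject-Hashes-in-URL.t, `Dumper( $res->[2]->[0] )` is called with no `use Data::Dumper` among the visible `use` lines, so the diagnostic path relies on `t/test-lib.pm` exporting it; and `ok( $res->[2]->[0] =~ /37/, 'Rejected with PE_BADURL' )` matches a bare "37" anywhere in the response body, which could also match an unrelated number. Add the import (or confirm test-lib provides it) and anchor the pattern on the error-code field the body actually carries.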
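Review bot: in the fix-xss-on-register-form hunk for Plugins/MailPasswordReset.pm (`@@ -517,13 +523,16 @@`), `params => { %tplPrms, password => $password, },` still spreads `%tplPrms` although the only declaration visible in this file's hunks (`my ( $mailToken, %tplPrms );` in `_reset`) was reduced to `my ($mailToken);` and the `$tplPrms{MAIN_LOGO}` assignment just above was removed. If that code is in `_reset` this fails under `use strict`; if it is in another sub with its own `my %tplPrms;`, the hash is now always empty and the spread should simply be dropped, as was done for `CertificateResetByMail.pm` (`params => {},`).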
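Review bot: across the fix-xss-on-register-form hunks, the templates now use `<TMPL_VAR ... ESCAPE=HTML>`, but the compatibility substitutions kept under the FIXME (for example `$body =~ s/\$(\w+)/$req->data->{registerInfo}->{$1}/ge;` in Plugins/Register.pm and `$body =~ s/\$(\w+)/$req->{sessionInfo}->{$1} || ''/ge;` in Mail2F.pm and MailPasswordReset.pm) still run over the rendered HTML, so any `$word` sequence that survives rendering is replaced with raw, unescaped session or registration data. The FIXME says this should only happen for plaintext mails; doing that now (running the substitutions only in the `mailBody` branch where `$html` is not set) would close the residual hole rather than deferring it.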