Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-perl-maintain...@alioth-lists.debian.net
[ Reason ]
lemonldap-ng before version 2.0.15 has an issue that may keep a session active on a Lemonldap::NG handler if the user has continuous activity on this handler after session expiration or deletion (CVE-2022-37186), if and only if user activity is tracked by handlers (disabled by default).

[ Impact ]
Medium vulnerability

[ Tests ]
Tests passed, no new test backported here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The handler's calls to the session API now have a "nocache" option for writing.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index f6be653a8..c276c65c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium + + * Add patch to improve session destroy propagation (Closes: CVE-2022-37186) + + -- Yadd <y...@debian.org> Sun, 11 Sep 2022 09:28:30 +0200 + lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) diff --git a/debian/patches/CVE-2022-37186.patch b/debian/patches/CVE-2022-37186.patch new file mode 100644 index 000000000..12e80c4d7 --- /dev/null +++ b/debian/patches/CVE-2022-37186.patch @@ -0,0 +1,31 @@ +Description: Improve session destroy propagation +Author: Yadd <y...@debian.org> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b3 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-09-11 + +--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm ++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm +@@ -56,7 +56,7 @@ + + # Get session from cache + my $id = $session->{data}->{_session_id}; +- if ( $self->cache->get($id) ) { ++ if ( !$self->{args}->{noCache} and $self->cache->get($id) ) { + $session->{serialized} = $self->cache->get($id); + return; + } +--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm ++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm +@@ -213,7 +213,8 @@ + return 0; + } + +- my $data = $self->_tie_session($tieOptions); ++ my $data = $self->_tie_session( ++ { ( $tieOptions ? %$tieOptions : () ), noCache => 1 } ); + + if ($data) { + foreach ( keys %$infos ) { diff --git a/debian/patches/series b/debian/patches/series index 644277be7..9d8952af0 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -9,3 +9,4 @@ fix-trusted-domain-regex.patch fix-xss-on-register-form.patch dont-display-totp-secret.patch CVE-2021-40874.patch +CVE-2022-37186.patch
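Review bot: in the debian/changelog hunk, `(Closes: CVE-2022-37186)` does not close anything in the BTS: dpkg-genchanges only recognises `Closes: #NNNNNN` bug numbers, so the CVE string is treated as free text. This matches the style of the previous `deb11u1` entry, but the conventional form is `(CVE-2022-37186)` without `Closes:`, with any Debian bug number given separately as `Closes: #NNNNNN`.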
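Review bot: in the Store.pm hunk (`@@ -56,7 +56,7 @@`), the local cache is still queried twice on a hit, once in the new condition and once to fill `$session->{serialized}`; since the condition line is being changed anyway, a single fetch into a lexical would be cleaner, e.g. `my $cached = $self->{args}->{noCache} ? undef : $self->cache->get($id);` followed by `if ($cached) { $session->{serialized} = $cached; return; }`. The `# Get session from cache` comment above the change should also mention that `noCache` bypasses the local cache entirely, since that bypass is the whole point of the fix.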
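Review bot: in the Session.pm hunk (`@@ -213,7 +213,8 @@`), `%$tieOptions` dereferences `$tieOptions` as a hash guarded only by truthiness, so a true non-hashref value would die at runtime; `( ref $tieOptions eq 'HASH' ? %$tieOptions : () )` is the safer guard. Note also that the option is spelled `noCache` here and read as `$self->{args}->{noCache}` in Store.pm, while the request text calls it "nocache"; the text should use the same spelling, and it is worth confirming that the options passed to `_tie_session` do land in the store object's `args` hash, since that wiring is outside this diff.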