Hi Yadd,

On Fri, Sep 29, 2023 at 05:37:25PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
> Control: affects -1 + src:lemonldap-ng
>
> [ Reason ]
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
> - an open redirection, only when configuration is edited by hand and
>   doesn't follow OIDC specifications
> - a server-side request forgery (CVE-2023-44469) in the OIDC protocol:
>   A little-known feature of OIDC allows the OpenID Provider to fetch the
>   Authorization request parameters itself by indicating a request_uri
>   parameter. This feature is now restricted to a white list using this
>   patch
>
> [ Impact ]
> One low and one medium security issue.
>
> [ Tests ]
> Patches include test updates
>
> [ Risks ]
> Outside of test changes, patches are not so big and the test coverage
> provided by upstream is good, so risk is moderate.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> - open redirection patch: just rejects requests with `redirect_uri` if
>   relying party configuration has no declared redirect URIs.
> - SSRF patch:
>   * add new configuration parameter to list authorized "request_uris"
>   * change the algorithm that manages the request_uri parameter
>
> Cheers,
> Xavier
> diff --git a/debian/NEWS b/debian/NEWS
> index b8955920b..5295a3cbb 100644
> --- a/debian/NEWS
> +++ b/debian/NEWS
> @@ -1,3 +1,13 @@
> +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
                                    ^^^^^^^^

bookworm? (but that said I guess that can be considered minor if time is
tight to get the upload in, but as well disclaimer, not part of the
release team)

Regards,
Salvatore
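Review bot: in the debian/NEWS hunk the distribution field reads `bullseye`, while the version `2.16.1+ds-deb12u2` and the request's `Tags: bookworm` both point at bookworm; the line should read `lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium` so the NEWS entry is attributed to the release the upload actually targets.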
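The two checks described in the [ Changes ] section above, as an added illustration in Python (this is not LemonLDAP::NG's own code; the RelyingParty fields, the function names and the allowlist setting are assumptions, and the exact-match rule applied when an RP does declare redirect URIs is the standard OIDC requirement rather than something the request spells out):

```python
# Added example, not LemonLDAP::NG code: how an OpenID Provider can gate the
# redirect_uri and request_uri parameters before acting on them.
from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    """Constructed per-RP configuration (field names are assumptions)."""
    client_id: str
    redirect_uris: list = field(default_factory=list)          # declared redirect URIs
    allowed_request_uris: list = field(default_factory=list)   # request_uri allowlist


def check_redirect_uri(rp, params):
    """Open-redirection fix: reject any redirect_uri when the RP declares no
    redirect URIs; when it does, require an exact match (standard OIDC rule)."""
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        return True, "no redirect_uri supplied"
    if not rp.redirect_uris:
        return False, "redirect_uri given but RP declares no redirect URIs"
    if redirect_uri not in rp.redirect_uris:
        return False, "redirect_uri not registered for this RP"
    return True, "redirect_uri registered"


def check_request_uri(rp, params):
    """SSRF fix: the OP only fetches a request_uri that is on the RP's
    allowlist; an empty allowlist disables the feature for that RP."""
    request_uri = params.get("request_uri")
    if request_uri is None:
        return True, "no request_uri supplied"
    if not rp.allowed_request_uris:
        return False, "request_uri feature not enabled for this RP"
    if request_uri not in rp.allowed_request_uris:
        return False, "request_uri not on the allowlist"
    return True, "request_uri allowlisted; safe to fetch"


def may_process(rp, params):
    """Run both checks on an authorization request; returns (ok, reasons)."""
    ok_redirect, why_redirect = check_redirect_uri(rp, params)
    ok_request, why_request = check_request_uri(rp, params)
    return ok_redirect and ok_request, [why_redirect, why_request]


if __name__ == "__main__":
    # Constructed RP with one registered callback and one allowed request_uri.
    rp = RelyingParty("demo", ["https://rp.example/cb"], ["https://rp.example/req.jwt"])
    print(may_process(rp, {"redirect_uri": "https://rp.example/cb",
                           "request_uri": "https://rp.example/req.jwt"}))
    print(may_process(rp, {"request_uri": "https://other.example/req.jwt"}))
```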