Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:37 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
> - an open redirection only when configuration is edited by hand and
>   doesn't follow OIDC specifications
> - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>   A little-known feature of OIDC allows the OpenID Provider to fetch the
>   Authorization request parameters itself by indicating a request_uri
>   parameter. This feature is now restricted to a white list using this
>   patch
>
> --- a/debian/NEWS
> +++ b/debian/NEWS
> @@ -1,3 +1,13 @@
> +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium

As Salvatore pointed out, the suite is wrong in the header.

> +
> +  A little-know feature of OIDC allows the OpenID Provider to fetch the

s/little-know/&n/

Please go ahead.

Regards,

Adam
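Review bot: The header line `+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium` pairs a deb12 (bookworm) version suffix with the bullseye suite, so the distribution field should read bookworm to match the stable update it describes; in the same hunk, `+  A little-know feature of OIDC` should read `little-known`, as the `s/little-know/&n/` reply already requests.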