Hi,

the source files for the 9.0 version that fixes the issue can be found here:

https://www.ldap-account-manager.org/static/debian-packages/

Since this vulnerability is moderate and depends on a misconfiguration of Apache or a different application, I do not intend to provide a patch version for Stable. In addition, the fix was done by replacing the config file format (TXT to JSON), which is not a small topic to backport.

If needed, 9.0 can be used as a fix for Stable; it is compatible with this release, too. 9.0 can still read the old 8.x file format, but changes are stored in the new format.

Best regards
Roland


On 20.12.24 at 22:37, Salvatore Bonaccorso wrote:
Source: ldap-account-manager
Version: 8.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-52792[0]:
| LDAP Account Manager (LAM) is a php webfrontend for managing entries
| (e.g. users, groups, DHCP settings) stored in an LDAP directory. In
| affected versions LAM does not properly sanitize configuration
| values, that are set via `mainmanage.php` and `confmain.php`. This
| allows setting arbitrary config values and thus effectively
| bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv.
| Configuration values for the main config or server profiles are set
| via `mainmanage.php` and `confmain.php`. The values are written to
| `config.cfg` or `serverprofile.conf` in the format of `settingsName:
| settingsValue` line-by-line. An attacker can smuggle arbitrary
| config values in a config file, by inserting a newline into certain
| config fields, followed by the value. This vulnerability has been
| addressed in version 9.0. All users are advised to upgrade. There
| are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52792
     https://www.cve.org/CVERecord?id=CVE-2024-52792
[1] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
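
The injection the advisory describes, and the two ways of closing it that the thread mentions (rejecting line breaks in the line-based writer, or moving to a structured format as 9.0 did), as an added example in Python. This is not LAM's code and does not use its settings; the setting names `allowedHosts` and `adminName`, the attacker payload and the file contents are constructed for illustration.

```python
"""Newline smuggling into a 'name: value' config file, and two fixes.

Added example, not LAM's own code. The setting names ('allowedHosts',
'adminName') and the attacker payload are constructed for illustration.
"""
import json


def write_config_legacy(settings: dict[str, str]) -> str:
    """Vulnerable writer: emits one 'name: value' line per setting with no
    validation of the value, the pattern the advisory describes for
    config.cfg / serverprofile.conf."""
    return "".join(f"{name}: {value}\n" for name, value in settings.items())


def parse_config_legacy(text: str) -> dict[str, str]:
    """Reader for the line-based format. Each line is split at the first ':';
    a repeated name overwrites the earlier value, which is what makes a
    smuggled second line effective."""
    parsed: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        parsed[name.strip()] = value.strip()
    return parsed


def smuggle_demo() -> dict[str, str]:
    """Attacker controls only 'adminName' but appends a line break plus a
    second 'name: value' pair, overriding 'allowedHosts' (hypothetical names).
    Returns what the reader sees after the round trip."""
    payload = "admin\nallowedHosts: attacker.example"  # constructed payload
    legit = {"allowedHosts": "intranet.example", "adminName": payload}
    return parse_config_legacy(write_config_legacy(legit))


def write_config_legacy_hardened(settings: dict[str, str]) -> str:
    """Fix 1 (minimal, backport-style): refuse any name or value carrying a
    line break, and any name carrying the separator, before writing."""
    for name, value in settings.items():
        if any(ch in "\r\n" for ch in name + value) or ":" in name:
            raise ValueError(f"setting {name!r}: line break or separator not allowed")
    return write_config_legacy(settings)


def write_config_json(settings: dict[str, str]) -> str:
    """Fix 2 (the route the reply says 9.0 took): a structured format whose
    encoder escapes control characters, so a newline inside a value stays
    inside that value and cannot start a new key."""
    return json.dumps(settings, indent=2)


def load_config(text: str) -> dict[str, str]:
    """Reader accepting both formats, mirroring the migration path in the
    reply (9.0 still reads the 8.x text format but writes JSON). JSON is
    detected by a leading '{'; anything else is treated as legacy text."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    return parse_config_legacy(text)


if __name__ == "__main__":
    print("legacy writer, smuggled override:", smuggle_demo())
    try:
        write_config_legacy_hardened({"adminName": "x\ny: z"})
    except ValueError as exc:
        print("hardened writer rejected:", exc)
    again = load_config(write_config_json({"adminName": "admin\nallowedHosts: attacker.example"}))
    print("json keeps the newline inside the value:", again)
```

The hardened line-based writer is the smaller change and is what a distribution backport would look like; the JSON route removes the whole class of separator ambiguity but, as the reply notes, changes the on-disk format, so the reader has to keep accepting the old one during migration.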
