[SECURITY] [DLA 3612-1] lemonldap-ng security update

2023-10-0816:51:28

lists.debian.org

server-side-request-forgery

cve-2023-44469

open redirection

lemonldap-ng

debian lts advisory

debian 10 buster

security update

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.6%

JSON

Debian LTS Advisory DLA-3612-1 [email protected]
https://www.debian.org/lts/security/ Yadd
October 08, 2023 https://wiki.debian.org/LTS

Package : lemonldap-ng
Version : 2.0.2+ds-7+deb10u10
CVE ID : CVE-2023-44469

Two vulnerabilities were discovered in lemonldap-ng:

an open redirection when OpenID-Connect configuration isn't generated by
the manager and if OIDC RP has no oidcRPMetaDataOptionsRedirectUris
a Server-Side-Request-Forgery in OpenID-Connect (CVE-2023-44469)

For Debian 10 buster, this problem has been fixed in version
2.0.2+ds-7+deb10u10.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11alllemonldap-ng-fastcgi-server< 2.0.11+ds-4+deb11u5lemonldap-ng-fastcgi-server_2.0.11+ds-4+deb11u5_all.deb
Debian10alllemonldap-ng-uwsgi-app< 2.0.2+ds-7+deb10u10lemonldap-ng-uwsgi-app_2.0.2+ds-7+deb10u10_all.deb
Debian11alllemonldap-ng< 2.0.11+ds-4+deb11u5lemonldap-ng_2.0.11+ds-4+deb11u5_all.deb
Debian10allliblemonldap-ng-common-perl< 2.0.2+ds-7+deb10u10liblemonldap-ng-common-perl_2.0.2+ds-7+deb10u10_all.deb
Debian10allliblemonldap-ng-handler-perl< 2.0.2+ds-7+deb10u10liblemonldap-ng-handler-perl_2.0.2+ds-7+deb10u10_all.deb
Debian12allliblemonldap-ng-handler-perl< 2.16.1+ds-deb12u2liblemonldap-ng-handler-perl_2.16.1+ds-deb12u2_all.deb
Debian12alllemonldap-ng< 2.16.1+ds-deb12u2lemonldap-ng_2.16.1+ds-deb12u2_all.deb
Debian10alllemonldap-ng-fastcgi-server< 2.0.2+ds-7+deb10u10lemonldap-ng-fastcgi-server_2.0.2+ds-7+deb10u10_all.deb
Debian11allliblemonldap-ng-portal-perl< 2.0.11+ds-4+deb11u5liblemonldap-ng-portal-perl_2.0.11+ds-4+deb11u5_all.deb
Debian12alllemonldap-ng-fastcgi-server< 2.16.1+ds-deb12u2lemonldap-ng-fastcgi-server_2.16.1+ds-deb12u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	lemonldap-ng-fastcgi-server	< 2.0.11+ds-4+deb11u5	lemonldap-ng-fastcgi-server_2.0.11+ds-4+deb11u5_all.deb
Debian	10	all	lemonldap-ng-uwsgi-app	< 2.0.2+ds-7+deb10u10	lemonldap-ng-uwsgi-app_2.0.2+ds-7+deb10u10_all.deb
Debian	11	all	lemonldap-ng	< 2.0.11+ds-4+deb11u5	lemonldap-ng_2.0.11+ds-4+deb11u5_all.deb
Debian	10	all	liblemonldap-ng-common-perl	< 2.0.2+ds-7+deb10u10	liblemonldap-ng-common-perl_2.0.2+ds-7+deb10u10_all.deb
Debian	10	all	liblemonldap-ng-handler-perl	< 2.0.2+ds-7+deb10u10	liblemonldap-ng-handler-perl_2.0.2+ds-7+deb10u10_all.deb
Debian	12	all	liblemonldap-ng-handler-perl	< 2.16.1+ds-deb12u2	liblemonldap-ng-handler-perl_2.16.1+ds-deb12u2_all.deb
Debian	12	all	lemonldap-ng	< 2.16.1+ds-deb12u2	lemonldap-ng_2.16.1+ds-deb12u2_all.deb
Debian	10	all	lemonldap-ng-fastcgi-server	< 2.0.2+ds-7+deb10u10	lemonldap-ng-fastcgi-server_2.0.2+ds-7+deb10u10_all.deb
Debian	11	all	liblemonldap-ng-portal-perl	< 2.0.11+ds-4+deb11u5	liblemonldap-ng-portal-perl_2.0.11+ds-4+deb11u5_all.deb
Debian	12	all	lemonldap-ng-fastcgi-server	< 2.16.1+ds-deb12u2	lemonldap-ng-fastcgi-server_2.16.1+ds-deb12u2_all.deb