[Pkg-freeipa-devel] Bug#1060415: Bug#1060415: freeipa: CVE-2023-5455

Salvatore Bonaccorso carnil at debian.org
Thu Jan 11 08:35:17 GMT 2024


Hi,

On Thu, Jan 11, 2024 at 10:02:45AM +0200, Timo Aaltonen wrote:
> Salvatore Bonaccorso wrote on 10.1.2024 at 23.14:
> > Source: freeipa
> > Version: 4.10.2-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > Control: found -1 4.9.11-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for freeipa.
> > 
> > CVE-2023-5455[0]:
> > | A Cross-site request forgery vulnerability exists in
> > | ipa/session/login_password in all supported versions of IPA. This
> > | flaw allows an attacker to trick the user into submitting a request
> > | that could perform actions as the user, resulting in a loss of
> > | confidentiality and system integrity. During community penetration
> > | testing it was found that for certain HTTP end-points FreeIPA does
> > | not ensure CSRF protection. Due to implementation details one cannot
> > | use this flaw for reflection of a cookie representing already
> > | logged-in user. An attacker would always have to go through a new
> > | authentication attempt.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-5455
> >      https://www.cve.org/CVERecord?id=CVE-2023-5455
> > [1] https://www.freeipa.org/release-notes/4-10-3.html#highlights-in-4-10-3
> >      https://pagure.io/freeipa/c/363fd5de98e883800ac08b2760e8c3150783e7e2
> > [2] https://www.freeipa.org/release-notes/4-9-14.html#highlights-in-4-9-14
> >      https://pagure.io/freeipa/c/9b1a65fe3936c4d3fe237775e54f0249b740f23e
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Regards,
> > Salvatore
> 
> Hi,
> 
> This affects the server only, which we only have in experimental every now
> and then.

Ah right, the server binary packages are built only starting with
4.10.2-2+exp1. So while the source is present, it has no impact on the
built binary packages (apart from experimental).

Will mark it unimportant then in the security-tracker.

Regards,
Salvatore
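As an added illustration, and not FreeIPA's own code nor the upstream fix linked in the report, here is a request filter of the kind that closes a login-CSRF gap on a browser-facing endpoint: a cross-site form post arrives with a foreign or missing Origin/Referer header, so a POST to the login path is only accepted when one of those headers names the server's own host. The host name, the header-based check and the choice to guard only the login path are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed values for the example (assumptions, not FreeIPA configuration).
IPA_HOST = "ipa.example.test"
LOGIN_PATH = "/ipa/session/login_password"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def same_origin(header_value, expected_host):
    """True if an Origin/Referer value names expected_host over https.

    An absent header, a bare "null" origin or an http:// scheme all fail.
    """
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return parts.scheme == "https" and parts.hostname == expected_host


def csrf_check(method, path, headers, expected_host=IPA_HOST):
    """Decide whether a request to the login endpoint may proceed.

    Returns (allowed, reason). Requests that do not target the login path,
    and safe methods, are passed through untouched; a POST to the login
    path must carry an Origin or Referer header that matches our host.
    """
    if path != LOGIN_PATH or method.upper() in SAFE_METHODS:
        return True, "not a state-changing login request"
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        # Browsers send Origin on cross-site POSTs; trust it over Referer.
        if same_origin(origin, expected_host):
            return True, "Origin matches the IPA host"
        return False, "Origin %r is not the IPA host" % origin
    referer = lowered.get("referer")
    if referer is not None:
        if same_origin(referer, expected_host):
            return True, "Referer matches the IPA host"
        return False, "Referer %r is not the IPA host" % referer
    # Neither header present: a same-origin browser form would have sent one.
    return False, "no Origin or Referer on a POST to the login endpoint"
```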
