Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Guilhem Moulin
guilhem at debian.org
Wed May 22 12:47:04 BST 2019
On Wed, 22 May 2019 at 07:34:06 +0200, Xavier wrote:
> It seems that Clément has fixed something related to that feature.
> Could you try https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 ?

That solves the issue indeed, thanks for the pointer! I ended up
amending the patch as attached though:

 * Not setting the ‘Access-Control-Allow-Origin: *’ header is upstream
   issue #1519, fixed in e6c034a38aa0e7dadcf0ce87809193b327fbc0e5.

 * The second to last hunk from deff50f072c64898d1204daa28c01fdcc7275ea4
   (-2134,8 +2137,10) doesn't apply, and as it's only cosmetic
   (whitespace change) I just skipped it.

Cheers,
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: llng.diff
Type: text/x-diff
Size: 2160 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20190522/c758ba73/attachment.diff>