Bug#934345: buster-pu: package gosa/2.7.4+reloaded3-8+deb10u1

Mike Gabriel sunweaver at debian.org
Sat Aug 10 03:09:33 BST 2019 

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

I'd just uploaded a fix for gosa targetting the first buster point release:

+  * debian/changelog:
+    + post-upload fix of patch-1045 explanation...

Cosmetic fixes for the 2.7.4+reloaded3-8 (previous) changelog stanza.

+  * debian/patches:
+    + Add 1046_CVE-2019-11187_stricter-ldap-error-check.patch.
+      Perform stricter check on LDAP success/failure (CVE-2019-11187).

Considered severe issue by FusionDirectory upstream, assessment by the
security team says: no-dsa issue. In theory, the flaw that got fixed could
let someone into the FusionDirectory WebUI with a wrong password.

Greets,
Mike

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog	2019-04-19 15:24:14.000000000 +0200
+++ gosa-2.7.4+reloaded3/debian/changelog	2019-08-10 04:04:23.000000000 +0200
@@ -1,3 +1,13 @@
+gosa (2.7.4+reloaded3-8+deb10u1) buster; urgency=medium
+
+  * debian/changelog:
+    + post-upload fix of patch-1045 explanation...
+  * debian/patches:
+    + Add 1046_CVE-2019-11187_stricter-ldap-error-check.patch.
+      Perform stricter check on LDAP success/failure (CVE-2019-11187).
+
+ -- Mike Gabriel <sunweaver at debian.org>  Sat, 10 Aug 2019 04:04:23 +0200
+
 gosa (2.7.4+reloaded3-8) unstable; urgency=medium
 
   * debian/patches:
@@ -14,8 +24,8 @@
     + Update 1026_fix-deprecated-constructor-format.patch. Drop an
       unwanted find+replace artefact in class_userFilter.
     + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
-      $_SESSION. The filter caching mechanism stores PHP object in ; since
-      php7.0 this has lead to all sorts of unexpected results and flawed
+      $_SESSION. The filter caching mechanism stores PHP object in $_SESSON;
+      since php7.0 this has lead to all sorts of unexpected results and flawed
       rendering of class_management based listings. (Closes: #907815).
   * debian/control:
     + Bump Standards-Version: to 4.3.0. No changes needed.
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1046_CVE-2019-11187_stricter-ldap-error-check.patch gosa-2.7.4+reloaded3/debian/patches/1046_CVE-2019-11187_stricter-ldap-error-check.patch
--- gosa-2.7.4+reloaded3/debian/patches/1046_CVE-2019-11187_stricter-ldap-error-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1046_CVE-2019-11187_stricter-ldap-error-check.patch	2019-08-10 04:04:05.000000000 +0200
@@ -0,0 +1,29 @@
+From f2fd17d4ddead5d3b61ddebf5fd21e043bda30be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come at opensides.be>
+Date: Mon, 29 Jul 2019 09:32:22 +0000
+Subject: [PATCH] Merge branch 'stricter-ldap-error-check' into '1.4-dev'
+
+:ambulance: fix(ldap) Use a stricter error check in ldap::success()
+
+See merge request fusiondirectory/fd!648
+
+(cherry picked from commit 29ca9876df28e45bb8f4f8960f3760c336936dfc)
+
+[sunweaver (Debian)] Ported over from FD to GOsa².
+
+23936352 :ambulance: fix(ldap) Use a stricter error check in ldap::success()
+---
+ core/include/class_ldap.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/gosa-core/include/class_ldap.inc
++++ b/gosa-core/include/class_ldap.inc
+@@ -931,7 +931,7 @@
+ 
+     function success()
+     {
+-        return (preg_match('/Success/i', $this->error));
++        return (trim($this->error) === 'Success');
+     }
+ 
+ 
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series	2019-04-19 15:22:28.000000000 +0200
+++ gosa-2.7.4+reloaded3/debian/patches/series	2019-08-10 04:04:05.000000000 +0200
@@ -63,3 +63,4 @@
 1043_smarty-add-on-function-param-types.patch
 1044_crypto-transition-without-mcrypt.patch
 1045_dont_use_filter_caching.patch
+1046_CVE-2019-11187_stricter-ldap-error-check.patch

More information about the Debian-edu-pkg-team mailing list