Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Guilhem Moulin
guilhem at debian.org
Tue May 21 20:40:35 BST 2019
Hi Xavier,
# Load session data into object
if ($data) {
+ if ( $self->kind ) {
+ unless ( $data->{_session_kind} eq $self->kind ) {
+ $self->error("Session kind mistmatch");
+ return undef;
+ }
+ }
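Review bot: the new `eq` check rejects any session whose `_session_kind` differs from `$self->kind` (or is missing), including sessions stored before this field was written and sessions the caller legitimately loads under another kind, as the CDA-versus-SSO failure described below shows. Suggest enforcing the comparison only when `$data->{_session_kind}` is defined and when the caller has explicitly requested a kind, or letting the caller pass the set of acceptable kinds, so that pre-upgrade sessions and cross-domain flows are not denied; under `use warnings` the undefined case also triggers an "uninitialized value" warning. Minor: the error string `"Session kind mistmatch"` has a typo and should read `"Session kind mismatch"`.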
Doesn't that break CDA in 1.9.7-3+deb9u1? At least I'm no longer able
to access a protected application under domains other than the portal.
Error output shows occurrences of “Session kind mistmatch” instead, and
further debugging suggests that $data->{_session_kind} is "CDA" while
$self->kind is "SSO" in the execution flow that yields access denial.
--
Guilhem.