Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Xavier
yadd at debian.org
Wed May 22 06:34:06 BST 2019
On 21 May 2019 21:40:35 GMT+02:00, Guilhem Moulin <guilhem at debian.org> wrote:
>Hi Xavier,
>
> # Load session data into object
> if ($data) {
>+ if ( $self->kind ) {
>+ unless ( $data->{_session_kind} eq $self->kind ) {
>+ $self->error("Session kind mistmatch");
>+ return undef;
>+ }
>+ }
>
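Review bot: the comparison `$data->{_session_kind} eq $self->kind` in this hunk emits a "Use of uninitialized value" warning and falls into the error branch for any record that has no `_session_kind` key at all, so sessions written before that field existed are rejected with a misleading message; if rejecting them is the intended fail-closed behaviour, make it explicit with `unless ( defined $data->{_session_kind} && $data->{_session_kind} eq $self->kind )` and say so in the error text. The check is also unconditional on whatever kind the caller constructed the object with, so any code path that opens a record of a different kind through an object of kind SSO is now refused. While touching the error string, fix the typo: "Session kind mistmatch" should read "Session kind mismatch".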
>Doesn't that break CDA in 1.9.7-3+deb9u1? At least I'm no longer able
>to access a protected application under domains other than the portal.
>
>Error output shows occurrences of “Session kind mistmatch” instead, and
>further debugging suggests that $data->{_session_kind} is "CDA" while
>$self->kind is "SSO" in the execution flow that yields access denial.
Hello,
It seems that Clément has fixed something related to that feature. Could you try https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 ?
If it's OK, I'll propose a stretch update.
--
Sent with my EELO / K-9 Mail
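The failure mode behind the bug title (a token record that lives in the same session DB being accepted as a user session) and the effect of a kind check like the one in the patch, as an added, self-contained illustration that is not LemonLDAP::NG code. The store, the record layout (`_session_kind`, `uid`, `step`) and the two loader functions are assumptions made for this example; the only thing taken from the page is that SSO sessions and tokens share one backend and that a record's kind is compared to the kind the loader expects.

```perl
#!/usr/bin/perl
# Constructed illustration (not LemonLDAP::NG code): a shared session
# backend holding both SSO sessions and short-lived tokens, and a loader
# that enforces a session-kind check similar to the one in the patch.
use strict;
use warnings;

# Hypothetical in-memory "session DB"; a real deployment uses a persistent
# backend. Every record, whatever its kind, is keyed by id in the same store.
my %store = (
    'a1b2' => { _session_kind => 'SSO',   _utime => time, uid  => 'alice' },
    'c3d4' => { _session_kind => 'Token', _utime => time, step => 'captcha' },
    # Record written before the kind field existed (assumed legacy layout).
    'e5f6' => { _utime => time - 3600, uid => 'bob' },
);

# Unchecked lookup: whatever sits under the id is treated as a session.
# Presenting a token id as a session cookie yields a record with no uid,
# i.e. an anonymous session.
sub load_unchecked {
    my ($id) = @_;
    return $store{$id};
}

# Checked lookup: a record is only usable as the kind the caller asked for.
# A missing kind is treated as a mismatch (fail closed) instead of letting
# Perl compare undef with 'eq' and warn.
sub load_checked {
    my ( $id, $kind ) = @_;
    my $data = $store{$id} or return ( undef, 'Session not found' );
    my $have = $data->{_session_kind};
    unless ( defined $have && $have eq $kind ) {
        return ( undef,
            sprintf 'Session kind mismatch (expected %s, got %s)',
            $kind, defined $have ? $have : 'none' );
    }
    return ( $data, undef );
}

# Token id presented where an SSO session id is expected.
my $s = load_unchecked('c3d4');
print "unchecked c3d4: ",
    ( $s ? 'accepted, uid=' . ( $s->{uid} // 'ANONYMOUS' ) : 'rejected' ), "\n";

# Same three ids through the checked loader, asking for kind SSO.
for my $id (qw(a1b2 c3d4 e5f6)) {
    my ( $ok, $err ) = load_checked( $id, 'SSO' );
    print "checked $id: ",
        ( $ok ? "accepted, uid=$ok->{uid}" : "rejected: $err" ), "\n";
}
```

Run with `perl` 5.10 or later (the `//` operator). The unchecked call accepts the token record and reports an anonymous user; the checked loader accepts only `a1b2`, rejects `c3d4` as a kind mismatch, and rejects `e5f6` because its kind is absent, which is the case the patch's bare `eq` comparison handles only by warning.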