
Debian 10 Buster DLA-3287-1 Critical: Lemonldap-NG Info Leak Risk

debian lts
January 28, 2023
Two vulnerabilities were found in lemonldap-ng, an OpenID-Connect, CAS and SAML compatible Web-SSO system, that could result in information disclosure or impersonation.

Summary

Maxime Besson discovered that LemonLDAP::NG before 2.0.9 did not
check validity of the X.509 certificate by default when connecting
to remote LDAP backends, because the default configuration of the
Net::LDAPS module for Perl is used.

This update changes the default behavior to require X.509 validation
against the distribution bundle /etc/ssl/certs/ca-certificates.crt.
Previous behavior can be reverted by running
`/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none`.
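As an added illustration, not part of the advisory or of LemonLDAP::NG's own code, the Perl below shows the Net::LDAPS call that the two ldapVerify settings correspond to. The host name and port are assumptions; the CA bundle path is the one named above.

```perl
#!/usr/bin/perl
# Added example: how the Net::LDAPS 'verify' option decides whether the
# remote LDAP backend's X.509 certificate is checked. The host name and
# port are placeholders.
use strict;
use warnings;
use Net::LDAPS;

my $host = 'ldap.example.invalid';   # placeholder LDAPS backend

# Weak setting, equivalent to `ldapVerify none`: the server certificate is
# accepted without validation. On the affected versions this is also what
# omitting the option gave, because the Net::LDAPS default was used.
# Any host on the network path can present its own certificate and read the
# bind credentials and directory traffic.
my $ldap_unverified = Net::LDAPS->new($host, port => 636, verify => 'none')
    or die "connect failed: $@";
$ldap_unverified->unbind;

# Hardened setting, matching the updated default: the certificate must be
# valid and chain to the distribution CA bundle, otherwise the connection
# is refused before any bind is attempted.
my $ldap_verified = Net::LDAPS->new(
    $host,
    port   => 636,
    verify => 'require',
    cafile => '/etc/ssl/certs/ca-certificates.crt',
) or die "TLS verification failed or connection refused: $@";

# Show which certificate the verified session actually negotiated.
my $sock = $ldap_verified->socket;   # the underlying IO::Socket::SSL object
printf "peer certificate subject: %s\n", $sock->peer_certificate('subject');
$ldap_verified->unbind;
```

With `verify => 'require'`, a backend presenting a self-signed or mismatched certificate makes the constructor fail, which is the behavior the update introduces and the `ldapVerify none` command removes.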

If a session backend is set to Apache::Session::LDAP or
Apache::Session::Browseable::LDAP, then the complete fix involves
upgrading the corresponding Apache::Session module
(libapache-session-ldap-perl resp. libapache-session-browseable-perl)
to 0.4-1+deb10u1 (or ≥0.5) resp. 1.3.0-1+deb10u1 (or ≥1.3.8). See
related advisories DLA-3284-1 and DLA-3285-1 for details.

CVE-2022-37186

Mickael Bride discovered that under certain conditions the session



Severity: critical

-------------------------------------------------------------------------
Package: lemonldap-ng
Version: 2.0.2+ds-7+deb10u8
CVE ID: CVE-2020-16093 CVE-2022-37186
