Your message dated Sun, 05 Jul 2009 12:02:07 +0000
with message-id <[email protected]>
and subject line Bug#512009: fixed in lemonldap-ng 0.9.4-1
has caused the Debian Bug report #512009,
regarding liblemonldap-ng-portal-perl: XSS vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
512009: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512009
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liblemonldap-ng-portal-perl
Version: 0.9.2-1.1
Severity: normal
Tags: patch,security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
LEMONLDAP::NG portal is vulnerable to an XSS attack. Here is the patch.
Note that version 0.9.3.2 (included in the unstable branch) is not vulnerable.
- -- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (800, 'testing'), (800, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages liblemonldap-ng-portal-perl depends on:
ii libapache-session-perl 1.86-1 Perl modules for keeping persisten
ii libhtml-template-perl 2.9-1 HTML::Template : A module for usin
ii liblemonldap-ng-conf-perl 0.9.2-1.1 Lemonldap::NG apache administratio
ii libnet-ldap-perl 1:0.36-1 A Client interface to LDAP servers
liblemonldap-ng-portal-perl recommends no packages.
Versions of packages liblemonldap-ng-portal-perl suggests:
ii libcgi-session-perl 4.35-1 Persistent session data in CGI app
ii liblasso-perl 2.2.1-2 Library for Liberty Alliance and S
ii slapd 2.4.11-1 OpenLDAP server (slapd)
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklwWlMACgkQZ9okSKmj7dV2FQCfaTzgNHMywl8h2sk/UD1825y8
w5sAni5ddY0cUPDzFfNnUFHGfMp9/wSl
=R3In
-----END PGP SIGNATURE-----
diff -aburN lemonldap-ng-0.9.2/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm lemonldap-ng-0.9.2-patched/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm
--- lemonldap-ng-0.9.2/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm 2008-06-06 14:26:33.000000000 +0200
+++ lemonldap-ng-0.9.2-patched/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_i18n.pm 2009-01-08 16:42:32.000000000 +0100
@@ -51,6 +51,7 @@
# * PE_PP_ACCOUNT_LOCKED 21
# * PE_PP_PASSWORD_EXPIRED 22
# * PE_CERTIFICATEREQUIRED 23
+# * PE_ERROR 24
# Not used in errors:
# * PE_DONE -1
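Review bot: this hunk only adds `PE_ERROR 24` to the comment listing the error codes; no hunk in the patch defines or exports the `PE_ERROR` constant itself, yet the Simple.pm hunk does `return PE_ERROR` from controlUrlOrigin. Unless the constant already exists in 0.9.2, add a `PE_ERROR => 24` definition next to `PE_CERTIFICATEREQUIRED => 23` and put it in the export list, otherwise under `use strict` the bareword is rejected at compile time. Please confirm which it is.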
@@ -82,6 +83,7 @@
"Votre compte est bloqué",
"Votre mot de passe a expiré",
"Certificat exigé",
+ "Erreur",
];
}
@@ -111,6 +113,7 @@
"Your account is locked",
"Your password has expired",
"Certificate required",
+ 'Error',
];
}
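Review bot: the new entry uses single quotes ('Error') while every other string in this array, and in the French array above, uses double quotes; the same applies to 'Eroare' in the Romanian hunk. Harmless, but keep the quoting consistent. More importantly, these arrays are indexed by error code, so the new string has to land at position 24 in all three arrays, directly after the "Certificate required" entry; the three hunks do that, but a comment at the PE_ERROR definition saying that every language array must be extended in step would stop the next code from being added in one list only, which silently yields an empty message.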
@@ -140,5 +143,6 @@
"Contul dvs. este blocat",
"Parola dvs. a expirat",
"Certificat cerut",
+ 'Eroare',
];
}
diff -aburN lemonldap-ng-0.9.2/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm lemonldap-ng-0.9.2-patched/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
--- lemonldap-ng-0.9.2/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm 2008-06-13 16:38:03.000000000 +0200
+++ lemonldap-ng-0.9.2-patched/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm 2009-01-08 16:42:55.000000000 +0100
@@ -198,7 +198,25 @@
sub controlUrlOrigin {
my $self = shift;
if ( $self->param('url') ) {
+
+ # REJECT NON BASE64 URL
+ if ( $self->param('url') =~ m#[^A-Za-z0-9\+/=]# ) {
+ print STDERR "WARNING : seams to have an XSS attack\n";
+ return PE_ERROR;
+ }
+
$self->{urldc} = decode_base64( $self->param('url') );
+ $self->{urldc} =~ s/[\r\n]//sg;
+
+ # REJECT [\0<'"`] in URL or encoded '%'
+ if (
+ $self->{urldc} =~ /(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/
+ )
+ {
+ delete $self->{urldc};
+ print STDERR "WARNING : seams to have an XSS attack\n";
+ return PE_ERROR;
+ }
}
PE_OK;
}
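Review bot: the %-encoded part of the second check is inconsistent with the raw character list and is case-sensitive. The raw alternatives reject NUL, <, ', " and the backtick, but `\%(?:00|25|3C|22|27|2C)` covers %2C (a comma) instead of %60 (the backtick), neither form rejects >, and without /i a lowercase `%3c` or `%3e` is not matched at all. Rather than growing a blacklist, make controlUrlOrigin do what its name says: after decode_base64, parse the URL, require an http(s) scheme and compare the host against the portal's configured application hosts, rejecting everything else. If the blacklist stays, add /i and a control-character class (`[\x00-\x1f]`), and reject on CR/LF the way the other cases do instead of `s/[\r\n]//sg` silently repairing the value and continuing. Two smaller points: the first check refuses anything outside the base64 alphabet, so callers must URL-encode the parameter (an unencoded `+` in a query string is decoded as a space and now fails the check, or accept URL-safe base64 as well); and `seams` in both warnings should read `seems`, ideally routed through the portal's logging rather than a bare print STDERR.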
--- End Message ---
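The character filter from the patch above, re-implemented as an added example that is not part of the original report or of Lemonldap::NG, next to an allowlist-based check on the decoded URL's scheme and host, run over a few constructed inputs. The function names, the allowed-host list and the sample URLs are assumptions made for this demonstration; the script needs the CPAN module URI (liburi-perl on Debian), while MIME::Base64 is core.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: the blacklist from the posted
# controlUrlOrigin patch as a stand-alone function, beside an allowlist
# origin check. Names, allowed hosts and sample URLs are constructed.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use URI;

# Same logic as the posted patch: base64-alphabet check, decode, strip
# CR/LF, then reject a fixed set of raw and %-encoded characters.
# Returns the decoded URL, or undef where the patch returns PE_ERROR.
sub blacklist_filter {
    my ($b64) = @_;
    return undef if $b64 =~ m#[^A-Za-z0-9\+/=]#;
    my $url = decode_base64($b64);
    $url =~ s/[\r\n]//sg;
    return undef if $url =~ /(?:\0|<|'|"|`|\%(?:00|25|3C|22|27|2C))/;
    return $url;
}

# Allowlist alternative (assumed design, not the project's): decode,
# reject every control character instead of repairing the value, parse
# with URI, then require an absolute http(s) URL whose host is one of
# the portal's known application hosts.
my @ALLOWED_HOSTS = qw(app.example.org intranet.example.org);   # assumption

sub allowlist_filter {
    my ($b64) = @_;
    return undef if $b64 =~ m#[^A-Za-z0-9\+/=]#;
    my $url = decode_base64($b64);
    return undef if $url =~ /[\x00-\x1f\x7f]/;      # reject, do not strip
    my $u      = URI->new($url);                    # escapes unsafe bytes
    my $scheme = $u->scheme;                        # URI lowercases it
    return undef unless defined $scheme && $scheme =~ /^https?$/;
    my $host = lc( $u->host // '' );
    return undef unless grep { $_ eq $host } @ALLOWED_HOSTS;
    return $u->canonical->as_string;
}

# Constructed sample inputs, base64-encoded here the way a caller building
# a portal link would encode them ('' suppresses the trailing newline).
my @samples = (
    'http://app.example.org/index.html',       # legitimate target
    'http://evil.example/?q=%3cscript%3e',     # lowercase %3c/%3e, no raw '<'
    'javascript:alert(document.cookie)',       # contains no blacklisted char
    "http://app.example.org/\"><script>",      # raw quote and angle bracket
    "http://app.example.org/a\r\nb",           # CR/LF inside the URL
);

for my $url (@samples) {
    my $b64 = encode_base64( $url, '' );
    ( my $shown = $url ) =~ s/[\r\n]/?/g;
    printf "%-40s blacklist=%-7s allowlist=%s\n",
        $shown,
        defined blacklist_filter($b64)  ? 'accept' : 'reject',
        defined allowlist_filter($b64)  ? 'accept' : 'reject';
}
```

Run it with `perl` and compare the two columns: the posted regex passes the lowercase-encoded and the `javascript:` inputs because none of the listed characters occur in them, and it turns the CR/LF input into a clean URL rather than refusing it, whereas the allowlist decides on scheme and host alone. The allowlist only settles where the portal may send the browser; a URL that is later echoed into an HTML page still has to be HTML-escaped at that point, which no URL-level filter replaces.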
--- Begin Message ---
Source: lemonldap-ng
Source-Version: 0.9.4-1
We believe that the bug you reported is fixed in the latest version of
lemonldap-ng, which is due to be installed in the Debian FTP archive:
lemonldap-ng-doc_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/lemonldap-ng-doc_0.9.4-1_all.deb
lemonldap-ng_0.9.4-1.diff.gz
to pool/main/l/lemonldap-ng/lemonldap-ng_0.9.4-1.diff.gz
lemonldap-ng_0.9.4-1.dsc
to pool/main/l/lemonldap-ng/lemonldap-ng_0.9.4-1.dsc
lemonldap-ng_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/lemonldap-ng_0.9.4-1_all.deb
lemonldap-ng_0.9.4.orig.tar.gz
to pool/main/l/lemonldap-ng/lemonldap-ng_0.9.4.orig.tar.gz
liblemonldap-ng-conf-perl_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/liblemonldap-ng-conf-perl_0.9.4-1_all.deb
liblemonldap-ng-handler-perl_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/liblemonldap-ng-handler-perl_0.9.4-1_all.deb
liblemonldap-ng-manager-perl_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/liblemonldap-ng-manager-perl_0.9.4-1_all.deb
liblemonldap-ng-portal-perl_0.9.4-1_all.deb
to pool/main/l/lemonldap-ng/liblemonldap-ng-portal-perl_0.9.4-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated lemonldap-ng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Jul 2009 13:46:54 +0200
Source: lemonldap-ng
Binary: lemonldap-ng lemonldap-ng-doc liblemonldap-ng-handler-perl liblemonldap-ng-conf-perl liblemonldap-ng-manager-perl liblemonldap-ng-portal-perl
Architecture: source all
Version: 0.9.4-1
Distribution: unstable
Urgency: low
Maintainer: Xavier Guimard <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Description:
lemonldap-ng - Lemonldap::NG Web-SSO system
lemonldap-ng-doc - Lemonldap::NG Web-SSO system documentation
liblemonldap-ng-conf-perl - Lemonldap::NG common files
liblemonldap-ng-handler-perl - Lemonldap::NG Apache module part
liblemonldap-ng-manager-perl - Lemonldap::NG manager part
liblemonldap-ng-portal-perl - Lemonldap::NG authentication portal part
Closes: 512009
Changes:
lemonldap-ng (0.9.4-1) unstable; urgency=low
.
* New upstream release
* Closes: #512009 (closed since 0.9.3.2)
Checksums-Sha1:
b30c37e02d1a4ae1f4b16b21d81843e91c894575 1448 lemonldap-ng_0.9.4-1.dsc
e29d9a1e5eb0b31474251bb03ecfa67f5fc6bc16 1333592 lemonldap-ng_0.9.4.orig.tar.gz
36f026df239be447f6802f76af610299c7fc56e1 1006 lemonldap-ng_0.9.4-1.diff.gz
5a4d50047c49cc82571175117e252901f8cc1f42 10708 lemonldap-ng_0.9.4-1_all.deb
76f580934906c253d740a14445b50801163e3f49 863550 lemonldap-ng-doc_0.9.4-1_all.deb
aa378d15647ae1d1c8f175e976d7183df92934b8 76718 liblemonldap-ng-handler-perl_0.9.4-1_all.deb
ef11f9d53200f94ba52afc25f28b38ddbf42ade3 55966 liblemonldap-ng-conf-perl_0.9.4-1_all.deb
c9932ac0de661d0cdf5f75ec32c0d8c02f24cf4a 180286 liblemonldap-ng-manager-perl_0.9.4-1_all.deb
c82748969351059c0af9b3d9246f9a782b72f81d 363226 liblemonldap-ng-portal-perl_0.9.4-1_all.deb
Checksums-Sha256:
c6b0e973c93a071ab7cb27ceaeade4e029410f426b98aaf66bd177c5d58e42eb 1448 lemonldap-ng_0.9.4-1.dsc
35aa46a1f3a2a7f83cc92f20c5308e2061adc11709283d6d1e5f244fbdbca7b5 1333592 lemonldap-ng_0.9.4.orig.tar.gz
7a43d50b683ee20131aa4bde47861aad68b1794deba523c7a50f2419ddd6aad5 1006 lemonldap-ng_0.9.4-1.diff.gz
8d6ff6a30d0d0ac3c2ec8171aed0990fc09d74162251c395919a9677a70ffcab 10708 lemonldap-ng_0.9.4-1_all.deb
ac6bba53bea184a9e4f8f6e53d69a562619e4146ba04e8a9c489d1b6ee87ccfc 863550 lemonldap-ng-doc_0.9.4-1_all.deb
d77774234894988ff1e83f11e2fdac383ebe8c945b4aaec2fb3694007d86fb7c 76718 liblemonldap-ng-handler-perl_0.9.4-1_all.deb
b3b504858c957d76989124988cce3f2e8040bdfa7b1695c8b3b10cea1aeb17be 55966 liblemonldap-ng-conf-perl_0.9.4-1_all.deb
2cae939c7a9389af45396fdae7f2d09013f8609bbf316660dfd2fbd8eda3c18c 180286 liblemonldap-ng-manager-perl_0.9.4-1_all.deb
0a69b156d40aba07a1dd82578fb8ef87924801c67974ecae9fce6c5d4ea4e385 363226 liblemonldap-ng-portal-perl_0.9.4-1_all.deb
Files:
3c081aa88b7a9df853421bd8ed9332cf 1448 perl extra lemonldap-ng_0.9.4-1.dsc
c99b73f0da9e1eb75d52825cebbf5bbd 1333592 perl extra lemonldap-ng_0.9.4.orig.tar.gz
fe15f7e788b6b099df581e9d0464d0dd 1006 perl extra lemonldap-ng_0.9.4-1.diff.gz
698c0ed5573e2237538ceca9922619ff 10708 web extra lemonldap-ng_0.9.4-1_all.deb
6c1ca46ab25b62d13ba381d3b23d30b6 863550 doc extra lemonldap-ng-doc_0.9.4-1_all.deb
d165dfd05dff16e8ca5f0077ee5dc43b 76718 perl extra liblemonldap-ng-handler-perl_0.9.4-1_all.deb
0beb4f8d8427151c4e1cc103c872442e 55966 perl extra liblemonldap-ng-conf-perl_0.9.4-1_all.deb
d70b2d879e35d2d2fcd637cdccfe028a 180286 perl extra liblemonldap-ng-manager-perl_0.9.4-1_all.deb
124a72ecb9f6edb2b98dae5605d46c1f 363226 perl extra liblemonldap-ng-portal-perl_0.9.4-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpQk8gACgkQZ9okSKmj7dWK0QCfYdQ5cJnpvoaAleb529Hr5pFU
IwkAn2uNfSGjoL8Mu9B/vl0gPLEpxcAT
=Cfvl
-----END PGP SIGNATURE-----
--- End Message ---