On Wednesday 14 August 2024, 19:54:15 UTC Bastien Roucariès wrote:
Dear Adam

Debdiff joined
> On Wednesday 14 August 2024, 19:53:13 UTC Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Mon, 2024-08-05 at 17:56 +0000, Bastien Roucariès wrote:
> > > CVE-2022-39369
> > > 
> > > [ Impact ]
> > > Service Hostname Discovery Exploitation
> > 
> > diff -Nru fusiondirectory-1.3/debian/#control# 
> > fusiondirectory-1.3/debian/#control#
> > --- fusiondirectory-1.3/debian/#control#    1970-01-01 00:00:00.000000000 
> > +0000
> > +++ fusiondirectory-1.3/debian/#control#    2024-07-11 18:02:29.000000000 
> > +0000
> > 
> > Why is this in the debdiff?
> Agreed, will redo
> > 
> > Regards,
> > 
> > Adam
> > 
> 
> 

diff -Nru fusiondirectory-1.3/debian/changelog fusiondirectory-1.3/debian/changelog
--- fusiondirectory-1.3/debian/changelog	2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/changelog	2024-07-11 18:02:29.000000000 +0000
@@ -1,3 +1,15 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+   * Non-maintainer upload.
+
+   [ Tobias Frost ]
+   * Backport compatibility with php-cas version addressing CVE 2022-39369.
+
+   [ Abhijith PA ]
+   * Fix CVE-2022-36179, CVE-2022-36180.
+
+ -- Bastien Roucari??s <ro...@debian.org>  Thu, 11 Jul 2024 18:02:29 +0000
+
 fusiondirectory (1.3-4) unstable; urgency=medium
 
   * debian/patches:
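Review bot: the Tobias Frost bullet writes the identifier as `CVE 2022-39369` (with a space) while the next bullet and the NEWS file use `CVE-2022-39369`; the Debian security tracker matches the hyphenated form in changelogs, so use it here as well. The maintainer line also carries a mis-encoded name (`Roucari??s`), which suggests the file was edited in a non-UTF-8 locale; check that debian/changelog is valid UTF-8 before upload.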
diff -Nru fusiondirectory-1.3/debian/control fusiondirectory-1.3/debian/control
--- fusiondirectory-1.3/debian/control	2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/control	2024-07-11 18:02:29.000000000 +0000
@@ -35,7 +35,7 @@
  libxml-twig-perl,
  openssl,
  php,
- php-cas,
+ php-cas (>= 1.3.8-1+deb11u1~),
  php-cli,
  php-curl,
  php-fpdf,
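Review bot: the versioned `php-cas (>= 1.3.8-1+deb11u1~)` dependency makes sure the vulnerable php-cas cannot stay installed alongside this package, but on its own it does not restore a working CAS login: the NEWS file says the php-cas fix is an API-breaking change, and the backported patch only takes the new call path when `CasLibraryBool` is TRUE. It would be worth saying in the changelog that CAS logins stop working after the upgrade until the NEWS steps are carried out, so that admins reading only the changelog are not surprised.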
@@ -56,6 +56,7 @@
 Breaks:
  fusiondirectory-plugin-dashboard (<< 1.0.8.7),
  fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
+ fusiondirectory-schema (<< 1.3-4+deb11u1~)
 Replaces:
  fusiondirectory-plugin-dashboard (<< 1.0.8.7),
  fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
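Review bot: the new `fusiondirectory-schema (<< 1.3-4+deb11u1~)` entry in Breaks ties this package to the updated schema package, matching the first step in NEWS, but it is appended without the trailing comma the entries above it carry; keep the comma so that a later addition to the list cannot silently turn into an invalid relationship field.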
diff -Nru fusiondirectory-1.3/debian/NEWS fusiondirectory-1.3/debian/NEWS
--- fusiondirectory-1.3/debian/NEWS	1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/NEWS	2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,30 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+  If you are using CAS for authentication:
+  To address CVE-2022-39369 in php-cas - the library used for CAS - had
+  to introduce an API breaking change which requires some additional
+  configuration in fusiondirectory.
+
+  The php-cas package introducing the fix for bullseye is version
+  1.3.8-1+deb11u1. After installing the php-cas update, a CAS enabled
+  fusiondirectory installation will no longer work until those steps are
+  done:
+
+  - make sure to install the updated fusiondirectory-schema package for
+    bullseye.
+
+  - update the fusiondirectory core schema in LDAP by running
+    fusiondirectory-insert-schema -m
+
+  - switch to using the new php-cas API by running
+    fusiondirectory-setup --set-config-CasLibraryBool=TRUE
+
+  - set the CAS ClientServiceName to the base URL of the fusiondirectory
+    installation, for example:
+    fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/";
+
+  To troubleshoot php-cas problems, the property CasVerbose can be activated for
+  additional diagnostics:
+    fusiondirectory-setup --set-config-CasVerbose=TRUE
+
+ -- Bastien Roucari??s <ro...@debian.org>  Thu, 11 Jul 2024 18:08:39 +0000
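Review bot: the first paragraph is missing its subject: "To address CVE-2022-39369 in php-cas - the library used for CAS - had to introduce an API breaking change" should read along the lines of "To address CVE-2022-39369, php-cas (the library used for CAS) had to introduce an API-breaking change ...". Two smaller points: the example command ends with a stray `;` after the closing quote, which readers will paste verbatim, and the signature line has the same mis-encoded `Roucari??s` as the changelog. Since `CasClientServiceName` is the value the new php-cas API uses as the service URL instead of deriving it from the request's Host header (that derivation is the hostname-discovery issue behind CVE-2022-39369), the text could also state that it must be the exact scheme, host and port under which users reach FusionDirectory, otherwise ticket validation will fail.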
diff -Nru fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch
--- fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch	1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch	2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,184 @@
+From: FusionDirectory Packagers <team+fusiondirect...@tracker.debian.org>
+Date: Thu, 11 Jul 2024 17:52:17 +0000
+Subject: Backport changes required for newer php-cas API
+
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/299a320a7fe905402aea85b899dbd5a9cab9324c
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/7ded986a5f5aabe2670cd176caeb9d76f8555dca
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/39019502aa36b211aa283fac3b922c3806c2fef5
+Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>
+
+To adress CVE-2022-39369, php-cas needs an API change.
+This patches backports the required upstream changes to the buster version.
+The patch also adds the switch for php-cas verbose mode, for better troubleshooting.
+Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+ core/contrib/openldap/core-fd-conf.schema  | 21 ++++++++++++-
+ core/html/index.php                        | 49 ++++++++++++++++++++++++------
+ core/plugins/config/class_configInLdap.inc | 29 +++++++++++++++++-
+ 3 files changed, 87 insertions(+), 12 deletions(-)
+
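Review bot: the DEP-3 header contains the `Last-Update:` field twice, and both copies still carry the template placeholder `<YYYY-MM-DD, last update of the meta-information, optional>`; keep a single `Last-Update: 2023-06-27` line. The description also says the changes are backported "to the buster version" while this upload targets bullseye, and has the typos "adress" and "This patches backports".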
+diff --git a/core/contrib/openldap/core-fd-conf.schema b/core/contrib/openldap/core-fd-conf.schema
+index 840d1ff..8edcc20 100644
+--- a/core/contrib/openldap/core-fd-conf.schema
++++ b/core/contrib/openldap/core-fd-conf.schema
+@@ -452,6 +452,25 @@ attributetype ( 1.3.6.1.4.1.38414.8.21.5 NAME 'fdCasContext'
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+   SINGLE-VALUE)
+ 
++attributetype ( 1.3.6.1.4.1.38414.8.21.6 NAME 'fdCasVerbose'
++  DESC 'FusionDirectory - CAS??verbose flag'
++  EQUALITY booleanMatch
++  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
++  SINGLE-VALUE )
++
++attributetype ( 1.3.6.1.4.1.38414.8.21.7 NAME 'fdCasLibraryBool'
++  DESC 'FusionDirectory - CAS boolean to activate CAS library >= 1.6'
++  EQUALITY booleanMatch
++  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
++  SINGLE-VALUE )
++
++attributetype ( 1.3.6.1.4.1.38414.8.21.8 NAME 'fdCasClientServiceName'
++  DESC 'FusionDirectory - CAS client service name'
++  EQUALITY caseExactIA5Match
++  SUBSTR caseExactIA5SubstringsMatch
++  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
++  SINGLE-VALUE)
++
+ # merged from dashboard-fd.schema - Needed by Fusion Directory for dashboard options
+ 
+ attributetype ( 1.3.6.1.4.1.38414.27.1.1 NAME 'fdDashboardPrefix'
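Review bot: the DESC of `fdCasVerbose` contains a non-ASCII character between `CAS` and `verbose` (rendered here as `??`, most likely a non-breaking space); schema files should stay plain ASCII, so replace it with an ordinary space before the schema is loaded into LDAP. Minor: the two boolean attributes end with `SINGLE-VALUE )` while `fdCasClientServiceName` ends with `SINGLE-VALUE)`, which is inconsistent with the surrounding definitions.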
+@@ -563,7 +582,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
+     fdPluginsMenuBlacklist $
+     fdAclTabOnObjects $ fdDepartmentCategories $
+     fdSslCaCertPath $ fdSslKeyPath $ fdSslCertPath $
+-    fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext
++    fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext $ fdCasVerbose $fdCasLibraryBool $ fdCasClientServiceName
+   ) )
+ 
+ objectclass ( 1.3.6.1.4.1.38414.8.2.2 NAME 'fusionDirectoryPluginsConf'
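Review bot: in the MAY list `$fdCasLibraryBool` lacks the space after `$` that every other entry has; RFC 4512 allows zero whitespace around the `$` separator, so slapd will accept it, but the line is harder to read and easy to mis-merge later, so write `$ fdCasLibraryBool` like the rest of the list.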
+diff --git a/core/html/index.php b/core/html/index.php
+index 38918fb..8a8dfcb 100644
+--- a/core/html/index.php
++++ b/core/html/index.php
+@@ -121,13 +121,29 @@ if (isset($_REQUEST['signout']) && $_REQUEST['signout']) {
+       /* Move FD autoload after CAS autoload */
+       spl_autoload_unregister('__fusiondirectory_autoload');
+       spl_autoload_register('__fusiondirectory_autoload');
++
++      if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
++          phpCAS::setVerbose(TRUE);
++      }
++
++    // Initialize CAS with proper library and call.
++    if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
+       phpCAS::client(
+         CAS_VERSION_2_0,
+         $config->get_cfg_value('casHost', 'localhost'),
+-        (int)($config->get_cfg_value('casPort', 443)),
+-        $config->get_cfg_value('casContext', '')
++        (int) ($config->get_cfg_value('casPort', 443)),
++        $config->get_cfg_value('casContext'),
++        $config->get_cfg_value('CasClientServiceName')
+       );
+-      // Set the CA certificate that is the issuer of the cert
++    } else {
++      phpCAS::client(
++        CAS_VERSION_2_0,
++        $config->get_cfg_value('casHost', 'localhost'),
++        (int) ($config->get_cfg_value('casPort', 443)),
++        $config->get_cfg_value('casContext')
++      );
++    }
++
+       phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
+       phpCas::logout();
+     }
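Review bot: the indentation of the new block is off: the `if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {`, `} else {` and `}` lines sit at four spaces while the surrounding code uses six, and the `phpCAS::client(` calls inside them are at the same six-space level as the `if`, which hides the nesting. Two behaviour points deserve a second look: the `casContext` lookup dropped its `''` default, so confirm `get_cfg_value()` returns an empty string rather than NULL when the attribute is unset; and the new-API branch passes `CasClientServiceName` straight through, so an unset value reaches `phpCAS::client()` as an empty service name. An explicit check with a clear error message would be better there, since the service name is precisely the value that replaces the Host-header derivation behind CVE-2022-39369.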
+@@ -518,14 +534,27 @@ class Index {
+     $message = '';
+ 
+     //~ phpCAS::setDebug();
+-
++    if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
++        phpCAS::setVerbose(TRUE);
++    }
++    
+     // Initialize phpCAS
+-    phpCAS::client(
+-      CAS_VERSION_2_0,
+-      $config->get_cfg_value('casHost', 'localhost'),
+-      (int)($config->get_cfg_value('casPort', 443)),
+-      $config->get_cfg_value('casContext', '')
+-    );
++    if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
++      phpCAS::client(
++        CAS_VERSION_2_0,
++        $config->get_cfg_value('casHost', 'localhost'),
++        (int) ($config->get_cfg_value('casPort', 443)),
++        $config->get_cfg_value('casContext'),
++        $config->get_cfg_value('CasClientServiceName')
++      );
++    } else {
++      phpCAS::client(
++        CAS_VERSION_2_0,
++        $config->get_cfg_value('casHost', 'localhost'),
++        (int) ($config->get_cfg_value('casPort', 443)),
++        $config->get_cfg_value('casContext')
++      );
++    }
+ 
+     // Set the CA certificate that is the issuer of the cert
+     phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
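Review bot: this hunk duplicates the client initialisation added in the logout path above (verbose flag, `CasLibraryBool` branch, both `phpCAS::client()` calls), so the two call sites can drift apart; a small helper called from both places would keep them in sync and give a single spot for the service-name check. The `CasVerbose` comparison uses `==` while `CasLibraryBool` uses `===`; both compare against the literal 'TRUE', so `===` should be used in both. There is also a whitespace-only line left where the blank line was replaced.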
+diff --git a/core/plugins/config/class_configInLdap.inc b/core/plugins/config/class_configInLdap.inc
+index 5f19db7..fe9545c 100644
+--- a/core/plugins/config/class_configInLdap.inc
++++ b/core/plugins/config/class_configInLdap.inc
+@@ -277,6 +277,18 @@ class configInLdap extends simplePlugin
+             'fdCasContext', FALSE,
+             '/cas'
+           ),
++          new BooleanAttribute(
++            _('Verbose error'), _('Activate verbose errors in phpCAS. Avoid in production.'),
++            'fdCasVerbose', FALSE
++          ),
++          new BooleanAttribute(
++            _('Library CAS 1.6'), _('Activate if library CAS >= 1.6 is being used.'),
++            'fdCasLibraryBool', FALSE
++          ),
++          new StringAttribute(
++            _('Client service'), _('The client service name'),
++            'fdCasClientServiceName', FALSE
++          ),
+         )
+       ),
+       'people_and_group' => array(
+@@ -548,6 +560,9 @@ class configInLdap extends simplePlugin
+             'fdCasHost',
+             'fdCasPort',
+             'fdCasContext',
++            'fdCasVerbose',
++            'fdCasClientServiceName',
++            'fdCasLibraryBool'
+           )
+         )
+       )
+@@ -570,7 +585,19 @@ class configInLdap extends simplePlugin
+         )
+       )
+     );
+-  }
++
++    // CAS boolean case to allow the use of CAS library >= 1.6
++    
++    $this->attributesAccess['fdCasLibraryBool']->setManagedAttributes(
++      array(
++        'disable' => array (
++          FALSE => array (
++            'fdCasClientServiceName',
++          )
++        )
++      )
++    );
++}
+ 
+   function compute_dn()
+   {
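Review bot: the closing brace that replaces `-  }` is written as `+}` at column zero, so the method body now closes at the class indentation level; restore the two-space indent. The `// CAS boolean case ...` comment is followed by a whitespace-only line. The `setManagedAttributes` call itself is a sensible guard: it disables `fdCasClientServiceName` in the form unless `fdCasLibraryBool` is set, which matches the order of the NEWS instructions.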
diff -Nru fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch
--- fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch	1970-01-01 00:00:00.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/CVE-2022-36179_80.patch	2024-07-11 18:02:29.000000000 +0000
@@ -0,0 +1,45 @@
+From: FusionDirectory Packagers <team+fusiondirect...@tracker.debian.org>
+Date: Thu, 11 Jul 2024 17:52:17 +0000
+Subject: Fix for CVE-2022-36179, CVE-2022-36180
+
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/d84cf05573b52df98418adf3716daf365e8da745
+        https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366
+Last-Update: 2023-05-19
+---
+ core/html/index.php            | 4 ++++
+ core/include/class_session.inc | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/core/html/index.php b/core/html/index.php
+index 8a8dfcb..5be3422 100644
+--- a/core/html/index.php
++++ b/core/html/index.php
+@@ -424,6 +424,10 @@ class Index {
+ 
+     if ($success) {
+       /* Everything went well, redirect to main.php */
++
++      //Regenerate after login in order to avoid session fixation issues (vuln),
++      session_regenerate_id();
++
+       static::redirect();
+     }
+   }
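Review bot: `session_regenerate_id()` is called without the `$delete_old_session` argument, so the pre-login session record stays on disk until garbage collection. That record holds no authenticated state, so the fixation fix is sound as written, but `session_regenerate_id(true)` removes the stale record immediately and is the usual idiom. The comment also ends with a stray `(vuln),`.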
+diff --git a/core/include/class_session.inc b/core/include/class_session.inc
+index 7367f1e..a9f6659 100644
+--- a/core/include/class_session.inc
++++ b/core/include/class_session.inc
+@@ -230,6 +230,13 @@ class session {
+        !! The garbage collector is a cron job on debian systems, the cronjob will fetch the timeout from
+        the php.ini, so if you use debian, you must hardcode session.gc_maxlifetime in your php.ini */
+     ini_set("session.gc_maxlifetime", 24 * 60 * 60);
++
++    /*
++     *  Set HttpOnly in order to enhance security by disabling execution of javascript on cookies,
++     *  allowing possible XSS attacks
++     */
++    ini_set("session.cookie_httponly", "1");
++
+     if ($id !== NULL) {
+       session_id($id);
+     }
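Review bot: the comment misstates what HttpOnly does: it does not disable JavaScript, it prevents script running in the page from reading the cookie through `document.cookie`, which limits what an XSS bug can steal; reword to something like "Mark the session cookie HttpOnly so client-side script cannot read it, reducing the impact of XSS". The `ini_set` has to run before the session is started to take effect, so its placement just ahead of `session_id($id)` is right. A `session.cookie_secure` setting would be a natural companion for HTTPS-only deployments, though that is outside the scope of these two CVEs.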
diff -Nru fusiondirectory-1.3/debian/patches/series fusiondirectory-1.3/debian/patches/series
--- fusiondirectory-1.3/debian/patches/series	2020-12-07 11:25:31.000000000 +0000
+++ fusiondirectory-1.3/debian/patches/series	2024-07-11 18:02:29.000000000 +0000
@@ -2,3 +2,5 @@
 2003_fusiondirectory-setup.patch
 0001_CVE-2019-11187_stricter-ldap-error-check.patch
 2001_fd-location-in-apache-conf.patch
+0010-phpCAS_API_change.patch
+CVE-2022-36179_80.patch
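Review bot: the existing patches in series carry a numeric prefix (`2003_`, `0001_`, `2001_`) while `CVE-2022-36179_80.patch` has none; for consistency name it with a prefix such as `0011-`. The order of the two new lines must be kept as is, because the index.php hunk of `CVE-2022-36179_80.patch` starts from blob `8a8dfcb`, which is the blob `0010-phpCAS_API_change.patch` produces.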

Attachment: signature.asc
Description: This is a digitally signed message part.
