Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, I just uploaded two fusiondirectory fixes (one bug, one no-dsa CVE) for the next stretch point release: + * debian/patches: + + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch. + Perform stricter check on LDAP success/failure (CVE-2019-11187). Considered severe issue by upstream, assessment by the security team say: no-dsa issue. In theory, the flaw that got fixed could let someone into the FusionDirectory WebUI with a wrong password. + * debian/control: + + Add to D (fusiondirectory): php-xml. (Closes: #931959). The installer setup requires php-xml, also valid for fusiondirectory in stretch. Greets, Mike -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru fusiondirectory-1.0.19/debian/changelog fusiondirectory-1.0.19/debian/changelog --- fusiondirectory-1.0.19/debian/changelog 2017-01-22 21:54:59.000000000 +0100 +++ fusiondirectory-1.0.19/debian/changelog 2019-08-08 12:01:12.000000000 +0200 @@ -1,3 +1,13 @@ +fusiondirectory (1.0.19-1+deb9u1) stretch; urgency=medium + + * debian/patches: + + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch. + Perform stricter check on LDAP success/failure (CVE-2019-11187). + * debian/control: + + Add to D (fusiondirectory): php-xml. (Closes: #931959). + + -- Mike Gabriel <sunwea...@debian.org> Thu, 08 Aug 2019 12:01:12 +0200 + fusiondirectory (1.0.19-1) unstable; urgency=medium [ Benoit Mortier ] diff -Nru fusiondirectory-1.0.19/debian/control fusiondirectory-1.0.19/debian/control --- fusiondirectory-1.0.19/debian/control 2017-01-22 21:52:35.000000000 +0100 +++ fusiondirectory-1.0.19/debian/control 2019-08-08 12:01:12.000000000 +0200 @@ -43,6 +43,7 @@ php-ldap, php-recode, schema2ldif, + php-xml, smarty-gettext (>= 1.1), smarty3, ${misc:Depends}, diff -Nru fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch --- fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ fusiondirectory-1.0.19/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 2019-08-08 12:01:12.000000000 +0200 @@ -0,0 +1,32 @@ +From f2fd17d4ddead5d3b61ddebf5fd21e043bda30be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <c...@opensides.be> +Date: Mon, 29 Jul 2019 09:32:22 +0000 +Subject: [PATCH] Merge branch 'stricter-ldap-error-check' into '1.4-dev' + +:ambulance: fix(ldap) Use a stricter error check in ldap::success() + +See merge request fusiondirectory/fd!648 + +(cherry picked from commit 29ca9876df28e45bb8f4f8960f3760c336936dfc) + +23936352 :ambulance: fix(ldap) Use a stricter error check in ldap::success() +--- + core/include/class_ldap.inc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/include/class_ldap.inc b/core/include/class_ldap.inc +index e5b04c28..54090353 100644 +--- a/core/include/class_ldap.inc ++++ b/core/include/class_ldap.inc +@@ -906,7 +906,7 @@ class LDAP + */ + function success() + { +- return preg_match('/Success/i', $this->error); ++ return (trim($this->error) === 'Success'); + } + + /*! +-- +2.21.0 + diff -Nru fusiondirectory-1.0.19/debian/patches/series fusiondirectory-1.0.19/debian/patches/series --- fusiondirectory-1.0.19/debian/patches/series 2016-11-26 20:01:13.000000000 +0100 +++ fusiondirectory-1.0.19/debian/patches/series 2019-08-08 12:01:12.000000000 +0200 @@ -2,3 +2,4 @@ 2001_fusiondirectory-apache.patch 2002_fusiondirectory-headers.patch 2003_fusiondirectory-setup.patch +0001_CVE-2019-11187_stricter-ldap-error-check.patch