Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-22 Thread Guilhem Moulin
On Wed, 22 May 2019 at 07:34:06 +0200, Xavier wrote:
> It seems that Clément has fixed something related to that feature.
> Could you try
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
> ?

That solves the issue indeed, thanks for the pointer!

Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-21 Thread Xavier
On 21 May 2019 21:40:35 GMT+02:00, Guilhem Moulin wrote:
>Hi Xavier,
>
> # Load session data into object
> if ($data) {
>+if ( $self->kind ) {
>+unless ( $data->{_session_kind} eq $self->kind ) {
>+$self->error("Session kind mistmatch");
>+

Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-21 Thread Guilhem Moulin
Hi Xavier,

 # Load session data into object
 if ($data) {
+if ( $self->kind ) {
+unless ( $data->{_session_kind} eq $self->kind ) {
+$self->error("Session kind mistmatch");
+return undef;
+}
+}

Doesn't that break CDA
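Review bot: the error string in `$self->error("Session kind mistmatch");` misspells "mismatch"; since this message is what operators will grep their logs for, correct it before it ships: `$self->error("Session kind mismatch");`. A second point on the same `unless`: `$data->{_session_kind} eq $self->kind` treats a record that has no `_session_kind` key at all the same as a record of the wrong kind, and under `use warnings` comparing the missing value with `eq` emits an "uninitialized value" warning on every such load; testing `defined $data->{_session_kind}` first would avoid the warning and let the error distinguish an untagged record from a mis-kinded one.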

Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-13 Thread Xavier
Package: liblemonldap-ng-portal-perl
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Found: 1.9.7-3

Hi all,

during an internal audit, one of lemonldap-ng's developers discovered an attack vect
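The bug title above says a token stored in the same session database can be taken for a session. The following is an added example, written for this page and not lemonldap-ng code, that models that situation with two session kinds sharing one store and shows the effect of checking the stored kind on load, the class of check the patch discussed in the thread adds. The store, the kind names "TOKEN" and "SSO", and the `store_session`/`load_session` helpers are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not lemonldap-ng code): two session kinds share one
# backend store; the loader can either trust any id it finds or insist
# that the record's stored kind matches the kind the caller expects.
use strict;
use warnings;

# Constructed in-memory stand-in for a shared session database.
my %store;

# Write a record under an id and tag it with its kind.
sub store_session {
    my ( $id, $kind, %data ) = @_;
    $store{$id} = { %data, _session_kind => $kind };
    return $id;
}

# Read a record back. With $check_kind false, any id present in the
# shared store is returned, whatever it was created for. With it true,
# a record whose tag is missing or differs from $want_kind is refused.
sub load_session {
    my ( $id, $want_kind, $check_kind ) = @_;
    my $data = $store{$id} or return undef;
    if ($check_kind) {
        my $have = $data->{_session_kind};
        unless ( defined $have && $have eq $want_kind ) {
            warn sprintf "Session kind mismatch for %s: stored=%s wanted=%s\n",
                $id, ( defined $have ? $have : 'none' ), $want_kind;
            return undef;
        }
    }
    return $data;
}

# A short-lived token record (no user attributes) and a real SSO session.
store_session( 'tok-1', 'TOKEN', _utime => time );
store_session( 'sso-1', 'SSO', _utime => time, uid => 'alice' );

# Unchecked lookup: presenting the token id where a session id is expected
# yields a record with no user data, i.e. an anonymous session.
my $s = load_session( 'tok-1', 'SSO', 0 );
print "unchecked lookup of tok-1 as SSO: ", ( $s ? "accepted" : "rejected" ), "\n";

# Checked lookup: the stored kind tag causes the same id to be refused.
$s = load_session( 'tok-1', 'SSO', 1 );
print "checked lookup of tok-1 as SSO:   ", ( $s ? "accepted" : "rejected" ), "\n";

# A genuine SSO session still loads when the kinds agree.
$s = load_session( 'sso-1', 'SSO', 1 );
print "checked lookup of sso-1 as SSO:   ",
    ( $s ? "accepted as $s->{uid}" : "rejected" ), "\n";
```

The `defined` test in `load_session` is deliberate: a record without a kind tag is refused and logged as "stored=none" rather than silently treated as a mismatch or accepted by default.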