lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified

Related Vulnerabilities: CVE-2012-6426  

Debian Bug report logs - #696329


Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 19 Dec 2012 15:00:01 UTC

Severity: important

Tags: patch, security

Found in versions lemonldap-ng/1.1.2-5, lemonldap-ng/1.2.2-2

Fixed in versions lemonldap-ng/1.2.2-3, lemonldap-ng/1.1.2-5+deb7u1

Done: Xavier Guimard <x.guimard@free.fr>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#696329; Package lemonldap-ng. (Wed, 19 Dec 2012 15:00:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 19 Dec 2012 15:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified
Date: Wed, 19 Dec 2012 16:56:34 +0200
Package: lemonldap-ng
Version: 1.2.2-2
Severity: important
Tags: security

Description: Due to a bad use of the Lasso library, SAML signatures are never checked, even if we force signature check. Anyone using SAML binding in LemonLDAP::NG should apply it quickly and upgrade to 1.2.3 as soon as it is released.

Bug: http://jira.ow2.org/browse/LEMONLDAP-570
Patch: http://jira.ow2.org/secure/attachment/11153/lemonldap-ng-saml-signature-verification.patch
CVE request: http://www.openwall.com/lists/oss-security/2012/12/19/6

Checked from code that this is not yet patched in unstable. 

- Henri Salo



Added tag(s) pending and patch. Request was from Xavier <x.guimard@free.fr> to control@bugs.debian.org. (Thu, 20 Dec 2012 05:33:06 GMT)


Marked as found in versions lemonldap-ng/1.1.2-5. Request was from Xavier <x.guimard@free.fr> to control@bugs.debian.org. (Thu, 20 Dec 2012 05:39:09 GMT)


Reply sent to Xavier Guimard <x.guimard@free.fr>:
You have taken responsibility. (Sun, 23 Dec 2012 17:36:06 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 23 Dec 2012 17:36:06 GMT)


Message #14 received at 696329-close@bugs.debian.org:

From: Xavier Guimard <x.guimard@free.fr>
To: 696329-close@bugs.debian.org
Subject: Bug#696329: fixed in lemonldap-ng 1.2.2-3
Date: Sun, 23 Dec 2012 17:32:34 +0000
Source: lemonldap-ng
Source-Version: 1.2.2-3

We believe that the bug you reported is fixed in the latest version of
lemonldap-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <x.guimard@free.fr> (supplier of updated lemonldap-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 23 Dec 2012 17:36:39 +0100
Source: lemonldap-ng
Binary: lemonldap-ng lemonldap-ng-doc liblemonldap-ng-handler-perl liblemonldap-ng-conf-perl liblemonldap-ng-manager-perl liblemonldap-ng-portal-perl
Architecture: source all
Version: 1.2.2-3
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Xavier Guimard <x.guimard@free.fr>
Description: 
 lemonldap-ng - LemonLDAP::NG is an OpenID, CAS and SAML compatible Web-SSO syste
 lemonldap-ng-doc - Lemonldap::NG Web-SSO system documentation
 liblemonldap-ng-conf-perl - Lemonldap::NG common files
 liblemonldap-ng-handler-perl - Lemonldap::NG Apache handler part
 liblemonldap-ng-manager-perl - Lemonldap::NG manager part
 liblemonldap-ng-portal-perl - Lemonldap::NG authentication portal part
Closes: 694890 696329
Changes: 
 lemonldap-ng (1.2.2-3) unstable; urgency=low
 .
   * Remove recursive changes in debian/*.postinst (chown and chmod)
   * Remove /var/lib/lemonldap-ng/handler from dh_installdirs list
     (Closes: #694890)
   * Remove pre-defined MyHandler file. Now available from examples only
   * Move test application to examples directory
   * Update README.Debian file
   * Replace duplicate files by links
   * Update descriptions
   * Update debian/copyright (missing entries)
   * Add verify-saml-signatures.patch, fix for CVE-2012-6426 (Closes: #696329)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#696329; Package lemonldap-ng. (Mon, 24 Dec 2012 11:39:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 24 Dec 2012 11:39:03 GMT)


Message #19 received at 696329@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Xavier Guimard <x.guimard@free.fr>
Cc: 696329@bugs.debian.org
Subject: Re: Bug#696329: fixed in lemonldap-ng 1.2.2-3
Date: Mon, 24 Dec 2012 12:37:37 +0100
On Sun, Dec 23, 2012 at 05:32:34PM +0000, Xavier Guimard wrote:
> Source: lemonldap-ng
> Source-Version: 1.2.2-3
> 
>  lemonldap-ng (1.2.2-3) unstable; urgency=low
>  .
>    * Add verify-saml-signatures.patch, fix for CVE-2012-6426 (Closes: #696329)
> Checksums-Sha1: 

Xavier,
Wheezy is still affected and the version in unstable has diverged too
much to be accepted into Wheezy at this point of the freeze.

Please upload the minimal security fix to testing-proposed-updates (distribution=testing)
using the version 1.1.2-5+deb7u1. After that, file an unblock
request by filing a bug against release.debian.org

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#696329; Package lemonldap-ng. (Mon, 24 Dec 2012 12:57:03 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 24 Dec 2012 12:57:03 GMT)


Message #24 received at 696329@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 696329@bugs.debian.org
Cc: Xavier Guimard <x.guimard@free.fr>
Subject: Re: Bug#696329: fixed in lemonldap-ng 1.2.2-3
Date: Mon, 24 Dec 2012 13:55:29 +0100
On Mon, 24 Dec 2012 12:37:37 +0100, Moritz Mühlenhoff wrote:

> Please upload the minimal security fix to testing-proposed-updates (distribution=testing)
> using the version 1.1.2-5+deb7u1. After that, file an unblock
> request by filing a bug against release.debian.org

Xavier has already filed an unblock request (#696516), and Adam has
asked for an upload to unstable to happen before to give the patch
some testing. So the fix for wheezy is kind of "pending" :)


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Arik Brauer: Sein Köpferl im Sand

Reply sent to Xavier Guimard <x.guimard@free.fr>:
You have taken responsibility. (Mon, 24 Dec 2012 20:51:16 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 24 Dec 2012 20:51:16 GMT)


Message #29 received at 696329-close@bugs.debian.org:

From: Xavier Guimard <x.guimard@free.fr>
To: 696329-close@bugs.debian.org
Subject: Bug#696329: fixed in lemonldap-ng 1.1.2-5+deb7u1
Date: Mon, 24 Dec 2012 20:47:45 +0000
Source: lemonldap-ng
Source-Version: 1.1.2-5+deb7u1

We believe that the bug you reported is fixed in the latest version of
lemonldap-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <x.guimard@free.fr> (supplier of updated lemonldap-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 20 Dec 2012 06:41:50 +0100
Source: lemonldap-ng
Binary: lemonldap-ng lemonldap-ng-doc liblemonldap-ng-handler-perl liblemonldap-ng-conf-perl liblemonldap-ng-manager-perl liblemonldap-ng-portal-perl
Architecture: source all
Version: 1.1.2-5+deb7u1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Xavier Guimard <x.guimard@free.fr>
Changed-By: Xavier Guimard <x.guimard@free.fr>
Description: 
 lemonldap-ng - Lemonldap::NG Web-SSO system
 lemonldap-ng-doc - Lemonldap::NG Web-SSO system documentation
 liblemonldap-ng-conf-perl - Lemonldap::NG common files
 liblemonldap-ng-handler-perl - Lemonldap::NG Apache module part
 liblemonldap-ng-manager-perl - Lemonldap::NG manager part
 liblemonldap-ng-portal-perl - Lemonldap::NG authentication portal part
Closes: 693366 696329
Changes: 
 lemonldap-ng (1.1.2-5+deb7u1) testing-proposed-updates; urgency=high
 .
   * Fix for CVE-2012-6426 (Closes: #696329)
   * Brazilian translation (Closes: #693366)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Jan 2013 07:25:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:26:12 2019; Machine Name: beach
