CVE-2019-19791: OW2 Projects - LemonLDAP::NG 2.0.7 is out!

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.
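The description above gives a defender one concrete indicator to look for in web server logs: the FastCGI handler name appearing a second time inside the request path. The following is an added example, not code from the LemonLDAP::NG project or from the advisory; it scans Apache combined-format access log lines (the sample lines are constructed) and flags requests whose URL-decoded path names the handler script more than once. The handler names it watches and the log format are assumptions; the real remediation is upgrading to 2.0.7 and following the linked upgrade notes.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2019:10:00:01 +0000] "GET /index.fcgi/sessions/global/abc HTTP/1.1" 403 199 "-" "curl/7.64"
203.0.113.5 - - [10/Dec/2019:10:00:02 +0000] "GET /index.fcgi/index.fcgi/sessions/global/abc HTTP/1.1" 200 5120 "-" "curl/7.64"
198.51.100.9 - - [10/Dec/2019:10:00:03 +0000] "GET /index.fcgi/%69ndex.fcgi/config HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2019:10:00:04 +0000] "GET /static/common/js/portal.min.js HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

# Assumed handler names for the portal/manager FastCGI scripts (hypothetical list).
SCRIPT_NAMES = ("index.fcgi", "index.pl")

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> List[str]:
    """Return the request path as a list of segments after URL-decoding,
    with the query string, empty segments (from '//') and '.' removed,
    so percent-encoded or slash-padded variants compare equal."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    return [seg for seg in path.split("/") if seg not in ("", ".")]


def has_repeated_script_segment(segments: List[str], script_names=SCRIPT_NAMES) -> bool:
    """A handler script name should occur at most once in a path; anything after
    it is path info. A second occurrence is the pattern the advisory describes."""
    return any(segments.count(name) > 1 for name in script_names)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one alert record per log line whose path repeats a handler name."""
    alerts = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if has_repeated_script_segment(normalize_path(rec["target"])):
            alerts.append({"ip": rec["ip"], "time": rec["time"],
                           "target": rec["target"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        # A 200 on such a request to an endpoint that should sit behind a Require
        # directive is the case worth investigating.
        print(f"{a['time']} {a['ip']} {a['target']} -> {a['status']}")
```

The decoding step matters: matching on the literal string `index.fcgi/index.fcgi` would miss a percent-encoded or double-slash variant of the same request, so the check works on normalized segments rather than on the raw request line.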

This release contains several security fixes, including the fix for CVE-2019-19791.

This new release fixes more than 60 issues. Here are some of the bugfixes and improvements in this release:

  • Security:
    • [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
    • [Security: medium] Redirection in OpenID Connect is granted by default if no URI defined in oidcRPMetaDataOptionsRedirectUris
    • [Security: low] afterData plugins (grantSession) cannot prevent session establishment when 2FA is in use
  • Bugs:
    • Issuer urldc is lost after error in 2F flow or notification flow
    • Outgoing emails are missing a Date: field
    • Zimbra preauth not working
    • REST config service not working
    • Server Error with OpenID Connect register endpoint
    • Manager version comparator does not work with minified JS
    • Reset expired password doesn’t trigger when using Combination
    • Kerberos not working with session upgrade
    • After temporary ldap failure, ldap connections stop working forever
    • Authenticating with external OpenID Connect Provider fails because of special chars in user name
  • Improvements:
    • Possibility to configure new plugins in Manager
    • Append overScheme for persistent sessions
    • Allow different types of managerDN
    • Append a requiredAuthenticationLevel option for each uri
    • Add an option to force claims in ID token
    • Possibility to set attributes and extra claims in OIDC registration endpoints
    • Specific message and error code for 2F failure
  • New features:
    • Add per-service macros
    • New script to convert sessions between backends
    • Renew Captcha button
    • Provide refresh tokens in OpenID Connect
    • Certificate reset by mail
    • Possibility to view/close other sessions opened for the same user
    • Create a web service for “refresh my rights”

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/69

Upgrade notes: https://lemonldap-ng.org/documentation/latest/upgrade#section207

Download: https://lemonldap-ng.org/download

This release was made by:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Linagora, SITIV, Métropole Européenne de Lille
  • Community (issue reports, tests, patches, pull requests): David Coutadeur, Andreas Deschka, Daniel Berteaud, Grégory Roy, Antoine Rosier, Mickael Bride, Vincent Filali-Ansary, Dave Conroy, Julien Ledoux, Louis Chemineau, Vincent Mazenod, Xavier Bachelot

If you use LemonLDAP::NG and enjoy it, please let us know:

  • https://lemonldap-ng.org/references
  • https://www.openhub.net/p/lemonldap-ng
  • http://alternativeto.net/software/lemonldap-ng/
  • https://comptoir-du-libre.org/softwares/view/101
  • https://framalibre.org/content/lemonldapng
  • http://twitter.com/lemonldapng
  • https://www.facebook.com/lemonldapng/
