-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4446-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 14, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : lemonldap-ng CVE ID : CVE-2019-12046 It was discovered that the Lemonldap::NG web SSO system performed insuffient validation of session tokens if the "tokenUseGlobalStorage" option is enabled, which could grant users with access to the main session database access to an anonymous session. For the stable distribution (stretch), this problem has been fixed in version 1.9.7-3+deb9u1. We recommend that you upgrade your lemonldap-ng packages. For the detailed security status of lemonldap-ng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lemonldap-ng Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlzbL3AACgkQEMKTtsN8 TjZnyg/+OgtJMGgRLtuAlYm5vWJmmxwqw+Yqyvl9FHBI535Yfr5/F6b7cvXfn4A2 L0bSKYceLUmXT0D+8EIp6DxhhOiEEs5ME4PhboX4MJT79ln8CqCxngLmgTX4bh2T kc5uEEkJoHwNf15vi1HIRPiRtv8f0gTFGZa9yAhR6XqrdqMLGtTYwR338r1wPr65 0gcGFNgUCL/JoI+QZSE5QyN/pseAiO32YbP4WkoIOukWlYanYQht4R2hQePU9b+p tghcXyBEQ3Z2Z1F+SirkuIDuYOhPD3Uws+8cLVhX/CnVdjqDMc83kwSqBt6t1EEb SGToAYXuIReR7MVZ6aBaEgkdFEouyvBh8JtlLAnm7CC0VLkG50cTOCHQjczezT/F 7YcdQ1EksXoa9IWb35PrmiLPw7iKnrTaIFfFH1+hJPjHst5QJ6pzwM4kDfY77Tpd +RjgPDRo+1sYBHSqG26dWhkuqNXNjr3AMl3G+IZXdBy7LIiRvsV5fN6SZaGCNOhd mtiJPtUxBigpNKtzkg0R72Jp9bOaYE8jqHdQfnOdtYiy2Kn+F7kwgm+dEfvMqHU8 rhBREAIf66DoXZGPZR7WH+8rLLyQgpq4qsEq2fTQZygpCUDBE4EXhEU4l+3jvFuH 9q00FcRAlT/u9rRqmTv0Z825zRztrdUasq/xrAQeOwJk0QFhJfU= =SGxM -----END PGP SIGNATURE-----