[SECURITY] [DLA 1790-1] lemonldap-ng security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : lemonldap-ng
Version : 1.3.3-1+deb9u1
CVE ID : CVE-2019-12046
Debian Bug : 928944
Erratum: bad versions
An attack vector was discovered by lemonldap-ng developers. When the SAML
or CAS service provider is enable and the administrator has chosen to store
SAML/CAS tokens in the session database, an attacker can open an anonymous
session to connect to any protected application that does not have specific
access rules.
For Debian 8 "Jessie", this problem has been fixed in version
1.3.3-1+deb9u1.
We recommend that you upgrade your lemonldap-ng packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlzgWiQACgkQ9tdMp8mZ
7ulIEQ/+IqGPDKx4jthbTsL8leSysxw8JpgUwyJ6iWOGQ68nP05W08Ldhd47mT33
NW+bFfoYYBdu3UDVCytIHAHBDu5LD7ekhWJ6kLGvGK/NALoQ1P8RmO9xTVIJpgjV
SVr17IkHbspy8ZFkuHk/kOu0tmbU/C7SeaNVbGwXpoNv3yQgTucspcLLXsBJ7nEk
GDjUCYLiPi7v7zrPEAq4SFlBFiCfQ6T39FhWkYBM5Pt00TCPa5vB8zIQ8Bgepy5A
WJpJiVTZSxhVjQLpEluzy2cFrGmeUuWvZvWK3N/DDAGo+KV6j0365M3S6hb5UHuE
jCYBJ/3KRTaISYHr8GAgAmLCeS2WGAnUb+gYkD7xq5gYSpz0vtaN6C6tlB9RXHdx
7exel6e1lcWn1NuQl2CxqByRo/FDYDtCfHMjSWSKCYB4auHHRWsi6unvpRSD8tkK
Vt2T88nKMjlvYClD7ykk2OXNbiann2vWBlzlYVPL3T4Bpm9P0RJlGXMYnvqopbd5
EfyxrhSGJbxhOcs5bn54XY9UJKfPZxaeE67Oab4iSpVytDR6wwXskuPw98rM4H8y
NgmkL/xe0z+5DoMuULfmT5FkHodBHt8kvk4gJYPj+zFk9yPcZlf93svDJE/vvQxI
4RhIoPJVfAAxLidit+xF9eIXviFZw84KkPeOqHtsxfbMWo4E5UA=
=vw2j
-----END PGP SIGNATURE-----
Reply to: