===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3630
                       lemonldap-ng security update
                             26 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lemonldap-ng
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15941  

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4533

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running lemonldap-ng check for an updated version of the software 
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4533-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 25, 2019                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lemonldap-ng
CVE ID         : CVE-2019-15941

It was discovered that the Lemonldap::NG web SSO system did not restrict
OIDC authorization codes to the relying party.

For the stable distribution (buster), this problem has been fixed in
version 2.0.2+ds-7+deb10u2.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
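
Added example (not part of the Debian advisory and not Lemonldap::NG code or its patch): a minimal sketch of the check the advisory says was missing, binding each OIDC authorization code to the relying party it was issued to, as RFC 6749 section 4.1.3 requires at the token endpoint. The class, method names, TTL and sample client values are hypothetical.

```python
import secrets
import time

CODE_TTL = 60  # seconds; constructed value for this example


class InvalidGrant(Exception):
    """Maps to the OAuth 2.0 'invalid_grant' token-endpoint error."""


class CodeStore:
    """Hypothetical in-memory store of issued authorization codes."""

    def __init__(self):
        self._codes = {}

    def issue(self, client_id, redirect_uri, subject, now=None):
        # Record which relying party the code was issued to.
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "subject": subject,
            "expires": now + CODE_TTL,
        }
        return code

    def redeem_unbound(self, code):
        # Flawed form: any client holding the code gets the subject's grant.
        rec = self._codes.pop(code, None)
        if rec is None:
            raise InvalidGrant("unknown code")
        return rec["subject"]

    def redeem(self, code, client_id, redirect_uri, now=None):
        # client_id must be the identity established by client authentication
        # at the token endpoint, not a value taken from the request body alone.
        now = time.time() if now is None else now
        rec = self._codes.pop(code, None)  # single use, consumed even on failure
        if rec is None:
            raise InvalidGrant("unknown or already used code")
        if now > rec["expires"]:
            raise InvalidGrant("code expired")
        if rec["client_id"] != client_id:
            raise InvalidGrant("code was issued to a different relying party")
        if rec["redirect_uri"] != redirect_uri:
            raise InvalidGrant("redirect_uri does not match the authorization request")
        return rec["subject"]
```
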

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================