-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3857
          fusiondirectory security update and rebuild for php-cas
                               10 July 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fusiondirectory
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-39369 CVE-2022-36180 CVE-2022-36179

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/07/msg00009.html

Comment: CVSS (Max):  9.8 CVE-2022-36179 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3487-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Abhijith PA
                                                             Tobias Frost
July 08, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : fusiondirectory
Version        : 1.2.3-4+deb10u2
CVE ID         : CVE-2022-36179 CVE-2022-36180
Debian Bug     :

A potential Cross Site Scripting (XSS) vulnerability (CVE-2022-36180) and a
session handling vulnerability (CVE-2022-36179) have been found in
fusiondirectory, a web-based LDAP administration program.

Additionally, fusiondirectory has been updated to address the API change
in php-cas due to CVE-2022-39369; see DLA 3485-1 for details.

As a result, if CAS authentication is used, fusiondirectory will stop
working until the following steps are done:

- make sure to install the updated fusiondirectory-schema package for
  buster.

- update the fusiondirectory core schema in LDAP by running
    fusiondirectory-insert-schema -m

- switch to using the new php-cas API by running
    fusiondirectory-setup --set-config-CasLibraryBool=TRUE

- set the CAS ClientServiceName to the base URL of the fusiondirectory
  installation, for example:
    fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/"

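The steps above, assembled into one script for a CAS-enabled installation on Debian 10 buster. This is an added example, not part of the Debian advisory or of the fusiondirectory project: it upgrades the packages with apt-get, runs the advisory's commands in the order given, and refuses to set the CAS ClientServiceName unless the value is an https base URL with a trailing slash, the shape of the advisory's example. The URL check, the DRY_RUN switch and the fd_* function names are this script's own assumptions, not fusiondirectory features.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): post-upgrade steps for a
# CAS-enabled fusiondirectory on Debian 10 buster, in the advisory's order.
# The command and option names come from the advisory; the URL check and
# the DRY_RUN switch are assumptions of this script.
set -e

# Accept only "https://host/..." with a trailing slash, matching the form
# of the advisory's example (assumption: stricter than fusiondirectory-setup
# itself, which accepts any string).
fd_validate_service_name() {
    case "$1" in
        https://*/) ;;                        # https scheme, ends in "/"
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*|https:///*) return 1 ;; # whitespace or empty host
    esac
    return 0
}

# Run a command, or only print it when DRY_RUN=1, so the whole sequence can
# be reviewed before it touches LDAP or the fusiondirectory configuration.
fd_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Upgrade the packages, then apply the advisory's three configuration steps.
# Returns 2 without running anything if the service name is malformed.
fd_cas_migrate() {
    url="$1"
    fd_validate_service_name "$url" || {
        echo "refusing CasClientServiceName '$url': expected https://host/ with trailing slash" >&2
        return 2
    }
    fd_run apt-get update
    fd_run apt-get install fusiondirectory fusiondirectory-schema
    fd_run fusiondirectory-insert-schema -m
    fd_run fusiondirectory-setup --set-config-CasLibraryBool=TRUE
    fd_run fusiondirectory-setup "--set-config-CasClientServiceName=$url"
}

# Usage: DRY_RUN=1 sh fd-cas-migrate.sh https://fusiondirectory.example.org/
# (drop DRY_RUN=1 to apply the changes as root)
if [ "$#" -ge 1 ]; then
    fd_cas_migrate "$1"
fi
```

Run it once with DRY_RUN=1 to see the exact commands it will issue; the URL check exists because the CAS service name must match the base URL the browser actually uses, and a value with the wrong scheme or a missing trailing slash is the kind of mistake that only shows up as a failed CAS login after the upgrade.
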
For Debian 10 buster, these problems have been fixed in version
1.2.3-4+deb10u2.

We recommend that you upgrade your fusiondirectory packages.

For the detailed security status of fusiondirectory please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fusiondirectory

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZKt05ckNZI30y1K9AQheQRAAtmXtHAY+YMfGpDDxRVYLQnHizYUh3C6+
tH18rygmsfjKzwIDq8aScJHbJTHnYcxWWEdNOXHpafdtxcrOAYIkVZlJ+gdK/DcG
lNEWLBYTnsZU0z+/0A7RQhLURgoPtiUuj+WGvA1KQ/IRBPIs+nHHVhiVAjf/vTbV
RyIPxgbUkTFYESFeOYDnAKoBio2kZkuwxOMpQYo3eNYPz4gU79CYPIc0cUJW9DLi
zEyW3dtTc+JH7lUQGMl2pszUsJYls8zNSqaNFiyNzrzHarR5KCeEPFX4wFPDKcjJ
6wDzuMDvLm2yrSu8IEazR6QzNF6XaKjTPy7U1Miis3zofujO0D5J5zVEXgYWjxmq
YNm2C3bpNrhmbmdRgKYEdL0T5aDMB9RInXWy6N6SK1qBKUqmL3jhKGYmCggl4OvV
wXw3XQJNZbwdMMg1oHR4/OoVxCpOhhMa04Jd2vt5LuKN20WUu7o6Ww/dnusbu6L0
JqCKLixtuC0fp93JuATN0t8uIr0tpTwwSsp7TxF3qYfGwbFqPqNpfIWQJI4dbghT
TYm33qELoEcjImIxi+1qKZR2U5ZlWUvSP5IsbdohEUgNnAZCVyuTriXjJ3Uo5Rm6
GXBZ6H4w7teG57SZq9nkVyKjXgt1N+d64DS7z3byW4K8giQHLVleBOQkGGJBflQS
3vo0obTs2Vs=
=jFcP
-----END PGP SIGNATURE-----