Debian Security Advisory

DSA-4762-1 lemonldap-ng -- security update

Date Reported:
07 Sep 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-24660.
More information:

It was discovered that the default configuration files for running the Lemonldap::NG Web SSO system on the Nginx web server were susceptible to authorisation bypass of URL access rules. The Debian packages do not use Nginx by default.

For the stable distribution (buster), this problem has been fixed in version 2.0.2+ds-7+deb10u5, this update provides fixed example configuration which needs to be integrated into Lemonldap::NG deployments based on Nginx.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to its security tracker page at: