CVE-2020-16093

NameCVE-2020-16093
DescriptionIn LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3287-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lemonldap-ng (PTS)bullseye2.0.11+ds-4+deb11u5fixed
bullseye (security)2.0.11+ds-4+deb11u7fixed
bookworm, bookworm (security)2.16.1+ds-deb12u6fixed
sid, trixie2.21.1+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lemonldap-ngsourcebuster2.0.2+ds-7+deb10u8DLA-3287-1
lemonldap-ngsource(unstable)2.0.9+ds-1

Notes

[stretch] - lemonldap-ng <no-dsa> (Minor issue + 2.x is a complete re-write, so very hard to backport!)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250
Search for package or bug name: Reporting problems