CVE-2020-36659

NameCVE-2020-36659
DescriptionIn Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3285-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache-session-browseable-perl (PTS)bullseye1.3.8-1fixed
bookworm1.3.11-3fixed
sid, trixie1.3.14-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache-session-browseable-perlsourcebuster1.3.0-1+deb10u1DLA-3285-1
libapache-session-browseable-perlsource(unstable)1.3.7-1

Notes

Fixed by: https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f (v1.3.6)
Regression follow-up: https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/c73e05c1363cd59e437aa1ea5ea0d260d62d5ee6 (v1.3.7)

Search for package or bug name: Reporting problems