ldap-account-manager - Debian Package Tracker

general

source: ldap-account-manager (main)
version: 9.0-1
maintainer: Roland Gruber (DMD)
arch: all
std-ver: 4.7.0
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 8.0.1-0+deb11u1
o-o-sec: 8.0.1-0+deb11u1
oldstable: 8.3-1
stable: 9.0-1
testing: 9.0-1
unstable: 9.0-1

versioned links

8.0.1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ldap-account-manager (2 bugs: 0, 0, 2, 0)
ldap-account-manager-lamdaemon

action needed

A new upstream version is available: 9.5.1..1 high

A new upstream version 9.5.1..1 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-03-22 18:01

3 security issues in trixie high

There are 3 open security issues in trixie.

2 important issues:

CVE-2026-27894: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
CVE-2026-27895: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

1 issue left for the package maintainer to handle:

CVE-2025-58174: (needs triaging) LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-09-16 Last update: 2026-03-21 14:03

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2025-58174: LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
CVE-2026-27894: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
CVE-2026-27895: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

Created: 2025-09-16 Last update: 2026-03-21 14:03

3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:

CVE-2025-58174: LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
CVE-2026-27894: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
CVE-2026-27895: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

Created: 2025-09-16 Last update: 2026-03-21 14:03

4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:

CVE-2026-27894: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

2 issues postponed or untriaged:

CVE-2024-23333: (needs triaging) LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.
CVE-2025-58174: (postponed; to be fixed through a stable update) LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.

1 ignored issue:

CVE-2024-52792: LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`. The values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2026-03-18 Last update: 2026-03-21 14:03

4 security issues in bookworm high

There are 4 open security issues in bookworm.

1 important issue:

CVE-2026-27894: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

2 issues left for the package maintainer to handle:

CVE-2024-23333: (needs triaging) LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.
CVE-2025-58174: (needs triaging) LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2024-52792: LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`. The values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2024-03-19 Last update: 2026-03-21 14:03

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-01-07 Last update: 2026-03-22 21:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-04-10 Last update: 2025-04-10 14:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-12-23 20:00

news

[rss feed]

[2025-01-12] ldap-account-manager 9.0-1 MIGRATED to testing (Debian testing watch)
[2025-01-07] Accepted ldap-account-manager 9.0-1 (source) into unstable (Roland Gruber) (signed by: Tiago Bortoletto Vaz)
[2024-05-03] ldap-account-manager 8.7-1 MIGRATED to testing (Debian testing watch)
[2024-04-27] ldap-account-manager REMOVED from testing (Debian testing watch)
[2024-03-27] ldap-account-manager 8.7-1 MIGRATED to testing (Debian testing watch)
[2024-03-24] Accepted ldap-account-manager 8.7-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2023-12-21] ldap-account-manager 8.6-1 MIGRATED to testing (Debian testing watch)
[2023-12-18] Accepted ldap-account-manager 8.6-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2023-11-29] ldap-account-manager 8.5-1 MIGRATED to testing (Debian testing watch)
[2023-11-26] Accepted ldap-account-manager 8.5-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2023-08-29] ldap-account-manager REMOVED from testing (Debian testing watch)
[2023-04-23] ldap-account-manager 8.3-1 MIGRATED to testing (Debian testing watch)
[2023-04-03] Accepted ldap-account-manager 8.3-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-12-20] ldap-account-manager 8.2-1 MIGRATED to testing (Debian testing watch)
[2022-12-15] Accepted ldap-account-manager 8.2-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-10-16] ldap-account-manager 8.1-1 MIGRATED to testing (Debian testing watch)
[2022-10-14] Accepted ldap-account-manager 8.1-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-08-09] ldap-account-manager 8.0.1-1.1 MIGRATED to testing (Debian testing watch)
[2022-08-07] Accepted ldap-account-manager 8.0.1-1.1 (source) into unstable (Salvatore Bonaccorso)
[2022-07-11] Accepted ldap-account-manager 8.0.1-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Fabio Tranchitella)
[2022-07-05] Accepted ldap-account-manager 8.0.1-0+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Fabio Tranchitella)
[2022-07-04] Accepted ldap-account-manager 8.0.1-1 (source all) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-04-18] ldap-account-manager 7.9.1-1 MIGRATED to testing (Debian testing watch)
[2022-04-16] Accepted ldap-account-manager 7.9.1-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-04-11] ldap-account-manager 7.9-1 MIGRATED to testing (Debian testing watch)
[2022-04-09] Accepted ldap-account-manager 7.9-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2022-03-15] ldap-account-manager REMOVED from testing (Debian testing watch)
[2021-10-06] ldap-account-manager 7.7-1 MIGRATED to testing (Debian testing watch)
[2021-10-04] Accepted ldap-account-manager 7.7-1 (source) into unstable (Roland Gruber) (signed by: Fabio Tranchitella)
[2021-08-16] ldap-account-manager 7.5-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 5
RC: 1
I&N: 1
M&W: 3
F&P: 0
patch: 1

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, -)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.0-1build1
1 bug