lemonldap-ng (2.0.2+ds-7+deb10u5) buster-security; urgency=high

  The lemonldap-ng community fixed a vulnerability in the Nginx default
  configuration files (CVE-2020-24660). The Debian package does not install
  any default site, but the documentation provided insecure examples of
  Nginx configuration before this version. If you use the lemonldap-ng
  handler with Nginx, you should verify your configuration files.

  The upstream community recommends fixing the X_ORIGINAL_URI variable:

    location = /lmAuth {
      fastcgi_param X_ORIGINAL_URI $request_uri;
      # or uwsgi_param X_ORIGINAL_URI $original_uri;
      ...
    }
    location = /protected-area {
      set $original_uri $uri$is_args$args;
      ...
    }

  The updated example file is installed in the documentation:
  /usr/share/doc/lemonldap-ng-handler/examples/test-nginx.conf

  See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 for more.

 -- Xavier Guimard  Mon, 07 Sep 2020 11:16:03 +0200

lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium

  This version fixes 3 security issues. However, you must verify 2 things:

  * if you enabled SOAP/REST plugins, verify in your portal web configuration
    file that they are well protected (see the new default configuration
    files: /etc/lemonldap-ng/portal-apache2.X.conf and
    /etc/lemonldap-ng/portal-nginx.conf)

  * if you enabled the OpenID-Connect identity provider, your relying parties
    must have a redirection URI. You just have to save a new configuration
    using the manager, and automatic tests will fail if one relying party is
    misconfigured.

 -- Xavier Guimard  Fri, 20 Dec 2019 18:12:54 +0100

lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium

  2.0 is a major release; many things have been changed. You must read
  https://lemonldap-ng.org/documentation/2.0/upgrade before upgrading.

 -- Xavier Guimard  Mon, 30 Oct 2018 12:48:25 +0100

lemonldap-ng (1.9.2-1) unstable; urgency=medium

  The liblemonldap-ng-handler-perl package has been split into:

  - lemonldap-ng-handler, which provides the web server configuration
  - liblemonldap-ng-handler-perl, which provides the Perl libraries only

 -- Xavier Guimard  Sat, 16 Apr 2016 21:18:28 +0200

lemonldap-ng (1.9.1-1) unstable; urgency=medium

  1) Configuration and sessions storage

  From now on, Lemonldap::NG uses JSON serialization to store configuration
  and sessions instead of the Storable::nfreeze Perl function. This permits
  one to have heterogeneous servers connected to the same LLNG organization
  (32/64 bits or different Perl versions). The old format still works but:

  * configuration backends: the new format is applied at the first
    configuration save,
  * sessions storages: the new format is applied for each new session or
    when updating an existing session.

  You can force LemonLDAP::NG to keep the old serialization method by setting
  useStorable to 1 in the sessions backend options if you have some custom
  hooks. Note that this behaviour only affects the modules
  Apache::Session::File, SQL database and Apache::Session::LDAP.

  If you have more than one server and don't want to stop the SSO service,
  start upgrading in the following order:

  * servers that have only handlers;
  * portal servers (all together if your load balancer doesn't keep state
    by user or client IP and if users use the menu);
  * manager server

  2) Manage Ajax requests when sessions expire

  To request authentication, handlers sent a 302 HTTP code even if the
  request was an Ajax one. From now on, after redirection, the portal will
  send a 401 code with a WWW-Authenticate header containing
  "SSO portal-URL". This is a little HTTP protocol hook created because
  browsers follow redirections transparently. If you want to keep the old
  behaviour, set noAjaxHook to 1 (in General Parameters -> Advanced ->
  Handler redirections -> Keep redirections for Ajax).

  3) New "Multi" authentication scheme

  The Multi backend configuration has changed. Now the stacks are defined in
  separate attributes:

  * multiAuthStack
  * multiUserDBStack

  So an old configuration like this:

    authentication = Multi LDAP;DBI
    userDB = Multi LDAP;DBI

  must be replaced by:

    authentication = Multi
    userDB = Multi
    multiAuthStack = LDAP;DBI
    multiUserDBStack = LDAP;DBI

  4) Form replay

  Management of form replay has been rewritten. If you use this experimental
  feature, you must edit your configuration and rewrite it.

 -- Xavier Guimard  Mon, 07 Mar 2016 07:12:08 +0100

lemonldap-ng (1.4.6-1) unstable; urgency=medium

  Handler files "My::Package" are no longer installed by default, as a
  generic module "Lemonldap::NG::Handler" is now available. It is therefore
  necessary either to modify the Apache configuration files to use
  "Lemonldap::NG::Handler" or to create your own Perl modules using the
  provided example files.

 -- Xavier Guimard  Mon, 29 Dec 2014 17:10:00 +0100

lemonldap-ng (1.2.2-3) unstable; urgency=low

  Example files (Apache configuration and default handler files) are no
  longer installed in /var/lib/lemonldap-ng/handler but are available as
  example files.

 -- Xavier Guimard  Wed, 05 Dec 2012 06:27:45 +0100

lemonldap-ng (1.2.2-2) unstable; urgency=low

  Since 1.2.2, LemonLDAP::NG uses the 'Demo' authentication backend by
  default and the manager is protected by default by LemonLDAP::NG. So for
  an unconfigured installation, you have to use the dwho account to access
  the manager (password dwho).

 -- Xavier Guimard  Thu, 29 Nov 2012 06:22:45 +0100
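The deb10u5 entry above asks administrators using the Nginx handler to verify their configuration files against the recommended X_ORIGINAL_URI setting. The following checker is an added example written for this page, not code shipped by the lemonldap-ng project or the Debian package. It encodes only what the entry states: X_ORIGINAL_URI must be passed as $request_uri, or as $original_uri provided the protected location sets that variable to $uri$is_args$args. The three configuration snippets embedded in it are constructed for the demonstration; the "other value" in the failing sample is an assumption chosen to exercise the check and is not a claim about what the old documentation contained.

```python
"""Check Nginx site files for the X_ORIGINAL_URI advice from the lemonldap-ng NEWS entry.

Added example: flags any fastcgi_param/uwsgi_param X_ORIGINAL_URI whose value is not
$request_uri, and, when $original_uri is used, checks that a matching
'set $original_uri $uri$is_args$args;' exists in the same file.
"""
import re
import sys
from typing import List

SAFE_DIRECT = "$request_uri"          # value recommended directly in the NEWS entry
SAFE_INDIRECT = "$original_uri"       # allowed if the protected location sets it
EXPECTED_SET = "$uri$is_args$args"    # what 'set $original_uri ...' must assign

# One directive per line is assumed; values run up to the terminating ';'.
PARAM_RE = re.compile(r'^\s*(?:fastcgi|uwsgi)_param\s+X_ORIGINAL_URI\s+(\S+?)\s*;', re.M)
SET_RE = re.compile(r'^\s*set\s+\$original_uri\s+(\S+?)\s*;', re.M)


def strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out alternative is not treated as active."""
    return re.sub(r'#.*', '', conf)


def check_original_uri(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the file matches the advice."""
    findings: List[str] = []
    text = strip_comments(conf)
    params = PARAM_RE.findall(text)
    sets = SET_RE.findall(text)

    if not params:
        findings.append("no X_ORIGINAL_URI parameter found for the handler location")

    for value in params:
        if value == SAFE_DIRECT:
            continue
        if value == SAFE_INDIRECT:
            if not sets:
                findings.append("X_ORIGINAL_URI uses $original_uri but no "
                                "'set $original_uri ...;' was found")
            for assigned in sets:
                if assigned != EXPECTED_SET:
                    findings.append(f"$original_uri is set to {assigned!r}, "
                                    f"expected {EXPECTED_SET!r}")
            continue
        findings.append(f"X_ORIGINAL_URI is set to {value!r}; "
                        f"use {SAFE_DIRECT} or {SAFE_INDIRECT}")
    return findings


def check_file(path: str) -> List[str]:
    """Run the check on a configuration file on disk (e.g. a site under /etc/nginx)."""
    with open(path, encoding="utf-8") as fh:
        return check_original_uri(fh.read())


# --- constructed samples (not from the package's example file) -----------------
FIXED_CONF = """
location = /lmAuth {
  fastcgi_param X_ORIGINAL_URI $request_uri;
  # or uwsgi_param X_ORIGINAL_URI $original_uri;
}
location = /protected-area {
  set $original_uri $uri$is_args$args;
}
"""

INDIRECT_CONF = """
location = /lmAuth {
  uwsgi_param X_ORIGINAL_URI $original_uri;
}
location = /protected-area {
  set $original_uri $uri$is_args$args;
}
"""

# Assumed-bad sample: passes a value other than the two recommended forms.
OTHER_VALUE_CONF = """
location = /lmAuth {
  fastcgi_param X_ORIGINAL_URI $uri;
}
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for finding in check_file(path) or ["ok"]:
                print(f"{path}: {finding}")
    else:
        for name, conf in (("fixed", FIXED_CONF), ("indirect", INDIRECT_CONF),
                           ("other-value", OTHER_VALUE_CONF)):
            print(name, check_original_uri(conf) or "ok")
```

Run it with one or more site file paths as arguments to scan a real deployment; without arguments it reports on the embedded samples. The check is deliberately narrow: it only confirms that the variable is wired the way the entry recommends, and it does not replace reviewing the updated test-nginx.conf shipped under /usr/share/doc/lemonldap-ng-handler/examples.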