lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium

  Custom templates may be vulnerable to XSS injection when the default
  allowed characters have been changed. To fix this, replace every by

 -- Yadd  Tue, 15 Oct 2024 19:27:47 +0200

lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium

  A feature of OIDC allows the OpenID Provider to fetch the Authorization
  request parameters itself from a URL given in the request_uri parameter.
  By default, this feature is now restricted to a white list. See the
  Relying-Party security options to fill this field.

 -- Yadd  Fri, 29 Sep 2023 17:15:03 +0400

lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium

  CVE-2020-24660

  The lemonldap-ng community fixed a vulnerability in the Nginx default
  configuration files (CVE-2020-24660). The Debian package does not install
  any default site, but the documentation shipped bad Nginx configuration
  examples before this version. If you use the lemonldap-ng handler with
  Nginx, you should verify your configuration files. Upstream recommends
  fixing the X_ORIGINAL_URI variable:

    location = /lmAuth {
      fastcgi_param X_ORIGINAL_URI $request_uri;
      # or
      uwsgi_param X_ORIGINAL_URI $original_uri;
      ...
    }

    location = /protected-area {
      set $original_uri $uri$is_args$args;
      ...
    }

  The updated example file is installed in the documentation:
  /usr/share/doc/lemonldap-ng-handler/examples/test-nginx.conf

  CVE-2020-16093

  LDAP server certificates were previously not verified by default when
  using secure transports (LDAPS or TLS). Starting from this release,
  certificate validation is enabled by default, including on existing
  installations. If your CA certificates are configured incorrectly,
  LemonLDAP::NG will now complain about invalid certificates.
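The white list described in the 2.16.1+ds-deb12u2 entry above, as an added example that is not code from LemonLDAP::NG or from the Debian package: an OpenID Provider that fetches any request_uri it is handed can be pointed at URLs of the client's choosing, and a per-Relying-Party allow list closes that. The configuration layout, the https requirement, the exact-match rule and every function name below are assumptions of this example, not LLNG option names; the weak prefix-matching variant is included only to show the bypass an exact match prevents.

```python
"""Allow-list check for the OIDC request_uri parameter.

Added example, not code from LemonLDAP::NG or the Debian package. It shows
what the white list from the 2.16.1+ds-deb12u2 note restores: the OpenID
Provider fetches a request_uri only when it is listed for that Relying Party.
The configuration layout, the https requirement, the exact-match rule and
all function names are assumptions, not LLNG option names.
"""
from urllib.parse import urlsplit

# Constructed per-Relying-Party configuration (hypothetical layout).
RP_CONFIG = {
    "rp-example": {"request_uris": ["https://rp.example.com/oidc/request.jwt"]},
    "rp-legacy": {"request_uris": []},  # request_uri never allowed for this RP
}


def naive_prefix_allowed(rp_id: str, request_uri: str) -> bool:
    """Weak variant: accept anything that starts with a listed URI's origin.

    Kept only to show the bypass in __main__ below; do not use.
    """
    rp = RP_CONFIG.get(rp_id, {"request_uris": []})
    for allowed in rp["request_uris"]:
        parts = urlsplit(allowed)
        origin = f"{parts.scheme}://{parts.netloc}"
        if request_uri.startswith(origin):
            return True
    return False


def request_uri_allowed(rp_id: str, request_uri: str) -> bool:
    """Strict variant: the value must equal one of the RP's listed URIs.

    Exact comparison refuses anything that merely shares a host, a prefix
    or a path with a listed URI, and an unknown RP gets nothing.
    """
    rp = RP_CONFIG.get(rp_id)
    return rp is not None and request_uri in rp["request_uris"]


def classify_request_uri(rp_id: str, request_uri: str) -> str:
    """Say whether the OP would fetch this request_uri, and why not otherwise.

    Without a white list the OP fetches whatever URL it is handed, so a
    client can point it at hosts the OP can reach but the client cannot.
    """
    if urlsplit(request_uri).scheme != "https":  # assumption: https only
        return "reject: request_uri must use https"
    if request_uri_allowed(rp_id, request_uri):
        return "fetch: request_uri is on the RP white list"
    return "reject: request_uri is not on the RP white list"


if __name__ == "__main__":
    # Constructed inputs; the last one is the prefix-match bypass.
    samples = [
        ("rp-example", "https://rp.example.com/oidc/request.jwt"),
        ("rp-example", "https://rp.example.com/oidc/request.jwt?v=2"),
        ("rp-example", "http://10.0.0.5/request.jwt"),
        ("rp-legacy", "https://rp.example.com/oidc/request.jwt"),
        ("rp-example", "https://rp.example.com.attacker.example/request.jwt"),
    ]
    for rp_id, uri in samples:
        strict = classify_request_uri(rp_id, uri)
        naive = "accept" if naive_prefix_allowed(rp_id, uri) else "reject"
        print(f"{rp_id:10} {uri:60} strict={strict!r} naive_prefix={naive}")
```

The last sample is the point of the exact match: `https://rp.example.com.attacker.example/...` begins with the legitimate origin string, so a prefix check lets it through while the strict check does not. Whatever matching rule the real option uses, verify it with a registered URI, a query-string variant and a look-alike host before relying on it.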
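A way to do the verification the CVE-2020-24660 note in the 2.0.9+ds-1 entry above asks for, as an added example that is not part of the Debian package or of LemonLDAP::NG: it lints an Nginx configuration for the X_ORIGINAL_URI setting and reports anything that is not the recommended form (`$request_uri`, or `$original_uri` set to `$uri$is_args$args` in the protected location). The function names and both sample configurations are mine; the "bad" sample is constructed to trip the checks and is not the historical example file.

```python
"""Lint an Nginx handler configuration for the X_ORIGINAL_URI setting.

Added example, not part of the Debian package or of LemonLDAP::NG. It checks
only what the CVE-2020-24660 note in the 2.0.9+ds-1 entry says: X_ORIGINAL_URI
must be taken from $request_uri (fastcgi_param) or from a $original_uri
variable that the protected location sets to $uri$is_args$args. The function
names and the sample configurations are mine; the "bad" sample is constructed
to trip the checks and is not the historical example file.
"""
import re

PARAM_RE = re.compile(
    r"^\s*(fastcgi_param|uwsgi_param)\s+X_ORIGINAL_URI\s+(\S+?)\s*;"
)
SET_RE = re.compile(r"^\s*set\s+\$original_uri\s+(\S+?)\s*;")
EXPECTED_SET = "$uri$is_args$args"


def lint_x_original_uri(conf_text: str) -> list:
    """Return (line_number, message) findings sorted by line; [] means clean."""
    findings = []
    original_uri_set = False
    original_uri_users = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        m = SET_RE.match(code)
        if m:
            if m.group(1) == EXPECTED_SET:
                original_uri_set = True
            else:
                findings.append((lineno, f"set $original_uri should be "
                                         f"{EXPECTED_SET}, found {m.group(1)}"))
            continue
        m = PARAM_RE.match(code)
        if not m:
            continue
        value = m.group(2)
        if value == "$request_uri":
            continue
        if value == "$original_uri":
            original_uri_users.append(lineno)
            continue
        if value.startswith("$http_"):
            # $http_* variables are copied from the client's request headers.
            findings.append((lineno, f"X_ORIGINAL_URI comes from "
                                     f"client-controlled {value}"))
        else:
            findings.append((lineno, f"X_ORIGINAL_URI is {value}, expected "
                                     f"$request_uri or $original_uri"))
    if original_uri_users and not original_uri_set:
        for lineno in original_uri_users:
            findings.append((lineno, f"$original_uri used but never set "
                                     f"to {EXPECTED_SET}"))
    return sorted(findings)


# Constructed sample in the corrected form from the note above.
GOOD_CONF = """\
location = /lmAuth {
  fastcgi_param X_ORIGINAL_URI $request_uri;
}
location /protected-area {
  set $original_uri $uri$is_args$args;
  auth_request /lmAuth;
}
"""

# Constructed sample that deviates from it in two ways.
BAD_CONF = """\
location = /lmAuth {
  uwsgi_param X_ORIGINAL_URI $original_uri;  # never set below
}
location = /lmAuthOther {
  fastcgi_param X_ORIGINAL_URI $uri;  # normalized URI, no query string
}
location /protected-area {
  auth_request /lmAuth;
}
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        findings = lint_x_original_uri(conf)
        print(f"{name}: {'clean' if not findings else ''}")
        for lineno, message in findings:
            print(f"  line {lineno}: {message}")
```

Run it over the real site files rather than the samples (read each file and pass its text to `lint_x_original_uri`); the checker is deliberately strict, so a finding means "compare with test-nginx.conf", not necessarily "exploitable".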
  You may temporarily disable certificate validation again with the
  following command:

    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none

  If you use LDAP as a session backend, you are strongly encouraged to also
  upgrade the corresponding Apache::Session module (Apache::Session::LDAP
  0.5 or libapache-session-browseable-perl 1.3.8). After this upgrade, if
  you want to temporarily disable certificate validation, add the following
  parameter to the list of Apache::Session module options:
    - key: ldapVerify
    - value: none

 -- Xavier Guimard  Mon, 07 Sep 2020 09:35:09 +0200

lemonldap-ng (2.0.5+ds-2) unstable; urgency=medium

  Since version 2.0.5, lemonldap-ng includes some improvements in its
  cryptographic functions. To take advantage of them, you must change the
  encryption key of LemonLDAP::NG and restart all your servers.

 -- Xavier Guimard  Sun, 30 Jun 2019 14:30:55 +0200

lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium

  2.0 is a major release; many things have changed. You must read
  https://lemonldap-ng.org/documentation/2.0/upgrade before upgrading.

 -- Xavier Guimard  Mon, 30 Oct 2018 12:48:25 +0100

lemonldap-ng (1.9.2-1) unstable; urgency=medium

  The liblemonldap-ng-handler-perl package has been split into:
    - lemonldap-ng-handler, which provides the web server configuration
    - liblemonldap-ng-handler-perl, which provides the Perl libraries only

 -- Xavier Guimard  Sat, 16 Apr 2016 21:18:28 +0200

lemonldap-ng (1.9.1-1) unstable; urgency=medium

  1) Configuration and sessions storage

  From now on, Lemonldap::NG uses JSON serialization to store configuration
  and sessions instead of the Storable::nfreeze Perl function. This permits
  heterogeneous servers (32/64 bits or different Perl versions) to be
  connected to the same LLNG organization. The old format still works, but:
    * configuration backends: the new format is applied at the first
      configuration save,
    * sessions storages: the new format is applied for each new session or
      when an existing session is updated.
  You can force LemonLDAP::NG to keep the old serialization method by
  setting useStorable to 1 in the sessions backend options if you have
  custom hooks. Note that this behaviour only affects the
  Apache::Session::File module, SQL databases and Apache::Session::LDAP.

  If you have more than one server and don't want to stop the SSO service,
  upgrade in the following order:
    * servers that have only handlers;
    * portal servers (all together if your load balancer doesn't keep state
      per user or client IP and if users use the menu);
    * manager server.

  2) Manage Ajax requests when sessions expire

  To request authentication, handlers sent a 302 HTTP code even if the
  request was an Ajax one. From now on, after the redirection, the portal
  sends a 401 code with a WWW-Authenticate header containing
  "SSO portal-URL". This is a small HTTP protocol hook, created because
  browsers follow redirections transparently. If you want to keep the old
  behaviour, set noAjaxHook to 1 (in General Parameters -> Advanced ->
  Handler redirections -> Keep redirections for Ajax).

  3) New "Multi" authentication scheme

  The Multi backend configuration has changed. The stacks are now defined
  in separate attributes:
    * multiAuthStack
    * multiUserDBStack

  So an old configuration like this:

    authentication = Multi LDAP;DBI
    userDB = Multi LDAP;DBI

  must be replaced by:

    authentication = Multi
    userDB = Multi
    multiAuthStack = LDAP;DBI
    multiUserDBStack = LDAP;DBI

  4) Form replay

  Management of form replay has been rewritten. If you use this experimental
  feature, you must edit your configuration and rewrite it.

 -- Xavier Guimard  Mon, 07 Mar 2016 07:12:08 +0100

lemonldap-ng (1.4.6-1) unstable; urgency=medium

  Handler files "My::Package" are no longer installed by default, as a
  generic "Lemonldap::NG::Handler" module is now available. It is therefore
  necessary either to modify the Apache configuration files to use
  "Lemonldap::NG::Handler" or to create your own Perl modules using the
  provided example files.
 -- Xavier Guimard  Mon, 29 Dec 2014 17:10:00 +0100

lemonldap-ng (1.2.2-3) unstable; urgency=low

  Example files (Apache configuration and default handler files) are no
  longer installed in /var/lib/lemonldap-ng/handler but are available as
  example files.

 -- Xavier Guimard  Wed, 05 Dec 2012 06:27:45 +0100

lemonldap-ng (1.2.2-2) unstable; urgency=low

  Since 1.2.2, LemonLDAP::NG uses the 'Demo' authentication backend by
  default and the manager is protected by LemonLDAP::NG by default. So for
  an unconfigured installation, you have to use the dwho account
  (password dwho) to access the manager.

 -- Xavier Guimard  Thu, 29 Nov 2012 06:22:45 +0100