lemonldap-ng (2.0.2+ds-7+deb10u5) buster-security; urgency=high

  The lemonldap-ng community fixed a vulnerability in the Nginx default
  configuration files (CVE-2020-24660).
  The Debian package does not install any default site, but the documentation
  provided insecure Nginx configuration examples before this version. If
  you use the lemonldap-ng handler with Nginx, you should verify your
  configuration files.
  The upstream community recommends fixing the X_ORIGINAL_URI variable:

    location = /lmAuth {
      fastcgi_param X_ORIGINAL_URI  $original_uri;
      # or uwsgi_param X_ORIGINAL_URI $original_uri;
      ...
    }
    location = /protected-area {
      set $original_uri $uri$is_args$args;
      ...
    }

  The updated example file is installed in documentation:
  /usr/share/doc/lemonldap-ng-handler/examples/test-nginx.conf

  See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 for more

 -- Xavier Guimard <yadd@debian.org>  Mon, 07 Sep 2020 11:16:03 +0200
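
Added example, not part of the Debian package or the upstream project: one way to carry out the configuration check recommended in the 2.0.2+ds-7+deb10u5 entry above (CVE-2020-24660). It flags X_ORIGINAL_URI parameters that are not fed from $original_uri; the function name, the sample configurations and the message wording are assumptions made for illustration.

```python
import re
import sys

# X_ORIGINAL_URI hand-off to the handler (FastCGI or uWSGI) and the matching "set".
PARAM_RE = re.compile(r'^\s*(fastcgi_param|uwsgi_param)\s+X_ORIGINAL_URI\s+([^;\s]+)\s*;')
SET_RE = re.compile(r'^\s*set\s+\$original_uri\s+([^;\s]+)\s*;')

# Constructed sample inputs (not taken from any real deployment).
VULNERABLE_SAMPLE = """\
location = /lmAuth {
  fastcgi_param X_ORIGINAL_URI "$request_uri";
}
"""
FIXED_SAMPLE = """\
location = /lmAuth {
  uwsgi_param X_ORIGINAL_URI $original_uri;  # fastcgi_param works the same way
}
location = /protected-area {
  set $original_uri $uri$is_args$args;
}
"""


def audit_nginx_config(text, name="<config>"):
    """Return (file, line, message) findings; line 0 marks a whole-file finding."""
    findings, param_seen, set_ok = [], False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore comments, including commented-out directives
        m = PARAM_RE.match(line)
        if m:
            param_seen = True
            value = m.group(2).strip("\"'")  # Nginx accepts quoted values
            if value != "$original_uri":
                findings.append((name, lineno,
                                 f"{m.group(1)} X_ORIGINAL_URI uses {value} instead of $original_uri"))
        m = SET_RE.match(line)
        if m and m.group(1).strip("\"'") == "$uri$is_args$args":
            set_ok = True
    # The "set" may live in an included file, so this finding is a prompt to go and look.
    if param_seen and not set_ok:
        findings.append((name, 0, "no 'set $original_uri $uri$is_args$args;' in this file"))
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for finding in audit_nginx_config(fh.read(), path):
                print("%s:%d: %s" % finding)
```

Run it with the paths of your Nginx site files as arguments. A line-0 finding only means the set directive was not found in that same file, so check included files before treating it as a problem.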

lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium

  This version fixes 3 security issues. However, you must verify 2 things:
   * if you enabled SOAP/REST plugins, verify in your portal web configuration
     file that they are properly protected (see new default configuration
     files: /etc/lemonldap-ng/portal-apache2.X.conf and
     /etc/lemonldap-ng/portal-nginx.conf)
   * if you enabled OpenID-Connect identity provider, your relying parties
     must have a redirection URI. You just have to save a new configuration
     using the manager and automatic tests will fail if one relying party is
     misconfigured

 -- Xavier Guimard <yadd@debian.org>  Fri, 20 Dec 2019 18:12:54 +0100

lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium

  2.0 is a major release and many things have changed. You must read
  https://lemonldap-ng.org/documentation/2.0/upgrade before upgrading.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 30 Oct 2018 12:48:25 +0100

lemonldap-ng (1.9.2-1) unstable; urgency=medium

  liblemonldap-ng-handler-perl package has been split into:
  - lemonldap-ng-handler that provides web server configuration
  - liblemonldap-ng-handler-perl that provides Perl libraries only

 -- Xavier Guimard <x.guimard@free.fr>  Sat, 16 Apr 2016 21:18:28 +0200

lemonldap-ng (1.9.1-1) unstable; urgency=medium

  1) Configuration and sessions storage

  From now on, Lemonldap::NG uses JSON serialization to store configuration and
  sessions instead of the Storable::nfreeze Perl function. This permits one to
  have heterogeneous servers connected to the same LLNG organization (32/64 bits
  or different Perl versions). The old format still works but:
   * configuration backends: new format is applied at first configuration
     save,
   * sessions storages: new format is applied for each new session or when
     updating an existing session. You can force LemonLDAP::NG to keep the old
     serialization method by setting useStorable to 1 in sessions backend
     options if you have some custom hooks.
     Note that this behaviour only affects modules Apache::Session::File, SQL
     database and Apache::Session::LDAP

  If you have more than one server and don't want to stop the SSO service, start
  upgrading in the following order:
   * servers that have only handlers;
   * portal servers (all together if your load balancer doesn't keep state by
     user or client IP and if users use the menu);
   * manager server

  2) Manage Ajax requests when sessions expire

  To request authentication, handlers sent a 302 HTTP code even if the request
  was an Ajax one. From now on, after redirection, the portal will send a 401
  code with a WWW-Authenticate header containing "SSO portal-URL". This is a
  little HTTP protocol hook created because browsers follow redirections
  transparently. If you want to keep the old behaviour, set noAjaxHook to 1 (in
  General Parameters -> Advanced -> Handler redirections -> Keep redirections
  for Ajax).

  3) New "Multi" authentication scheme

  The Multi backend configuration has changed. Now the stacks are defined in
  separate attributes:
   * multiAuthStack
   * multiUserDBStack

  So an old configuration like this:

    authentication = Multi LDAP;DBI
    userDB         = Multi LDAP;DBI

  Must be replaced by:

    authentication   = Multi
    userDB           = Multi
    multiAuthStack   = LDAP;DBI
    multiUserDBStack = LDAP;DBI

  4) Form replay

  Management of form replay has been rewritten. If you use this experimental
  feature, you must edit your configuration and rewrite it.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 07 Mar 2016 07:12:08 +0100

lemonldap-ng (1.4.6-1) unstable; urgency=medium

  Handler files "My::Package" are no longer installed by default, as a generic
  module "Lemonldap::NG::Handler" is now available. It is therefore
  necessary either to modify Apache configuration files to use
  "Lemonldap::NG::Handler" or to create your own Perl modules using the
  provided example files.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 29 Dec 2014 17:10:00 +0100

lemonldap-ng (1.2.2-3) unstable; urgency=low

  Example files (Apache configuration and default handler files) are no longer
  installed in /var/lib/lemonldap-ng/handler but are available as example files

 -- Xavier Guimard <x.guimard@free.fr>  Wed, 05 Dec 2012 06:27:45 +0100

lemonldap-ng (1.2.2-2) unstable; urgency=low

  Since 1.2.2, LemonLDAP::NG uses the 'Demo' authentication backend by default
  and the manager is protected by default by LemonLDAP::NG. So for an
  unconfigured installation, you have to use the dwho account to access the
  manager (password dwho)

 -- Xavier Guimard <x.guimard@free.fr>  Thu, 29 Nov 2012 06:22:45 +0100