changelog 158 KiB
Clément OUDOT committed
lemonldap-ng (2.0.15.1) jammy; urgency=medium

  * Bugs:
    * #2796: "Internal Server Error" during MFA flow when using LDAP as UserDB in 2.0.15

 -- Clément <clem.oudot@gmail.com>  Thu, 15 Sep 2022 15:58:47 +0200

lemonldap-ng (2.0.15) jammy; urgency=medium

  * Bugs:
    * #2615: Redirection issue with Issue SAML + ForceAuthn=true + Kerberos authentication
    * #2650: Empty SCRIPT_NAME breaks the portal
    * #2690: Second factor logo/label not used on registration screen
    * #2708: Auth::OpenIDConnect redirects in a loop when invalid JSON metadata is provided
    * #2712: 2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
    * #2714: Session upgrade link in 2FA manager not working
    * #2716: 2FA registration does not auto-redirect to only available provider after deleting an existing 2FA
    * #2724: one importMetadata Script default option isn't correct
    * #2733: Allowing ALL special characters does not work with reset password form
    * #2742: convertConfig no error but nothing converted
    * #2758: [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
    * #2760: Userinfo does not show updated attributes when using Offline sessions
    * #2769: missing handler logs with default Nginx + LemonLDAP
    * #2772: translation overrides from skin json files are not used when sending emails
    * #2773: translation override from skin bypasses llng.ini
    * #2785: Invalid <Organization> in SAML metadata can crash portal startup
    * #2787: Status: Unknown command line during OIDC flow
    * #2789: $portal->templateDir causes skin mix-up
    * #2791: After token timeout during 2FA flow, login form is left in broken state
    * #2793: samlGotAuthnRequest cannot modify $login->request when signature validation is enabled

  * New features:
    * #2491: Use environment variables placeholder in lemonldap json configuration
    * #2713: handle refresh tokens in Auth::OpenIDConnect
    * #2737: remember previous authentication choice
    * #2763: Install LL::NG on EL9

  * Improvements:
    * #2607: bypass OIDC logout confirmation
    * #2674: Add HSTS as new security parameter in the Manager
    * #2692: New API for CAPTCHA plugins
    * #2719: importMetadata should handle conflicts between multiple federations
    * #2720: importMetadata should be configurable
    * #2723: Cannot specify custom urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef values for LemonLDAP IdPs
    * #2725: Add session data to oidcGenerateUserInfoResponse
    * #2726: Add a session variable for used 2F module
    * #2732: Add userLogger event when a specific 2FA is selected
    * #2739: Provide a specific package to install LLNG FastCGI client
    * #2745: portalEnablePasswordDisplay is not used in password change form
    * #2746: SAML metadata without SingleLogoutService leads to error at logout
    * #2753: Add IDP selection rules for CAS and OIDC
    * #2755: OIDC: issue on token endpoint with method client_secret_basic
    * #2756: Allow customization of portal JS code with jQuery events
    * #2757: Allow admins to change the 2FA timeout
    * #2759: Append a go-back-to-top button
    * #2761: Append an option to customize Manager CSS
    * #2762: Add re-send option to code-based OTPs
    * #2768: Add new hooks on Access Token refresh
    * #2775: Notification process cannot be continued with JSON response
    * #2780: New lemonldap-ng-cli subcommand: merge
    * #2782: Notifications are not sorted by sessions explorer and epoch is not converted into local date
    * #2784: Allow history fields to be translated in templates

  * Templates:
    * #2690: Second factor logo/label not used on registration screen
    * #2714: Session upgrade link in 2FA manager not working
    * #2737: remember previous authentication choice
    * #2745: portalEnablePasswordDisplay is not used in password change form
    * #2750: Option to define the favicon
    * #2759: Append a go-back-to-top button
    * #2761: Append an option to customize Manager CSS

 -- Clément <clem.oudot@gmail.com>  Fri, 09 Sep 2022 10:13:43 +0200
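Ticket #2758 (CVE-2022-37186) above, like #2387 ("logout does not clear handler cache") in 2.0.10, concerns the session cache each handler keeps locally (the cache itself is mentioned at #2254). The block below is an added illustration written for this page, not LL::NG's code, and the mechanism it models is an assumption consistent with the ticket title rather than a description of the actual defect: a per-handler cache whose entry lifetime is renewed on every hit keeps a session usable indefinitely under steady traffic even after the portal has deleted it from the central store, whereas a fixed lifetime (or an explicit invalidation at logout) bounds the exposure to at most one cache TTL. All names (`SessionStore`, `HandlerCache`, `sid1`, `dwho`) and the timeline are constructed.

```python
class FakeClock:
    """Manual clock so the timeline below is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SessionStore:
    """Stand-in for the central session backend written by the portal."""

    def __init__(self):
        self._sessions = {}

    def put(self, sid, data):
        self._sessions[sid] = dict(data)

    def get(self, sid):
        return self._sessions.get(sid)

    def delete(self, sid):
        """What the portal does at logout."""
        self._sessions.pop(sid, None)


class HandlerCache:
    """Per-handler cache in front of the store (assumed shape, not LL::NG's).

    sliding=True renews an entry's expiry on every hit, so a session that is
    used steadily is never re-read from the store; sliding=False expires the
    entry a fixed ttl after it was fetched, forcing a re-read.
    """

    def __init__(self, store, ttl, sliding, clock):
        self.store, self.ttl, self.sliding, self.clock = store, ttl, sliding, clock
        self._cache = {}  # sid -> (data, expires_at)

    def lookup(self, sid):
        now = self.clock()
        hit = self._cache.get(sid)
        if hit is not None and now < hit[1]:
            if self.sliding:
                self._cache[sid] = (hit[0], now + self.ttl)
            return hit[0]
        data = self.store.get(sid)
        if data is None:
            self._cache.pop(sid, None)  # destroyed upstream: drop any stale copy
            return None
        self._cache[sid] = (data, now + self.ttl)
        return data

    def invalidate(self, sid):
        """Explicit logout notification from the portal to this handler."""
        self._cache.pop(sid, None)


def simulate(sliding, notify_logout=False, ttl=60, period=10, logout_at=30, until=200):
    """Constructed timeline: one session, a request every `period` seconds,
    logout on the portal at t=logout_at, traffic continuing afterwards.
    Returns {t: handler still authorizes the request} for every t > logout_at."""
    clock, store = FakeClock(), SessionStore()
    handler = HandlerCache(store, ttl=ttl, sliding=sliding, clock=clock)
    store.put("sid1", {"uid": "dwho"})  # constructed session
    after_logout = {}
    for now in range(0, until, period):
        clock.now = float(now)
        authorized = handler.lookup("sid1") is not None
        if now > logout_at:
            after_logout[now] = authorized
        if now == logout_at:
            store.delete("sid1")
            if notify_logout:
                handler.invalidate("sid1")
    return after_logout


def seconds_until_denied(sliding, notify_logout=False, **kw):
    """First instant after logout at which the handler denies, or None if never."""
    for t, ok in sorted(simulate(sliding, notify_logout, **kw).items()):
        if not ok:
            return t
    return None


if __name__ == "__main__":
    print("sliding cache, no notification :", seconds_until_denied(sliding=True))
    print("fixed-ttl cache                :", seconds_until_denied(sliding=False))
    print("sliding cache + logout notify  :", seconds_until_denied(sliding=True, notify_logout=True))
```

The check a practitioner wants after upgrading: log out on the portal, then keep requesting a protected virtual host more often than the handler cache TTL. The handler must start denying no later than one TTL after logout, however frequent the requests are; a deployment where it keeps authorizing is still exposed.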

lemonldap-ng (2.0.14) focal; urgency=medium

  * Bugs:
    * #2519: first authentication returns 500 code after inactivity period
    * #2566: No configuration available in fresh LemonLDAP 2.0.12
    * #2594: Double slashes in _pdata->{_url} when LLNG is OIDC RP
    * #2595: Portal does not run correctly with portalRequireOldPassword=0
    * #2596: [security:low] open redirect in CAS gateway mode
    * #2597: External password reset URL is called with skin= and url= parameters
    * #2600: RESTProxy authentication does not work with AuthChoice-enabled internal Portal
    * #2603: Saving configuration drops OIDC scope rules
    * #2606: FindUser plugin: SpoofId field is not updated if a value has been already set before the Ajax request
    * #2612: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
    * #2613: ProxyAuth cookie name can not be modified
    * #2616: Login is not remembered when password is incorrect
    * #2618: DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
    * #2620: Net::LDAP::Control::PasswordPolicy is not always loaded
    * #2622: Fail oauth2 grants when resulting scope is empty
    * #2626: Portal fatal errors cause "Conflict detected between 2 extensions, aborting 1 route" message to appear in logs
    * #2632: Handler::Server::Nginx does not use logger config from lemonldap-ng.ini
    * #2637: Error with default locationRules
    * #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
    * #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
    * #2655: 'afterData' plugins loaded after Impersonation will never be executed
    * #2656: CAS: multiple proxies is not correctly implemented
    * #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
    * #2660: Combination is not compatible with LDAP password policies
    * #2663: Radius authentication fails when radius used as authentication module
    * #2671: xss attack detected on a relayState parameter
    * #2675: Auth::Custom calls module init twice
    * #2676: UserDB::Custom and Password::Custom load the module twice and call init three times
    * #2677: *::Custom do not allow config overrides
    * #2678: Auth::Custom getDisplayType is broken with choice
    * #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
    * #2689: REST server: 400 bad request with DELETE /session/my
    * #2691: Error when using has2f in a manager rule
    * #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
    * #2703: OIDC RP menu attribute names do not refresh live

  * New features:
    * #1411: Web Authentication API (webauthn)
    * #2325: "Warn on new network location" plugin
    * #2679: CheckDevOps: Append an option to check if used attributes are existing
    * #2686: Web service for application list

  * Improvements:
    * #1714: Check logLevel value
    * #2277: pdata cookie is not removed if SAML flow fails
    * #2457: Do not translate OIDC RP exported attributes
    * #2476: $groups is not initialized for at least LDAP authentication
    * #2508: Look at configuration timestamp to dismiss cache
    * #2558: Add a new portal error code for Auth::OIDC issues
    * #2565: Adding per-request information in logs
    * #2570: RGAA: Adding a role attribute into messages
    * #2577: RGAA: placeholder only should not be used as label
    * #2591: stayconnected plugin: allow to disable browser fingerprint check and update documentation
    * #2593: Contextual / Adaptive authentication / Risk-based authentication
    * #2599: Certificate reset templates are not translated
    * #2601: RESTProxy authentication does not support Impersonation
    * #2602: Export OIDC grant type in rules
    * #2604: Append an option to normalize HTTP headers with CheckDevOps plugin
    * #2605: llnglanguage cookie will be rejected if sameSite attribute is not set
    * #2609: Better history management for plugins
    * #2614: display precise error while sending direct SOAP SAML message
    * #2617: SafeJail must be enabled with CheckDevOps plugin
    * #2619: Brazilian translation
    * #2621: SAML: HTTP-Artifact mode should be discouraged
    * #2625: Add an option to encrypt TOTP secrets
    * #2627: Append an option in Manager to be able to set RULES_URL param
    * #2638: Redirect to 2fregisters is missing a slash
    * #2644: No error displayed in logs in DevOps Handler when rules file can't be downloaded
    * #2646: bruteForceProtectionMaxAge and bruteForceProtectionMaxLockTime missing from manager
    * #2647: Display logins history with CheckUser plugin
    * #2649: Portal plugins should not require an "init" method
    * #2651: Hebrew Translation
    * #2654: CAS temporary tickets should have a short expiration time
    * #2657: Hidden attributes, custom functions and plugins declarations are inconsistent
    * #2662: CheckUser plugin: Append a rule to allow some users to display hidden attributes
    * #2664: impossible to use getModule in the Password modules
    * #2667: Add RP confkey to oidcGenerateUserInfoResponse plugin hook
    * #2668: CheckDevOps: prevent portal crash/loop if a bad rules.json file is provided
    * #2672: DBI password hash list is too restrictive
    * #2673: Allow configuring multiple service URLs per CAS application
    * #2679: CheckDevOps: Append an option to check if used attributes are existing
    * #2683: Possibility to set an activation rule for "remember me" option
    * #2685: DevOps handler uses default HTTPS redirection if no VH is defined
    * #2694: Chrome warns about compromised data when using form replay
    * #2698: Avoid useless warning messages in log

  * Templates:
    * #2325: "Warn on new network location" plugin
    * #2570: RGAA: Adding a role attribute into messages
    * #2577: RGAA: placeholder only should not be used as label
    * #2597: External password reset URL is called with skin= and url= parameters

 -- Clément <clem.oudot@gmail.com>  Sat, 19 Feb 2022 17:49:18 +0100

lemonldap-ng (2.0.13) focal; urgency=medium

  * Bugs:
    * #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
    * #2566: No configuration available in fresh LemonLDAP 2.0.12
    * #2567: CORS headers not sent in userinfo endpoint error response
    * #2568: SafeJail does not report errors correctly
    * #2573: convertConfig does not work when target backend is empty
    * #2589: FindUser plugin: minor improvements and several issues

  * Improvements:
    * #2558: Add a new portal error code for Auth::OIDC issues
    * #2564: Missing options to use text emails for some features
    * #2585: RGAA: to use autocomplete when possible
    * #2589: FindUser plugin: minor improvements and several issues
    * #2592: Bad error reporting during portal init

  * Templates:
    * #2585: RGAA: to use autocomplete when possible
    * #2589: FindUser plugin: minor improvements and several issues

 -- Clément <clem.oudot@gmail.com>  Fri, 20 Aug 2021 18:30:23 +0200

lemonldap-ng (2.0.12) focal; urgency=medium

  * Bugs:
    * #2153: logout forward url pointing to a protected application causes infinite redirection (pdata)
    * #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS through lemonldap-ng-cli
    * #2453: Manager API: missing doc and array handling of additional audiences
    * #2455: llng-fastcgi-server exited with signal 13
    * #2459: Debian packages: missing dependency to gsfonts may break Captcha
    * #2460: "Underlying object can't load conf" in v2.0.11
    * #2463: Portal plugin hooks triggered multiple times after reload
    * #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
    * #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
    * #2475: OIDC: Invalid error code returned in badAuthRequest
    * #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
    * #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
    * #2481: missing _utime in OIDC Client Credential sessions
    * #2482: unexpected persistent sessions appear since 2.0.10
    * #2483: Second factor removal does not work when hiding session ids from manager
    * #2487: Incorrect error reporting in convertSessions
    * #2489: Do not grant the openid scope during Resource Owner Password Grant
    * #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
    * #2495: [security:medium] XSS on register form
    * #2498: convertSessions does not filter sessionKind correctly
    * #2503: REST/SOAP exported attributes are not sent by REST server
    * #2509: Local password policy: Allowing ALL special characters does not work
    * #2511: expires_in in token response has the wrong JSON type in some cases
    * #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
    * #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
    * #2520: Missing translations for DBI configuration
    * #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
    * #2529: [bug] OIDC userinfo as jwt not readable
    * #2531: calling to_json with hash containing file handle fails
    * #2534: CDA does not work with wildcard vhosts
    * #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
    * #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
    * #2541: Misleading TOTP options
    * #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
    * #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
    * #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
    * #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
    * #2550: Token endpoint should only emit ID token when scope contains "openid"

  * New features:
    * #1976: FindUser plugin
    * #2451: CrowdSec plugin to query Crowdsec server
    * #2458: CheckDevOps plugin
    * #2510: Hook on password change
    * #2532: add oidcGenerateCode hook
    * #2554: Remove OIDC checksession iframe from metadata

  * Improvements:
    * #2260: Missing elements in sphinx documentation (mongodb)
    * #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
    * #2424: Feature: Scope Rules
    * #2454: Append a Show/Hide password button into login form
    * #2456: Prevent DevOps handler from sending hidden session attributes
    * #2462: Use timezone provided in input dates in extended function "checkDate"
    * #2465: Force OIDC error messages to use JSON
    * #2472: Loading metadata can be slow due to parsing of default certificate bundle
    * #2484: Hook for populating client credential session
    * #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
    * #2496: Add new option to ignore undeclared OIDC scopes
    * #2499: add key mapper for convertSession
    * #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
    * #2506: CAS: add an option to forbid host-based matching
    * #2521: Avoid browsers parameter hide placeholder
    * #2533: add hooks for CAS issuer
    * #2536: optimize SingleSession to avoid unneeded session fetches
    * #2544: Default 2FA register timeout is too low
    * #2557: Prevent browsers from storing new, old and confirmed password during update process
    * #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)

  * Templates:
    * #1976: FindUser plugin
    * #2454: Append a Show/Hide password button into login form
    * #2458: CheckDevOps plugin
    * #2495: [security:medium] XSS on register form
    * #2521: Avoid browsers parameter hide placeholder
    * #2541: Misleading TOTP options
    * #2557: Prevent browsers from storing new, old and confirmed password during update process

 -- Clément <clem.oudot@gmail.com>  Thu, 22 Jul 2021 17:41:44 +0200

lemonldap-ng (2.0.11) focal; urgency=medium

  * Bugs:
    * #2445: lmAuth param sent to protected application
    * #2446: Incorrect MIME type on /psgi.js
    * #2448: Adaptative Authentication rule triggered several times
    * #2449: SAML SLO using Redirect/POST binding does not work with multiple SP

  * New features:
    * #1987: add grant_type=client_credentials in OIDC

  * Improvements:
    * #2397: OAuth2 handler should make client_id and scopes of the access token available to rules and headers
    * #2436: CheckUser displays headers as they have been defined in conf instead of how they are sent
    * #2444: set oidcServiceKeyIdSig by default

 -- Clément <clem.oudot@gmail.com>  Sat, 30 Jan 2021 18:33:37 +0100

lemonldap-ng (2.0.10) stable; urgency=medium

  * Bugs:
    * #1978: can't configure variables to post in virtual host's form replay with lemonldap-cli
    * #2245: Manager API does not call reloadUrls
    * #2262: SAML: SP-initiated logout does not propagate to external authentication modules
    * #2267: LDAP timeout does not apply to search/bind/etc
    * #2293: LL:NG 2.0.8 Manager test for external/working SMTP fails @ SSL handshake, terminates connections
    * #2304: Error when using SMTP over SSL in CentOS 7
    * #2310: Misspelled parameter in call to ldap->search()
    * #2315: CheckUser plugin: option rules rely on checked user rather than connected user
    * #2318: Manager API: translate JSON booleans to int
    * #2332: [security:low] removal of registrable 2F does not test the current authn level
    * #2340: lemonldap-ng-cli restore does not work if the config backend is empty
    * #2342: Calling logout page for unauthenticated user forces login
    * #2344: Enable keepalive on LDAP connections
    * #2347: [Manager API] postLogoutRedirectUris should be an array
    * #2348: [Manager API] Bad URL in documentation
    * #2352: skipRenewConfirmation and skipUpgradeConfirmation options do not work
    * #2354: Lemonldap::NG::Common::Conf::msg is never reset and grows indefinitely
    * #2355: Password policy checker broken in password reset by mail template
    * #2357: CDA query parameter not parsed when query params are reordered
    * #2361: Cannot remove OIDC consent from session explorer
    * #2364: llngconnexion cookie in the StayConnected-Plugin rejected
    * #2365: Check my last logins option does not work with StayConnected plugin
    * #2366: StayConnected plugin does not work with 2FA
    * #2367: skip rule doesn't work with DevOps handler
    * #2369: Memory leak in Issuer::_redirect
    * #2373: Remove spaces from generated login when user register account
    * #2374: Missing form-check-input class in form groups
    * #2375: Refresh session plugin: refresh result is not checked before returning JSON answer
    * #2377: Reset expired password process does not work without _whatToTrace macro or if old password is not required
    * #2378: Error in inGroup expansion
    * #2383: Vhost with wildcard with % sign, configuration not loaded in manager
    * #2387: logout does not clear handler cache
    * #2399: Local password policy check should be disabled when clicking on "generate password" checkbox
    * #2401: Selinux policy blocks cache after restorecon
    * #2403: Missing Ldap attribute in CAS ticket if equals 0
    * #2410: LDAP connectivity issues on startup cause fatal initialization error when passwordDB=LDAP
    * #2411: Javascript error when local password policy configured and password tab disabled in menu
    * #2413: checkstate returns error 500 with user parameter
    * #2417: Error in cookie name used by lemonldap regexp
    * #2420: Auth::SAML should handle missing NameID
    * #2425: "Configuration error: xxx SAML metadata has no EntityID" when updating SAML sp in manager API
    * #2426: twitter auth fails when coming from oidc/saml/cas service
    * #2429: SAML sessions fill up with logout sessions that do not expire
    * #2430: Password not updated in session after password change
    * #2440: OIDC api: redirect URI not handled at top level during get/update operations

  * New features:
    * #2336: Adaptative Authentication Plugin
    * #2391: Add extended function to test for registered second factor
    * #2408: Add Chinese (Taiwan) translation

  * Improvements:
    * #714: Make password change compatible with Combination
    * #716: Make password reset work with Combination
    * #2232: lmAttrOrMacro test in Manager is too restrictive
    * #2266: local password policy conflicts with LDAP password policy
    * #2301: password reset page(s) CSS issues
    * #2309: Uninitialized $app in CAS Issuer during test
    * #2314: CheckUser plugin: Append an option to display computed sessions data
    * #2316: "New keys" in saml security configuration should generate a certificate
    * #2317: Combination and fail2ban logs
    * #2319: Allow the SAML signature alg to be set per-provider
    * #2321: Can't save configuration with 2 CAS applications sharing the same hostname
    * #2322: Support for SHA384 and SHA512 saml signatures
    * #2329: Display a warning if password module is enabled without password backend
    * #2330: Allow to configure OIDC claims type
    * #2331: Warning in default Nginx configuration
    * #2334: GlobalLogout plugin can sometimes found some non-SSO or corrupted sessions
    * #2335: apache handler: allow users to override the port/scheme for redirections
    * #2339: Plugins refactoring
    * #2341: Make SHA256 the default signature method for SAML
    * #2345: RGAA recommends alt tags be empty for decoration images
    * #2350: [security:low] Hiding session ids from the manager
    * #2356: RGAA 5.4 requires arrays to have defined captions
    * #2359: plugin engine for issuers
    * #2360: Avoid assignment in expressions
    * #2368: StayConnected-Plugin: when user-agent changes login is only possible after deleting cookies
    * #2372: Add a domain whitelist to Auth::Kerberos
    * #2380: CORS headers not sent by sendError
    * #2381: Append a hook to be able to overwrite access log
    * #2386: CheckUser does not resolve vhost aliases
    * #2388: Allow custom SSL logos when using choice
    * #2393: All messages printed in userLogger should use whatToTrace value to log user name
    * #2398: CheckUser: Append an option to hide specific headers value depending on tested VHost
    * #2404: Force deletion of corrupted sessions in DBI and LDAP backends
    * #2406: Possibility to use a different mail for 2FA and password reset
    * #2409: Update Spanish translation
    * #2414: Manager evaluates macros with Safe Jail whereas useSafeJail has been disabled
    * #2422: Missing alt attributes in mail HTML templates
    * #2427: Make AssertionConsumerServiceURL available to SAML rules
    * #2438: Add a confirmation when deleting second factor

  * Templates:
    * #2301: password reset page(s) CSS issues
    * #2355: Password policy checker broken in password reset by mail template
    * #2356: RGAA 5.4 requires arrays to have defined captions
    * #2365: Check my last logins option does not work with StayConnected plugin
    * #2366: StayConnected plugin does not work with 2FA
    * #2374: Missing form-check-input class in form groups
    * #2422: Missing alt attributes in mail HTML templates
    * #2438: Add a confirmation when deleting second factor

  * WebServer Confs:
    * #2331: Warning in default Nginx configuration
    * #2434: [security:medium] Headers are not deleted for unprotected or skip locations with nginx handler

 -- Clément <clem.oudot@gmail.com>  Sun, 17 Jan 2021 16:52:38 +0100

lemonldap-ng (2.0.9) stable; urgency=medium

  * Bugs:
    * #1659: RESTProxy doesn't fully work as a UserDB module
    * #1980: Refresh my rights causes error 500 with OIDC provider
    * #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
    * #2196: Unable to display integer field with other fields in Manager
    * #2199: StayConnected plugin not working due to error in fingerprint javascript
    * #2200: Bad default value for portalDisplayOidcConsents
    * #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
    * #2212: Captcha or OTT is not renewed if Impersonation process failed
    * #2215: CheckUser idRule is checked only if session is computed
    * #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
    * #2221: Bad error message when conf backend fails to load
    * #2222: Errors in lemonldap-ng.ini are not correctly reported
    * #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
    * #2224: regression in redirection to SAML urls with query string after #2085
    * #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
    * #2230: LLNG 2.0.8 - Error on portal.js with IE 11
    * #2234: Prevent browser caching in sendJSONresponse
    * #2237: SAML SP error with auth kerberos
    * #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
    * #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
    * #2254: Local session cache and systemd PrivateTmp
    * #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
    * #2257: Missing country in OpenID Connect Address Claim
    * #2258: Error when using lougout_app_sso
    * #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
    * #2263: Incorrect SOAP Content-Type
    * #2271: Labels are not working in auth form
    * #2272: Secure flag missing on lemonldappdata cookie and during logout
    * #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
    * #2275: sgRequired option does not work when global storage is enabled for token
    * #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
    * #2288: LL:NG 2.0.8  manager missing doc-referenced "Login History" tab
    * #2289: Special chars password policy is not displayed if password is expired
    * #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
    * #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
    * #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
    * #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
    * #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication

  * New features:
    * #1646: integrate documentation into the codebase
    * #2124: use 2FA only if and when needed
    * #2205: Add a session command line (CLI) tool

  * Improvements:
    * #1598: Proxy Backend support for Password Module (passwordDB)
    * #2188: Declare vhost with wildcard and prefix/suffix
    * #2189: Make externally-provisioned yubikeys easier to configure
    * #2193: Polish translation
    * #2195: Manager - Configuration's Author IP address field should honor $ipAddr
    * #2201: Avoid Portal to crash with bad GrantSession rule
    * #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
    * #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
    * #2214: add option to make convertConfig easier in most cases
    * #2225: REST session server is too intolerant of clock drift (2)
    * #2233: Error/Warnings id not replaced with CLI
    * #2239: Mail reset token should not be deleted at first page access
    * #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
    * #2241: Add CAS App management to the manager API
    * #2242: Display new supported grant_types in OIDC discovery page
    * #2244: Use configuration key in user log messages for all Issuer modules
    * #2249: Check password policy on the client side when changing password
    * #2251: Add a parameter for Syslog options
    * #2252: No host in logs to use with Fail2ban
    * #2265: increase log level for mail sending and password reset
    * #2273: URL is not set to Portal URL after ContextSwitching
    * #2276: Using bruteForceProtectionIncrementalTempo locks user at first attempt
    * #2278: Display instance name when prompting a message
    * #2280: User attribute based on local macro in Openid rp
    * #2281: Manage SameSite default behavior
    * #2283: Improve Notifications explorer to display done notifications content
    * #2284: Improve serviceToken debug logs
    * #2292: request "do not minify" json config option
    * #2295: Erroneous use of NTLM should be explicitly reported to the user
    * #2299: healthcheck endpoint for manager API
    * #2302: correct usage of invalid vs unvalid in code & messaging
    * #2303: Add del method to lemonldap-ng-cli

 -- Clément <clem.oudot@gmail.com>  Sun, 06 Sep 2020 19:59:22 +0200
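Ticket #2290 (CVE-2020-24660) above is a reminder that URL access rules must be matched against a canonical path, not the request target as the client sent it. The block below is an added illustration written for this page, not LL::NG's handler code: the rule table, the predicates and the probe URIs are constructed, and `normalize_path` is one reasonable canonicalisation, not necessarily the one the project adopted. It shows several spellings of the same path slipping past a regex rule when the raw path is matched, and all of them resolving to the protected path once normalized.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed access rules: (regex over the path, predicate over the session).
# First match wins; anything unmatched is public. This rule format is a
# simplification written for this example, not LL::NG's own.
RULES = [
    (re.compile(r"^/admin(/|$)"),
     lambda sess: sess is not None and sess.get("role") == "admin"),
    (re.compile(r"^/private(/|$)"),
     lambda sess: sess is not None),
]


def raw_path(raw_uri: str) -> str:
    """The request-target path exactly as the client sent it, query removed."""
    return raw_uri.split("?", 1)[0] or "/"


def normalize_path(raw_uri: str) -> str:
    """Canonicalise the request-target before it is matched against rules.

    Steps: drop the query string, percent-decode exactly once (decoding twice
    is a separate bug), resolve '.' and '..', collapse repeated slashes and
    clamp at the root so '/../x' cannot climb above it. A trailing slash is
    preserved because a rule may distinguish '/admin' from '/admin/'.
    """
    path = unquote(raw_path(raw_uri))
    if not path.startswith("/"):
        path = "/" + path
    norm = normpath(path)
    # posixpath.normpath keeps a leading '//' (POSIX lets it be special);
    # for URL rule matching it must collapse to a single slash.
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def authorize(raw_uri: str, session, normalize: bool = True) -> bool:
    """Return True if the request is allowed. normalize=False matches the raw
    path, which is the class of mistake ticket #2290 describes."""
    path = normalize_path(raw_uri) if normalize else raw_path(raw_uri)
    for pattern, allowed in RULES:
        if pattern.search(path):
            return allowed(session)
    return True  # default rule: public


def bypass_attempts(session):
    """Constructed request-targets that all denote /admin/... once canonical.
    Returns {uri: (decision on raw path, decision on normalized path)}."""
    probes = [
        "/admin/",
        "/public/../admin/",
        "/%61dmin/",
        "//admin/config",
        "/./admin/%2e%2e/admin/?x=1",
    ]
    return {u: (authorize(u, session, normalize=False), authorize(u, session))
            for u in probes}


if __name__ == "__main__":
    for uri, (raw, canon) in bypass_attempts({"role": "user"}).items():
        raw_s = "allow" if raw else "deny"
        canon_s = "allow" if canon else "deny"
        print(f"{uri:30} raw={raw_s:5} normalized={canon_s}")
```

A check worth running after applying such a fix: send the probes from `bypass_attempts` to a real protected virtual host and confirm each gets the same decision as the plain `/admin/` request. The generic Nginx point behind this class of bug is that `$request_uri` carries the raw request line while `$uri` is the already-normalized path; a handler fed the former has to normalize itself, and it must percent-decode exactly once, since a second decode reopens the problem from the other direction.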

lemonldap-ng (2.0.8) stable; urgency=medium

  * Bugs:
    * #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
    * #1659: RESTProxy doesn't fully work as a UserDB module
    * #1776: Manager breaks when moving a newly created category or application
    * #1939: expired issuer context is not reset when starting new authentication
    * #1990: [warn] Route xxx redefined when using the fastCGI server
    * #1992: Memory leak issue on CentOS 7 / perl 5.16
    * #2048: t/32-OIDC-Refresh-Token.t fails randomly
    * #2049: Unable to display notifications marked as done (DBI)
    * #2050: Wrong message displayed by CheckUser plugin
    * #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
    * #2057: Log in request without captcha returns an internal server error
    * #2058: Use of configuration cache can mix global and local configuration parameters
    * #2059: Error in Manager / CLI / Editor when an attribute is not defined
    * #2061: pdata not cleaned with Kerberos authentication
    * #2063: Javascript error: window.datas is undefined
    * #2072: Configuration comparator error on application menu "order"
    * #2074: Portal menu: display condition with sp: does not work for SAML SP
    * #2080: SAML POST to SP becomes GET when an info is displayed
    * #2081: Parameter added to external redirect URL when info.tpl is used
    * #2082: SSLVarIf cannot be set in manager
    * #2085: OIDC provider doesn't work when info is displayed during the login process
    * #2086: LDAP notifications backend does not work
    * #2089: Old format notifications with file backend don't work
    * #2090: Session creation mixup when supplying an existing _session_id
    * #2097: Error after activating userLogger (Apache)
    * #2099: Error 500 when SAML Session is expired
    * #2101: Wildcard in virtualhost names : URL contains a non protected host
    * #2104: Sessions are not well computed by CheckUser plugin
    * #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
    * #2111: Bad translation tag for password policy remaining grace message
    * #2113: Password policy warning before password expiration is badly displayed
    * #2116: Missing goToPortal translation for mails
    * #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
    * #2120: OIDC: hybrid flow does not issue ID token
    * #2123: Rest2F does not transmit session attributes to Verify URL
    * #2127: Cache reload throw an error if status enabled
    * #2128: Manager with CDA issue
    * #2133: Issues with removed second factors notification system
    * #2138: logout forward doesn't work anymore
    * #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
    * #2142: OIDC consent validation fails after second factor form or redirection from external IDP
    * #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
    * #2144: OTT is not sent if SSL authentication fails with Choice
    * #2148: Bad request with Notification SPA
    * #2151: Session upgrade does not work with multiple second factors
    * #2152: Nginx configuration files do not work with IPv6
    * #2159: Single session module configuration
    * #2165: Server error with rule on Combination
    * #2167: OAuth2 handler should return 401 when access token is missing or invalid
    * #2168: LLNG is too strict on OIDC scope syntax
    * #2169: duplicates in _oidcConsents when scope is updated
    * #2171: Introspection endpoint does not recognize refreshed Access Tokens
    * #2179: refresh my rights downgrades authentication level set by 2FA
    * #2180: SingleSession plugin does not work if history is displayed

  * New features:
    * #2033: Manager API to reset 2FA
    * #2034: Manager API to manage SAML and OIDC clients
    * #2069: Manage Cookie SameSite value
    * #2136: Possibility to override language with a parameter in URL
    * #2154: Github authentication backend

  * Improvements:
    * #1598: Proxy Backend support for Password Module (passwordDB)
    * #1877: Option to run setMacros after setGroups
    * #1902: Configuration is saved even with errors with lemonldap-ng-cli
    * #1957: Provide packages for CentOS 8
    * #2046: compactConf is confusing
    * #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
    * #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
    * #2068: Append an option to set CSP frame ancestors header
    * #2070: LemonLDAP session cookie - SameSite attribute
    * #2071: Allow users to see and display their accepted notifications
    * #2073: Improve notifications SPA
    * #2076: Possibility to configure a custom CSS file
    * #2084: Make "error" the default log level for lasso
    * #2088: BruteForce module: increase delay between each login attempt
    * #2091: Better look for buttons in 2FA choice screen
    * #2093: CheckUser - Remove persistent session attributes if required
    * #2096: Improve introspection endpoint
    * #2102: Bad Autologin rule leads to error 500 and crashes the portal
    * #2103: Add a rollback option to lemonldap-ng-cli
    * #2106: CheckUser: Append an option to hide empty headers
    * #2108: "Underlying object can't load conf" is a bad error message
    * #2109: Securing the new API endpoints for 2.0.8 release
    * #2114: Improve adaptive display and show instance name
    * #2115: Possibility to select choice tab, as for menu tab
    * #2117: Remove warning messages "uninitialized value $encryption_mode"
    * #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
    * #2121: Prevent Portal from crashing if Custom Functions module is not found
    * #2125: Internal Server Error when REST backend does not return a JSON Object
    * #2126: Prevent Portal from crashing if a bad rule is used for enabling a plugin
    * #2129: AuthenticationLevel based macros and groups should be updated with second factor
    * #2130: Append password policy options to define and require special characters
    * #2131: Make json does nothing if only a Portal constant is appended
    * #2132: Application icons are displayed with real sizes by the Manager and it is not particularly convenient
    * #2135: Remove 'underscore' in notification reference
    * #2140: Append an option to define applications tooltip
    * #2145: Display a custom param with GlobalLogout plugin
    * #2149: Add an easy way to set level of additional second factors
    * #2155: Implement Resource Owner Password Credentials Grant
    * #2156: "Require 2FA" should be renamed
    * #2161: DBI should test that "table" is set
    * #2164: Make SingleSession options configurable by a rule
    * #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
    * #2173: Make CheckUser options configurable by a rule
    * #2175: Reorganize OIDC RP options in manager
    * #2177: OIDC: Allow additional audiences for ID Token
    * #2178: Make require old password option configurable by a rule
    * #2182: Append a Show/Hide password button into change password form
    * #2184: SAML logout request returns 400 error code if session is not found
    * #2185: Append a rule to display sfaManager link

 -- Clément <clem.oudot@gmail.com>  Mon, 04 May 2020 22:43:29 +0200

Clément OUDOT's avatar
Clément OUDOT committed
lemonldap-ng (2.0.7) stable; urgency=medium

  * Bugs:
    * #1893: Issuer urldc is lost after error in 2F flow
    * #1909: Reset password by email issue
    * #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
    * #1945: passwordpolicy.tpl contains wrong tag
    * #1948: Translation menu does not work with Diff.html
    * #1949: Don't Store Password shows password in cleartext
    * #1952: "Attributes and macros" session keys should not be translated
    * #1953: Outgoing emails are missing a Date: field
    * #1954: zimbra preauth not working
    * #1955: Redirection lost after notification validation
    * #1960: REST config service not working
    * #1961: IDP selection rule regression in 2.0.0
    * #1963: Server Error with OpenID Connect register endpoint
    * #1964: Diff.html does not work with minified JS
    * #1966: Configuration reload does not apply changes to location rules
    * #1968: skippedUnitTests/skippedGlobalTests have no effect
    * #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
    * #1974: ServiceToken handler TTL value always set to default
    * #1984: Reset expired password doesn't trigger when using Combination
    * #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
    * #2009: Display authentication error on login form with Combination Kerberos + LDAP
    * #2010: Kerberos not working with session upgrade
    * #2012: Several issues with notification system
    * #2013: Handler, yum install
    * #2018: After temporary ldap failure, ldap connections stop working forever
    * #2038: Missing type attribute in 2FA HTML inputs
    * #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name

  * New features:
    * #813: Provide refresh tokens in OpenID Connect
    * #1605: certificate reset by mail
    * #1956: DecryptValue plugin
    * #1999: Possibility to view/close other sessions opened for the same user
    * #2006: Create a web service for "refresh my rights"

  * Improvements:
    * #1590: Possibility to configure new plugins in Manager
    * #1905: Append overScheme for persistent sessions
    * #1941: After logging out from SP we are always redirected to IdP - Unable to go back to SP Portal
    * #1947: Highlight active module with Diff.html
    * #1967: allow different types of managerDN
    * #1983: The script purgeCentralCache should be more fault tolerant
    * #1988: Append a requiredAuthenticationLevel option for each uri
    * #1989: Main logo and lang icons are missing with upgradesession template
    * #1991: Some user logs not using whatToTrace for username
    * #1993: Same issue as #1884 occurs with Issuer redirection
    * #1994: Append varInUri extended function
    * #1995: Add an option to force claims in ID token
    * #1996: REQUEST_URI env variable is not set by CheckUser plugin
    * #1997: Enable checkTime option by default
    * #1998: Misleading token ID format
    * #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
    * #2007: Password change prompt displayed even if initial auth fails
    * #2008: Specific message and error code for 2F failure
    * #2011: Create a function to test if a value belongs to a list
    * #2012: Several issues with notification system
    * #2014: New script to convert sessions between backends
    * #2019: Renew Captcha button
    * #2024: Change default value for cspFormAction
    * #2042: Add per-service macros

 -- Clément <clem.oudot@gmail.com>  Sat, 21 Dec 2019 16:59:22 +0100

lemonldap-ng (2.0.6) stable; urgency=medium

  * Bugs:
    * #1834: Use base64 URL for JWT generation
    * #1838: Return claims from scope values in ID token if no access token requested
    * #1852: SAML request lost after notification
    * #1853: Adding a second notification with same reference is not refused
    * #1856: Unable to validate more than one notification (JSON format)
    * #1857: Message "session is expired" if a notification is refused
    * #1861: Persistent data and notification validation
    * #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
    * #1864: incorrect loading of SAML metadata when entityID contains html-encoded characters
    * #1865: Dependencies missing in RPM
    * #1866: Skin parameter is lost in second factor choice
    * #1867: Bad error template with Combination and OTT timeout
    * #1868: Yubikey enrolment failed on Internet Explorer
    * #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
    * #1874: OTT not regenerated after submitting TOTP form with an expired OTT
    * #1875: Variables from Users module DBI are not used when Authentication module is LDAP (chain: [LDAP,DBI])
    * #1876: $_ no longer works in macros, rules and headers since 2.0
    * #1878: Pdata cookie not cleared after cross domain Auth request
    * #1880: [Security:low] Restricted users can edit conf by using default route
    * #1881: [Security:high] oidc authorization codes are not tied to their RP
    * #1883: Infinite loop when displaying sessions by IP address
    * #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
    * #1890: LinkedIn v1 API is not available anymore
    * #1891: GET parameter "cancel" with Choice and CAS authentication
    * #1897: Emails are sometimes sent in the wrong language
    * #1898: Handler SecureToken is not working anymore
    * #1901: Handler error if a header definition is empty
    * #1903: Mail password reset and Combination with LDAP does not work
    * #1906: Missing MAIN_LOGO variable in redirect.tpl
    * #1910: Issue with "force password change on next login" feature with LDAP
    * #1915: Skin selected by rule is lost in 2FA process
    * #1922: Accented UTF-8 value of header is UTF-8 encoded again by handler
    * #1925: AuthBasic handler does not work with AuthChoice
    * #1933: [Security:low] nginx portal example file does not filter REST urls
    * #1935: [Security:medium] AuthSlave does not check credential headers

  * New features:
    * #993: Define a local password policy
    * #1783: ContextSwitching plugin
    * #1843: OAuth2 introspection endpoint
    * #1847: Radius 2F module
    * #1860: Multiple instances of 2F modules

  * Improvements:
    * #1619: Support IBM Tivoli Directory Server (ITDS)
    * #1702: Improve log generated by lemonldap
    * #1825: Possibility to disable persistent sessions
    * #1829: Redirection lost between SSL/Ajax and SAML
    * #1831: Warning in lemonldap-ng-cli
    * #1832: Add save/restore in CLI help message and control restore parameters
    * #1833: Show cli errors on file access
    * #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
    * #1842: Merge userLogger notice with logger debug
    * #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
    * #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
    * #1849: CDA is not compatible with Handler::PSGI::Try
    * #1850: No "Session granted" log if grantSession plugin not enabled
    * #1851: Append notification REST services
    * #1862: When displaying notifications, sort them by date and references
    * #1870: REST Api endpoint "error"
    * #1873: Labels for 2FA choices
    * #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
    * #1882: Confusing default OIDC issuer setting
    * #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
    * #1885: Append an option to log an extra parameter
    * #1888: Javascript error on textContent method with .Net framework and WPF
    * #1896: Add _session_kind to default SOAP/REST exported attributes
    * #1899: Fix portal and manager display for Internet Explorer
    * #1904: Append an option "don't compact conf" + debug log + compact CAS parameters if not enabled
    * #1908: Complete blackout probably due to uncontrolled SQL connection timeout
    * #1913: Append an option to allow / forbid browsers to store users password
    * #1916: Issuer OTT timeout
    * #1919: Customizable error message when a required SAML attribute is missing
    * #1923: REST session server is too intolerant of clock drift
    * #1927: Implement CORS preflight request
    * #1928: Option to hide password generation checkbox in mail password reset plugin
    * #1929: Custom functions are not imported into Safe Jail
    * #1930: Display password change form after a password policy error in mail reset password plugin
    * #1931: Disable password input field until font is fully downloaded by browser
    * #1932: REST session server should return both session and _httpSession id
    * #1936: Append an option to display Slave logo
    * #1938: CheckUser plugin: include search parameters

 -- Clément <clem.oudot@gmail.com>  Tue, 24 Sep 2019 11:13:39 +0200

lemonldap-ng (2.0.5) stable; urgency=medium

  * Bugs:
    * #1521: The manager renames the id of applications created by lemonldap-ng-cli
    * #1655: Can't delete notifications from the manager
    * #1717: Warnings "Devel::StackTrace" when using non-native Perl functions
    * #1746: Impersonation does not work with double cookies authentication
    * #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
    * #1753: Logout with CASv2 is not working (Bad URL)
    * #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
    * #1755: CheckUser plugin fails if OTT globalStorage is enabled
    * #1759: Server Error when OpenID Connect provider enabled without any RP
    * #1762: CDA sessions are not removed when handler uses SOAP
    * #1775: Authentication with double cookies fails when uniq session is enabled
    * #1777: Server Error with SAML SLO and expired SSO session
    * #1779: Go to portal message not translated in register confirmation mail
    * #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
    * #1800: Auth::Slave is unusable with Choice
    * #1802: No error returned if no code provided on OpenID Connect token endpoint
    * #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
    * #1809: UserDB::DBI with Auth::LDAP seems to not work properly
    * #1810: [Security: low] llng-fastcgi-server could fail to setgid
    * #1811: Lua-headers file is missing
    * #1813: searchOn* does not work when a portal uses REST session backend
    * #1814: Local cache not fully purged
    * #1818: [Security:low] XXE vulnerability in SOAP notification server
    * #1819: Portal Notification server unusable with old XML format
    * #1821: Pdata not cleared after session upgrade
    * #1822: Session upgrade does not work with 2FA
    * #1824: lmConfigEditor does not work anymore
    * #1826: Race condition on SSL login form button

  * New features:
    * #1796: Display a message if an expired 2f device is removed

  * Improvements:
    * #1706: html not interpreted for translated messages
    * #1723: Real authentication is masked when using proxy authentication module
    * #1732: Sessions explorer and Browseable::Postgres
    * #1734: RPM version uses JSON::PP instead of JSON::XS
    * #1747: Logging out from portal cause an error with doubleCookie after refreshing rights
    * #1750: Wrong version / author / IP / log in lemonldap-ng-cli
    * #1758: Warnings in Viewer.pm when saving configuration
    * #1763: Transmission of Authorization header should probably be on by default
    * #1764: Set chosen language in user session
    * #1765: Better CORS handling
    * #1766: Warning in logs with SAML
    * #1767: Append startTime overScheme to display sessions to avoid browser crash
    * #1769: CSRF token is not automatically regenerated after a failed login with Auth::Choice
    * #1770: Add save/restore commands in cli
    * #1771: SSO sessions _updateTime value is not updated after a refresh request
    * #1773: Append option to modify service Token handler TTL
    * #1774: CheckUser plugin does not work with SAML
    * #1782: Append an option to set 2FA TTL
    * #1791: Append an option in Manager to merge only specified SSO groups with Impersonation
    * #1797: Allow ServiceToken to send service headers
    * #1799: StorePassword in session not working when using session REST server
    * #1827: Using lemonldap-ng-cli info gives warning with default configuration
    * #1828: 2F plugins and method loadTemplate are not using skin rules
    * #1830: [Security:improvement] Improved use of cryptography

 -- Clément <clem.oudot@gmail.com>  Sat, 29 Jun 2019 22:25:02 +0200

lemonldap-ng (2.0.4) stable; urgency=high

  * Bugs:
    * #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
    * #1709: ViewDiff template not displayed
    * #1710: Configuration keys not displayed in Viewer
    * #1716: [Security:minor] Update jQuery
    * #1720: Duplicate session opening when using multiple Kerberos instances in Combination
    * #1724: CAS 1.0 /validate endpoint does not return username
    * #1726: Deb package: missing dependency IO::String
    * #1733: Invalid default crontab in RPM
    * #1736: Configuration version in Manager is different from software version
    * #1738: Error not well caught with Ext2F
    * #1741: Deleted category is not detected as a change when saving conf.
    * #1742: [Security: high] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
    * #1743: [Security: low] register_token used for account creation can be used as a valid session identifier
    * #1746: Impersonation does not work with double cookies authentication

  * New features:
    * #1146: Allow Handler to read OAuth2 access token instead of browser cookie
    * #1722: [Security: improvement] PKCE to secure OIDC Authorization Code flow

  * Improvements:
    * #1703: Fix faulty headers on a null value
    * #1711: Return Session ID when authentication is done via REST
    * #1712: Display idpChoice cancel button only if AuthChoice is enabled
    * #1713: CAS: Allow per application CAS login override
    * #1714: Check logLevel value
    * #1725: Allow unauthenticated clients on OIDC token endpoint
    * #1728: Improve redirect page
    * #1729: Display error if SAML service is enabled without private and public keys signature
    * #1730: Sort real and spoofed attributes in CheckUser and Session explorer
    * #1735: Highlight valid SSO sessions in sessions explorer
    * #1739: Improve log in Grant Session plugin

 -- Clément <clem.oudot@gmail.com>  Sun, 12 May 2019 16:17:01 +0200

lemonldap-ng (2.0.3) stable; urgency=medium

  * Bugs:
    * #1543: Redirection lost with CAS RP -> Choice -> SAML Discovery Protocol -> SAML IDP
    * #1654: Password must change on AD still not fully working
    * #1656: No IP shown in history logon
    * #1667: [Security:medium] Option userControl is not applied anymore in standard login process
    * #1671: Error in SP-initiated saml logout with multiple SP
    * #1672: In SAML Issuer, environment variables to store current SP are not filled
    * #1673: Application list display and specific rules
    * #1675: [Security:minor] Using /logout instead of /?logout=1 does not work
    * #1676: Active Directory connection information not saved
    * #1679: Default jQuery URL in form replay has changed
    * #1680: In form replay, POST data keys are not URL encoded
    * #1682: LinkedIn OAuth2 authentication is not available in combination modules list
    * #1683: Changing configuration option cspScript has no effect
    * #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
    * #1686: SOAP Portal WSDL file is invalid
    * #1691: Password policy can't display messages
    * #1692: Parameter base64 is ignored in setHiddenFormValue
    * #1693: Information is not displayed in logout process
    * #1698: Invalid pdata causes SAML login to fail after logout
    * #1703: Fix faulty headers on a null value
    * #1708: lmerror page loops on url parameter

  * New features:
    * #1632: Optionally let Ext2F module handle code generation
    * #1658: CheckUser plugin
    * #1661: Configuration viewer module
    * #1664: Impersonation plugin
    * #1697: Command-line tool to delete session for specific user(s)

  * Improvements:
    * #1549: Option to override IDP entityID
    * #1595: Possibility to override message with a custom JSON file in template
    * #1651: Disable cache on portal page
    * #1653: Allow fallback to default skin when a template is not found in custom theme
    * #1660: Restore possibility to hide message in portal template
    * #1666: Display errors on login form
    * #1668: As IDP SAML, do not try to send SLO response if no SLO endpoint defined in SP metadata
    * #1670: Display "authentication in progress" when using Ajax with Kerberos
    * #1681: Change behavior with SAML mandatory/optional attributes in SAML Issuer
    * #1687: Add granted log for user and connection information
    * #1694: Disable CSRF token with AuthBasic
    * #1696: Remove unnecessary antiframe protection in portal javascript
    * #1699: Authentication level for REST and GPG authentication
    * #1700: Update AuthBasic handler doc: REST server is required
    * #1704: Append parameter to sort IDP, OP and CAS servers in Auth menu loop

 -- Clément <clem.oudot@gmail.com>  Thu, 11 Apr 2019 10:09:35 +0200

lemonldap-ng (2.0.2) stable; urgency=medium

  * Bugs:
    * #1574: "Manager is unprotected" message when whatToTrace value is not the default
    * #1603: Warnings with confirmation required don't work
    * #1604: Manager unit tests randomly failed
    * #1607: Safe errors when saving configuration with lmConfigEditor
    * #1610: Unable to save empty value for cookie expiration time in Manager
    * #1613: handler https redirection does not work
    * #1614: Accents not well displayed in Portal
    * #1618: Version in server signature is wrong
    * #1623: ADPwdExpireWarning and ADPwdMaxAge parameters are missing in Manager
    * #1627: Display issue with GrantSession plugin
    * #1628: [Security:minor] GrantSession plugin discloses its message to unlogged users
    * #1630: [Security:minor] SSO cookie is sent to protected applications with Nginx-based ReverseProxy
    * #1636: SSL and Kerberos Auth Modules don't work with choice
    * #1639: User must change password on AD is broken
    * #1642: Unable to select skin from URL
    * #1643: Portal CSS is sent with empty background when portalSkinBackground is not defined
    * #1644: error while resetting password with ppolicy enabled
    * #1648: ldapAuthnLevel and dbiAuthnLevel are ignored
    * #1649: Error about Handler when saving configuration in lmConfigEditor

  * New features:
    * #1569: GPG authentication module
    * #1629: Email-based two-factor module
    * #1631: Allow to display "env" as template variables

  * Improvements:
    * #1486: Portal starts even if init() has failed
    * #1600: Improve e2e tests
    * #1601: Create LDAP option to decode DN value
    * #1608: Date and comment not updated with lemonldap-ng-cli
    * #1609: add autocomplete="off" to 2F form fields
    * #1611: Improve apache configuration
    * #1622: Display delete button in 2FAManager only if action is allowed
    * #1625: "Use rule" option in issuer modules seem not to be used anymore
    * #1633: Better random generation
    * #1634: Improve management of template parameters
    * #1635: SAML attribute default value is not set
    * #1637: Add display options for SAML IDP like OIDC and CAS providers

 -- Clément <clem.oudot@gmail.com>  Tue, 12 Feb 2019 08:57:14 +0100
lemonldap-ng (2.0.1) stable; urgency=medium

  * Bugs:
    * #1564: Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL"
    * #1572: Error when saving in manager (mongoDB as ConfigurationBackend)
    * #1576: Browser doesn't select the appropriate Portal language
    * #1579: SOAP Backend error for empty collection
    * #1582: MongoDB Conf backend loses sub hash keys
    * #1586: Portal message override do not work on plugins and mails templates
    * #1587: Captcha is not displayed in Register form if mail already exists
    * #1588: Captcha is validated with additional letters
    * #1589: Error in MailReset when asking to resend confirmation mail
    * #1592: Cannot select a menu tab with ?tab=<tab id> in URL
    * #1594: Cannot select oidcConsents tab in menu

  * Improvements:
    * #1565: OpenId - Default CSP value causes breakdown in OpenId authentication form
    * #1578: Fix fcgi/psgi extensions in documentation
    * #1583: Append parameter to configure number of allowed failed logins before brute force protection activation
    * #1584: Browser doesn't select the appropriate Manager language
    * #1585: Fix main logo and lang icons display & double slash in lmerror 403 error URL
    * #1591: $req->user not available in plugins authenticated routes
    * #1593: Bad userinfo response: Unauthorized
    * #1596: Possibility to define new tabs in Menu
    * #1599: Usage of OpenID Connect with bad scope value results in unlimited session growth

 -- Clément <clem.oudot@gmail.com>  Fri, 21 Dec 2018 15:12:13 +0100

lemonldap-ng (2.0.0) stable; urgency=medium

  * Bugs:
    * #757: "Attempt to free unreferenced scalar" in Lemonldap::NG::Common::Session
    * #789: Apache reloading breaks SAML authentication
    * #804: Incomplete logout in Issuer modules
    * #856: LemonLDAP loses exportedVars conf randomly
    * #863: get_url function builds wrong Portal URL
    * #918: Env variables are searched in backends
    * #998: encode_base64 can be undefined after a reload by URL
    * #1061: Multiple segfault using ModPerl::Registry with Apache2.4
    * #1113: OIDC Provider to SAML SP does not work
    * #1150: Can't get captcha to work with LDAP as backend
    * #1171: Session explorer freezes when session number is high
    * #1327: Facebook module not working due to API changes in Facebook
    * #1420: Answering to CAS proxy requests as CAS Provider