Newer
Older
lemonldap-ng (2.17.2) jammy; urgency=medium
* Bugs:
* #3014: Logout error with message "[error] Unknown Relying Party xxxx" in logs
* #3033: Userinfo sometimes does not return attributes
-- Clément <clem.oudot@gmail.com> Tue, 14 Nov 2023 14:53:18 +0100
lemonldap-ng (2.17.1) jammy; urgency=medium
* Bugs:
* #2992: WAYF not triggered when using SAML federation plugin + one other provider
* #2996: Invalid URL for application logo in myapplications web service
* #2998: [Security:low] SSRF vulnerability in OIDC SSO
* #3001: Conf::LDAP options in lemonldap-ng.ini overrides Auth options in portal
* #3003: [Security:low] Open redirection when OIDC RP isn't configured with redirection uri
* #3010: oidcServiceAllowOnlyDeclaredScopes option drop offline_access scope
-- Clément <clem.oudot@gmail.com> Mon, 25 Sep 2023 16:46:45 +0200
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
lemonldap-ng (2.17.0) jammy; urgency=medium
* Bugs:
* #2055: Vhosts options hash key is removed after a while
* #2641: Unable to remove value for casAppMetaDataOptionsAuthnLevel
* #2711: Cannot override configuration in lemonldap-ng.ini when value is "0"
* #2847: Configuration corruption due to accented characters
* #2863: OIDC: `sid` in Front-Channel-Logout request is wrong
* #2873: AjaxInitScript/InitCmd not called after Choice error
* #2874: Removing oidcOPMetaDataOptionsAcrValues causes OIDC auth to fail
* #2882: SAML signature validation fails in RHEL9 + Lasso 2.8.0
* #2912: Non reproducible error when redirect to another url (SAML,..)
* #2920: invalid entry in SAML IDP list after logout error
* #2922: Remove | as separator for Choice configuration values
* #2931: [Security:medium] open redirection due to incorrect escape handling in URI userinfo
* #2932: unreachable LDAP server blocks initialization for too long
* #2935: importMetadata causes encoding issues when saving conf
* #2938: POST to /oauth2/token responds error 400 "This endpoint is not supposed to be called by authenticated users"
* #2939: Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
* #2942: Logout shouldn't fail when a OIDC/SAML partner doesn't respond
* #2943: eduPersonTargetedID missing from Plugins::SamlFederation
* #2946: userControl regexp is not applied by authSlave
* #2948: Manager should accept mobile-style URL in OIDC callbacks
* #2952: Unable to change password if LDAP returns PE_PP_CHANGE_AFTER_RESET and captcha is enabled
* #2962: timeoutActivity feature makes Offline sessions expire prematurely
* #2966: SAML federation plugin incorrectly skips entityIDs
* #2979: forced saveConf does not correctly report success on MySQL/MariaDB
* #2984: Test fails with Perl 5.38
* #2987: Cannot use single quote in passwordPolicySpecialChar
* New features:
* #1194: OIDC: implement Back-Channel and Front-Channel logout
* #2853: Add ability to use applications icons instead of images
* #2862: OIDC: include `sid` claim
* #2867: Add configuration extension hooks for OIDC
* #2884: Manager API: add methods to get login history
* #2885: Add plugin hook at sendHtml
* #2903: Add a function in Safelib to match IP addresses reliably
* #2940: Allow custom attributes to be sent for radius/radius2f access requests
* #2959: Send Access-Request without password when preparing Radius 2FA validation
* #2960: Add option to drop CSP headers from OIDC response
* #2965: Add cassandra support (conf & sessions)
* Improvements:
* #2255: Improvements on OpenID Connect logout (id_token_hint, user consent, ...)
* #2623: refactor code of Lemonldap::NG::Portal::Lib::Net::LDAP
* #2701: Possibility to configure which OIDC attribute from ID token should be used as pivot
* #2850: Improve CAS logout
* #2858: Improve accountability of 2FA devices
* #2878: Regexp to hide session attributes
* #2881: StayConnected: do not try to fingerprint browser if fingerprint check is disabled
* #2897: When Radius is in use login failure does not log if its due to wrong credentials or to radius unavailability
* #2908: GlobalLogout plugin does not take into account confirm URL parameter
* #2911: Manager warning when a config test needs confirmation is confusing
* #2928: Extra '/' in 2FA urls
* #2929: Set more than one class on LDAP group filter
* #2934: Implement urn:oasis:names:tc:SAML:profiles:subject-id:req in SAML federations
* #2949: Reset captcha input when renewing captcha & translate tooltip
* #2950: Hide password policy when ticking 'Generate the password automatically' box
* #2954: Add userData to log4perl placeholders
* #2956: Allow custom jquery event handlers to block default processing
* #2957: Add new jquery events for webauthn, SSL, Kerberos
* #2961: Make RS256 the default ID Token signature algorithm
* #2964: Allow customization of some error codes in templates
* #2970: Provide all applications informations trought REST service GET /myapplications
* #2972: Better OIDC keys management
* #2975: Allow admin to choose key size during certificate generation
* Templates:
* #2949: Reset captcha input when renewing captcha & translate tooltip
* #2950: Hide password policy when ticking 'Generate the password automatically' box
* #2987: Cannot use single quote in passwordPolicySpecialChar
-- Clément <clem.oudot@gmail.com> Wed, 30 Aug 2023 17:14:33 +0200
lemonldap-ng (2.16.2) jammy; urgency=medium
* Bugs:
* #2852: Allow multiple SSL choices
* #2899: When Portal language is configured to follow browser language, change in browser language requires clearing a cookie
* #2905: No applications displayed in menu for all users when one of the user has no rights to see them
* #2907: Manager customCSS not available with minified files
* #2909: Manager viewer uses the wrong endpoints to read conf
* #2915: jsRedirect does not preserve GET parameter order
* #2926: "Federation not found on login" SAML error when NameID not specified in request
* Improvements:
* #2906: Improve CheckUser display if there is no session data
* #2910: OIDC option is missing or not well documented
* #2917: Fix doc about REST server protection
* #2921: Jquery-UI - Vulnerable version in use
* Templates:
* #2906: Improve CheckUser display if there is no session data
* #2907: Manager customCSS not available with minified files
-- Clément <clem.oudot@gmail.com> Fri, 12 May 2023 18:50:33 +0200
lemonldap-ng (2.16.1) jammy; urgency=medium
* Bugs:
* #2871: Possible bug in manager related to adaptativeAuthenticationLevelRules
* #2876: Errors in Manager FR translations
* #2877: Captcha in login form is not displayed in case of back-end error
* #2879: llnglanguage cookie should set "Secure" flag
* #2887: URL parameter for Register and CertificateResetByMail plugins are not taken into account
* #2896: [Security][CVE-2023-28862] AuthBasic does not handle failure correctly
-- Clément <clem.oudot@gmail.com> Tue, 28 Mar 2023 16:34:54 +0200
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
lemonldap-ng (2.0.16) jammy; urgency=medium
* Bugs:
* #2798: Can't locate Net/SSLeay.pm
* #2799: Auth::SAML logout not performed when using a logout_sso $URL rule when using HTTP-POST binding
* #2801: Auth::SAML generates invalid SAML requests by default
* #2802: CDA does not work with wildcard vhosts containing a dash
* #2803: [Security:low] Adding registrable 2F does not test the current authn level
* #2806: SingleSession/StayConnected does not run other plugins (such as SingleSession) after login
* #2807: Result of passwordAfterChange hook not used
* #2809: portalSkinRules do not allow special characters in skin name
* #2816: Redirection loop with jsRedirect
* #2817: CrowdSec plugin broken: "URL must be absolute
* #2832: [Security:medium] Redirection URL validation bypass using credentials in URL
* #2835: We can't duplicate a virtual host with a wildcard
* #2839: Advanced sessions functions broken with Apache::Session::Redis
* #2840: password toggle visibility on mobile does not work
* #2841: Using Auth::OpenIDConnect twice in Auth::Choice leads to route redefined warning
* #2842: Cannot hook storeHistory method after 2FA failure
* #2845: "No change detected" when removing the last exported attribute/macro/scope, etc
* #2846: Incorrect handling of custom schemes when auto-setting CSP form-action (with jsRedirect=1)
* #2854: Confusing error message when trying to verify webauthn credential while there is no available credential
* #2859: Password policy does not work with underscore
* New features:
* #2174: Support OIDC response_mode=form_post option
* #2652: Integrate Pwned Passwords API from haveibeenpwned.com
* #2684: Get the geolocation of the user
* #2731: Handle SAML federations as a single configuration object
* #2734: 2FA passphrase (low security level)
* #2795: Generic 2FA register module
* #2805: Support Traefik forwardAuth
* #2819: Read attributes in Radius module
* #2836: Implement basic SLO for CAS applications
* Improvements:
* #2415: Append a field to set a comment for each IdP or SP
* #2588: "Bad URL" should be clarified
* #2631: Change error message when SAML provider is unknown
* #2778: Plugin authenticated routes don't have $req->sessionInfo by default
* #2792: Rework AJAX-based authentication to enable 2FA, notifications, etc
* #2808: Append a comment box into VHost options
* #2814: --help on /usr/share/lemonldap-ng/bin/lemonldap-ng-sessions displays source code if perl-doc is missing
* #2815: Simplify OIDC claims configuration
* #2821: Inconsistent behavior among issuers when app is unknown or unauthorized
* #2823: Append an option to define tooltip box with CAS, SAML and OIdC IDP
* #2824: Add more attributes on the OpenID JWKS endpoints (alg, x5c, x5t)
* #2826: Automatic password generation won't proceed without filling the new password text boxes
* #2827: StayConnected: add a single session option
* #2828: StayConnected: invalidate long-lived session on logout
* #2830: Allow more characters in 2FA device names
* #2831: Send client_id in logout request sent by OIDC RP
* #2833: Display a message if none application is allowed
* #2834: Append an option to sort tabs in portal menu
* #2838: Allow custom implementations of OAuth 2.0 Token Exchange
* #2848: Allow generic translation of HTML attributes
* #2849: Allow to define ServiceToken scope with RegExp
* #2855: Append an option to override manager drop-down menu links
* #2857: Improve password policy definition and display
* Templates:
* #2734: 2FA passphrase (low security level)
* #2795: Generic 2FA register module
* #2823: Append an option to define tooltip box with CAS, SAML and OIdC IDP
* #2826: Automatic password generation won't proceed without filling the new password text boxes
* #2833: Display a message if none application is allowed
* #2844: Use instance name to build SPA title
* WebServer Confs:
* #2786: provide nginx integration that doesn't use Lua
-- Clément <clem.oudot@gmail.com> Wed, 01 Feb 2023 10:49:47 +0100
lemonldap-ng (2.0.15.1) jammy; urgency=medium
* Bugs:
* #2796: "Internal Server Error" during MFA flow when using LDAP as UserDB in 2.0.15
-- Clément <clem.oudot@gmail.com> Thu, 15 Sep 2022 15:58:47 +0200
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
lemonldap-ng (2.0.15) jammy; urgency=medium
* Bugs:
* #2615: Redirection issue with Issue SAML + ForceAuthn=true + Kerberos authentication
* #2650: Empty SCRIPT_NAME breaks the portal
* #2690: Second factor logo/label not used on registration screen
* #2708: Auth::OpenIDConnect redirects in a loop when invalid JSON metadata is provided
* #2712: 2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
* #2714: Session upgrade link in 2FA manager not working
* #2716: 2FA registration does not auto-redirect to only available provider after deleting an existing 2FA
* #2724: one importMetadata Script default option isn't correct
* #2733: Allowing ALL special characters does not work with reset password form
* #2742: convertConfig no error but nothing converted
* #2758: [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
* #2760: Userinfo does not show updated attributs when using Offline sessions
* #2769: missing handler logs with default Nginx + LemonLDAP
* #2772: translation overrides from skin json files are not used when sending emails
* #2773: translation override from skin bypasses llng.ini
* #2785: Invalid <Organization> in SAML metadata can crash portal startup
* #2787: Status: Unknown command line during OIDC flow
* #2789: $portal->templateDir causes skin mix-up
* #2791: After token timeout during 2FA flow, login form is left in broken state
* #2793: samlGotAuthnRequest cannot modify $login->request when signature validation is enabled
* New features:
* #2491: Use environment variables placeholder in lemonldap json configuration
* #2713: handle refresh tokens in Auth::OpenIDConnect
* #2737: remember previous authentication choice
* #2763: Install LL::NG on EL9
* Improvements:
* #2607: bypass OIDC logout confirmation
* #2674: Add HSTS as new security parameter in the Manager
* #2692: New API for CAPTCHA plugins
* #2719: importMetadata should handle conflicts between multiple federations
* #2720: importMetadata should be configurable
* #2723: Cannot specify custom urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef values for LemonLDAP IdPs
* #2725: Add session data to oidcGenerateUserInfoResponse
* #2726: Add a session variable for used 2F module
* #2732: Add userLogger event when a specific 2FA is selected
* #2739: Provide a specific package to install LLNG FastCGI client
* #2745: portalEnablePasswordDisplay is not used in password change form
* #2746: SAML metadata without SingleLogoutService leads to error at logout
* #2753: Add IDP selection rules for CAS and OIDC
* #2755: OIDC : issue on token endpoint with method client_secret_basic
* #2756: Allow customization of portal JS code with jQuery events
* #2757: Allow admins to change the 2FA timeout
* #2759: Append a go-back-to-top button
* #2761: Append an option to customize Manager CSS
* #2762: Add re-send option to code-based OTPs
* #2768: Add new hooks on Access Token refresh
* #2775: Notification process can not be continued with JSON response
* #2780: New lemonldap-ng-cli subcommand: merge
* #2782: Notifications are not sorted by sessions explorer and epoch is not converted into local date
* #2784: Allow history fields to be translated in templates
* Templates:
* #2690: Second factor logo/label not used on registration screen
* #2714: Session upgrade link in 2FA manager not working
* #2737: remember previous authentication choice
* #2745: portalEnablePasswordDisplay is not used in password change form
* #2750: Option to define the favicon
* #2759: Append a go-back-to-top button
* #2761: Append an option to customize Manager CSS
-- Clément <clem.oudot@gmail.com> Fri, 09 Sep 2022 10:13:43 +0200
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
lemonldap-ng (2.0.14) focal; urgency=medium
* Bugs:
* #2519: first authentication returns 500 code after inactivity period
* #2566: No configuration available in fresh LemonLDAP 2.0.12
* #2594: Double slashes in _pdata->{_url} when LLNG is OIDC RP
* #2595: Portal does not run correctly with portalRequireOldPassword=0
* #2596: [security:low] open redirect in CAS gateway mode
* #2597: External password reset URL is called with skin= and url= parameters
* #2600: RESTProxy authentication does not work with AuthChoice-enabled internal Portal
* #2603: Saving configuration drops OIDC scope rules
* #2606: FindUser plugin: SpoofId field is not updated if a value has been already set before the Ajax request
* #2612: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
* #2613: ProxyAuth cookie name can not be modified
* #2616: Login is not remembered when password is incorrect
* #2618: DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
* #2620: Net::LDAP::Control::PasswordPolicy is not always loaded
* #2622: Fail oauth2 grants when resulting scope is empty
* #2626: Portal fatal errors cause "Conflict detected between 2 extensions, aborting 1 route" message to appear in logs
* #2632: Handler::Server::Nginx does not use logger config from lemonldap-ng.ini
* #2637: Error with default locationRules
* #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
* #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
* #2655: 'afterData' plugins loaded after Impersonation will be never executed
* #2656: CAS: multiple proxies is not correctly implemented
* #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
* #2660: Combination is not compatible with LDAP password policies
* #2663: Radius authentication fails when radius used as authentication module
* #2671: xss attack detected on a relayState parameter
* #2675: Auth::Custom calls module init twice
* #2676: UserDB::Custom and Password::Custom loads module twice and calls init three times
* #2677: *::Custom do not allow config overrides
* #2678: Auth::Custom getDisplayType is broken with choice
* #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
* #2689: REST server: 400 bad request with DELETE /session/my
* #2691: Error when using has2f in a manager rule
* #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
* #2703: OIDC RP menu attributes name do not refresh live
* New features:
* #1411: Web Authentication API (webauthn)
* #2325: "Warn on new network location" plugin
* #2679: CheckDevOps: Append an option to check if used attributes are existing
* #2686: Web service for application list
* Improvements:
* #1714: Check logLevel value
* #2277: pdata cookie is not removed if SAML flow fails
* #2457: Do not translate OIDC RP exported attributes
* #2476: $groups is not initialize for at least LDAP authentication
* #2508: Look configuration timestamp to dismiss cache
* #2558: Add a new portal error code for Auth::OIDC issues
* #2565: Adding per-request information in logs
* #2570: RGAA: Adding a role attribute into messages
* #2577: RGAA: placeholder only should not be used as label
* #2591: stayconnected plugin: allow to disable browser fingerprint check and update documentation
* #2593: Contextual / Adaptive authentication / Risk-based authentication
* #2599: Certificate reset templates are not translated
* #2601: RESTProxy authentication does not support Impersonation
* #2602: Export OIDC grant type in rules
* #2604: Append an option to normalize HTTP headers with CheckDevOps plugin
* #2605: llnglanguage cookie will be rejected if sameSite attribute is not set
* #2609: Better history management for plugins
* #2614: display precise error while sending direct SOAP SAML message
* #2617: SafeJail must be enabled with CheckDevOps plugin
* #2619: Brazilian translation
* #2621: SAML: HTTP-Artifact mode should be discouraged
* #2625: Add an option to encrypt TOTP secrets
* #2627: Append an option in Manager to be able to set RULES_URL param
* #2638: Redirect to 2fregisters is missing a slash
* #2644: No error displayed in logs in DevOps Handler when rules file can't be downloaded
* #2646: bruteForceProtectionMaxAge and bruteForceProtectionMaxLockTime missing from manager
* #2647: Display logins history with CheckUser plugin
* #2649: Portal plugins should not require an "init" method
* #2651: Hebrew Translation
* #2654: CAS temporary tickets should have a short expiration time
* #2657: Hidden attributes, custom functions and plugins declarations are inconsistent
* #2662: CheckUser plugin: Append a rule to allow some users to display hidden attributes
* #2664: impossible to use getModule in the Password modules
* #2667: Add RP confkey to oidcGenerateUserInfoResponse plugin hook
* #2668: CheckDevOps: prevent portal crash/loop if a bad rules.json file is provided
* #2672: DBI password hash list is too restrictive
* #2673: Allow to configure multiple service URL per CAS application
* #2679: CheckDevOps: Append an option to check if used attributes are existing
* #2683: Possibility to set an activation rule for "remember me" option
* #2685: DevOps handler uses default HTTPS redirection if no VH is defined
* #2694: Chrome warns about compromised data when using form replay
* #2698: Avoid useless warning messages in log
* Templates:
* #2325: "Warn on new network location" plugin
* #2570: RGAA: Adding a role attribute into messages
* #2577: RGAA: placeholder only should not be used as label
* #2597: External password reset URL is called with skin= and url= parameters
-- Clément <clem.oudot@gmail.com> Sat, 19 Feb 2022 17:49:18 +0100
lemonldap-ng (2.0.13) focal; urgency=medium
* Bugs:
* #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
* #2566: No configuration available in fresh LemonLDAP 2.0.12
* #2567: CORS headers not sent in userinfo endpoint error response
* #2568: SafeJail does not report errors correctly
* #2573: convertConfig does not work when target backend is empty
* #2589: FindUser plugin: minor improvements and several issues
* Improvements:
* #2558: Add a new portal error code for Auth::OIDC issues
* #2564: Missing options to use text emails for some features
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
* #2592: Bad error reporting during portal init
* Templates:
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
-- Clément <clem.oudot@gmail.com> Fri, 20 Aug 2021 18:30:23 +0200
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
lemonldap-ng (2.0.12) focal; urgency=medium
* Bugs:
* #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
* #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS trough lemonldap-ng-cli
* #2453: Manager API: missing doc and array handling of additional audiences
* #2455: llng-fastcgi-server exited with signal 13
* #2459: Debian packages: missing dependency to gsfonts may break Captcha
* #2460: "Underlying object can't load conf" in v2.0.11
* #2463: Portal plugin hooks triggered multiple times after reload
* #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
* #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
* #2475: OIDC: Invalid error code returned in badAuthRequest
* #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
* #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
* #2481: missing _utime in OIDC Client Credential sessions
* #2482: unexpected persistent sessions appear since 2.0.10
* #2483: Second factor removal does not work when hiding session ids from manager
* #2487: Incorrect error reporting in convertSessions
* #2489: Do not grant the openid scope during Resource Owner Password Grant
* #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
* #2495: [security:medium] XSS on register form
* #2498: convertSessions does not filter sessionKind correctly
* #2503: REST/SOAP exported attributes are not sent by REST server
* #2509: Local password policy: Allowing ALL special characters does not work
* #2511: expires_in in token response has the wrong JSON type in some cases
* #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
* #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
* #2520: Missing translations for DBI configuration
* #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
* #2529: [bug] OIDC userinfo as jwt not readable
* #2531: calling to_json with hash containing file handle fails
* #2534: CDA does not work with wildcard vhosts
* #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
* #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
* #2541: Misleading TOTP options
* #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
* #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
* #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
* #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
* #2550: Token endpoint should only emit ID token when scope contains "openid"
* New features:
* #1976: FindUser plugin
* #2451: CrowdSec plugin to query Crowdsec server
* #2458: CheckDevOps plugin
* #2510: Hook on password change
* #2532: add oidcGenerateCode hook
* #2554: Remove OIDC checksession iframe from metadata
* Improvements:
* #2260: Missing elements in sphinx documentation (mongodb)
* #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
* #2424: Feature: Scope Rules
* #2454: Append a Show/Hide password button into login form
* #2456: Prevent DevOps handler to send hidden session attributes
* #2462: Use timezone provided in input dates in extended function "checkDate"
* #2465: Force OIDC error messages to use JSON
* #2472: Loading metadata can be slow due to parsing of default certificate bundle
* #2484: Hook for populating client credential session
* #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
* #2496: Add new option to ignore undeclared OIDC scopes
* #2499: add key mapper for convertSession
* #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
* #2506: CAS: add an option to forbid host-based matching
* #2521: Avoid browsers parameter hide placeholder
* #2533: add hooks for CAS issuer
* #2536: optimize SingleSession to avoid unneeded session fetches
* #2544: Default 2FA register timeout is too low
* #2557: Avoid browsers to store new, old and confirmed password during update process
* #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)
* Templates:
* #1976: FindUser plugin
* #2454: Append a Show/Hide password button into login form
* #2458: CheckDevOps plugin
* #2495: [security:medium] XSS on register form
* #2521: Avoid browsers parameter hide placeholder
* #2541: Misleading TOTP options
* #2557: Avoid browsers to store new, old and confirmed password during update process
-- Clément <clem.oudot@gmail.com> Thu, 22 Jul 2021 17:41:44 +0200
lemonldap-ng (2.0.11) focal; urgency=medium
* Bugs:
* #2445: lmAuth param sent to protected application
* #2446: Incorrect MIME type on /psgi.js
* #2448: Adaptative Authentication rule triggered several times
* #2449: SAML SLO using Redirect/POST binding does not work with multiple SP
* New features:
* #1987: add grant_type=client_credentials in OIDC
* Improvements:
* #2397: OAuth2 handler should make client_id and scopes of the access token available to rules and headers
* #2436: CheckUser displays headers as they have been defined in conf intead of how they are sent
* #2444: set oidcServiceKeyIdSig by default
-- Clément <clem.oudot@gmail.com> Sat, 30 Jan 2021 18:33:37 +0100
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
lemonldap-ng (2.0.10) stable; urgency=medium
* Bugs:
* #1978: can't configure variables to post in virtual host's form replay with lemonldap-cli
* #2245: Manager API does not call reloadUrls
* #2262: SAML: SP-initiated logout does not propagate to external authentication modules
* #2267: LDAP timeout does not apply to search/bind/etc
* #2293: LL:NG 2.0.8 Manager test for external/working SMTP fails @ SSL handshake, terminates connections
* #2304: Error when using SMTP over SSL in CentOS 7
* #2310: Misspelled parameter in call to ldap->search()
* #2315: CheckUser plugin: option rules rely on checked user rather than connected user
* #2318: Manager API: translate JSON booleans to int
* #2332: [security:low] removal of registrable 2F does not test the current authn level
* #2340: lemonldap-ng-cli restore does not work if the config backend is empty
* #2342: Calling logout page for unauthenticated user forces login
* #2344: Enable keepalive on LDAP connections
* #2347: [Manager API] postLogoutRedirectUris should be an array
* #2348: [Manager API] Bad URL in documentation
* #2352: skipRenewConfirmation and skipUpgradeConfirmation options do not work
* #2354: Lemonldap::NG::Common::Conf::msg is never reset and grows indefinitely
* #2355: Password policy checker broken in password reset by mail template
* #2357: CDA query parameter not parsed when query params are reordered
* #2361: Cannot remove OIDC consent from session explorer
* #2364: llngconnexion cookie in the StayConnected-Plugin rejected
* #2365: Check my last logins option does not work with StayConnected plugin
* #2366: StayConnected plugin does not work with 2FA
* #2367: skip rule doesn't work with DevOps handler
* #2369: Memory leak in Issuer::_redirect
* #2373: Remove spaces from generated login when user register account
* #2374: Missing form-check-input class in form groups
* #2375: Refresh session plugin: refresh result is not checked before returning JSON answer
* #2377: Reset expired password process does not work without _whatToTrace macro or if old password is not required
* #2378: Error in inGroup expansion
* #2383: Vhost with wildcard with % sign, configuration not loaded in manager
* #2387: logout does not clear handler cache
* #2399: Local password policy check should be disabled when clicking on "generate password" checkbox
* #2401: Selinux policy blocks cache after restorecon
* #2403: Missing Ldap attribute in CAS ticket if equals 0
* #2410: LDAP connectivity issues on startup cause fatal initialization error when passwordDB=LDAP
* #2411: Javascript error when local password policy configured and password tab disabled in menu
* #2413: checkstate returns error 500 with user parameter
* #2417: Error in cookie name used by lemonldap regexp
* #2420: Auth::SAML should handle missing NameID
* #2425: "Configuration error: xxx SAML metadata has no EntityID" when updating SAML sp in manager API
* #2426: twitter auth fails when coming from oidc/saml/cas service
* #2429: SAML sessions fill up with logout sessions that do not expire
* #2430: Password not updated in session after password change
* #2440: OIDC api: redirect URI not handled at top level during get/update operations
* New features:
* #2336: Adaptative Authentication Plugin
* #2391: Add extended function to test for registered second factor
* #2408: Add Chinese (Taiwan) translation
* Improvements:
* #714: Make password change compatible with Combination
* #716: Make password reset work with Combination
* #2232: lmAttrOrMacro test in Manager is too restrictive
* #2266: local password policy conflicts with LDAP password policy
* #2301: password reset page(s) CSS issues
* #2309: Unintialized $app in CAS Issuer during test
* #2314: CheckUser plugin: Append an option to display computed sessions data
* #2316: "New keys" in saml security configuration should generate a certificate
* #2317: Combination and fail2ban logs
* #2319: Allow the SAML signature alg to be set per-provider
* #2321: Can't save configuration with 2 CAS applications sharing the same hostname
* #2322: Support for SHA384 and SHA512 saml signatures
* #2329: Display a warning if password module is enabled without password backend
* #2330: Allow to configure OIDC claims type
* #2331: Warning in default Nginx configuration
* #2334: GlobalLogout plugin can sometimes found some non-SSO or corrupted sessions
* #2335: apache handler: allow users to override the port/scheme for redirections
* #2339: Plugins refactoring
* #2341: Make SHA256 the default signature method for SAML
* #2345: RGAA recommand alt tags to be empty for decoration images
* #2350: [security:low] Hiding session ids from the manager
* #2356: RGAA 5.4 requires arrays to have defined captions
* #2359: plugin engine for issuers
* #2360: Avoid assignment in expressions
* #2368: StayConnected-Plugin: when user-agent changes login is only possible after deleting cookies
* #2372: Add a domain whitelist to Auth::Kerberos
* #2380: CORS headers not sent by sendError
* #2381: Append a hook to be able to overwrite access log
* #2386: CheckUser does not resolve vhost aliases
* #2388: Allow custom SSL logos when using choice
* #2393: All messages printed in userLogger should use whatToTrace value to log user name
* #2398: CheckUser: Append an option to hide specific headers value depending on tested VHost
* #2404: Force deletion of corrupted sessions in DBI and LDAP backends
* #2406: Possibility to use a different mail for 2FA and password reset
* #2409: Update Spanish translation
* #2414: Manager evaluates macros with Safe Jail whereas useSafeJail has been disabled
* #2422: Missing alt attributes in mail HTML templates
* #2427: Make AssertionConsumerServiceURL available to SAML rules
* #2438: Add a confirmation when deleting second factor
* Templates:
* #2301: password reset page(s) CSS issues
* #2355: Password policy checker broken in password reset by mail template
* #2356: RGAA 5.4 requires arrays to have defined captions
* #2365: Check my last logins option does not work with StayConnected plugin
* #2366: StayConnected plugin does not work with 2FA
* #2374: Missing form-check-input class in form groups
* #2422: Missing alt attributes in mail HTML templates
* #2438: Add a confirmation when deleting second factor
* WebServer Confs:
* #2331: Warning in default Nginx configuration
* #2434: [security:medium] Headers are not deleted for unprotected or skip locations with nginx handler
-- Clément <clem.oudot@gmail.com> Sun, 17 Jan 2021 16:52:38 +0100
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
lemonldap-ng (2.0.9) stable; urgency=medium
* Bugs:
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1980: Refresh my rights causes error 500 with OIDC provider
* #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
* #2196: Unable do display integer field with other fields in Manager
* #2199: StayConnected plugin not working due to error in fingerprint javascript
* #2200: Bad default value for portalDisplayOidcConsents
* #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
* #2212: Captcha or OTT is not renewed if Impersonation process failed
* #2215: CheckUser idRule is checked only if session is computed
* #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
* #2221: Bad error message when conf backend fails to load
* #2222: Errors in lemonldap-ng.ini are not correctly reported
* #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
* #2224: regression in redirection to SAML urls with query string after #2085
* #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
* #2230: LLNG 2.0.8 - Error on portal.js with IE 11
* #2234: Prevent browser caching in sendJSONresponse
* #2237: SAML SP error with auth kerberos
* #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
* #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
* #2254: Local session cache and systemd PrivateTmp
* #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
* #2257: Missing country in OpenID Connect Address Claim
* #2258: Error when using lougout_app_sso
* #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
* #2263: Incorrect SOAP Content-Type
* #2271: Labels are not working in auth form
* #2272: Secure flag missing on lemonldappdata cookie and during logout
* #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
* #2275: sgRequired option does not work when global storage is enabled for token
* #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
* #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
* #2289: Special chars password policy is not displayed if password is expired
* #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
* #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
* #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
* #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
* #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
* New features:
* #1646: integrate documentation into the codebase
* #2124: use 2FA only if and when needed
* #2205: Add a session command line (CLI) tool
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #2188: Declare vhost with wildcard and prefix/suffix
* #2189: Make externally-provisionned yubikeys easier to configure
* #2193: Polish translation
* #2195: Manager - Configuration's Author IP address field should honor $ipAddr
* #2201: Avoid Portal to crash with bad GrantSession rule
* #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
* #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
* #2214: add option to make convertConfig easier in most cases
* #2225: REST ression server is too intolerant of clock drift (2)
* #2233: Error/Warnings id not replaced with CLI
* #2239: Mail reset token should not be deleted at first page access
* #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
* #2241: Add CAS App management to the manager API
* #2242: Display new supported grant_types in OIDC discovery page
* #2244: Use configuration key in user log messages for all Issuer modules
* #2249: Check password policy on the client side when changing password
* #2251: Add a parameter for Syslog options
* #2252: No host in logs to use with Fail2ban
* #2265: increase log level for mail sending and password reset
* #2273: URL is not set to Portal URL after ContextSwitching
* #2276: Using bruteForceProtectionIncrementalTempo lock user at first attempt
* #2278: Display instance name when prompting a message
* #2280: User attribute based on local macro in Openid rp
* #2281: Manage SameSite default behavior
* #2283: Improve Notifications explorer to display done notifications content
* #2284: Improve serviceToken debug logs
* #2292: request "do not minify" json config option
* #2295: Erroneous use of NTLM should be explicitely reported to the user
* #2299: healthcheck endpoint for manager API
* #2302: correct usage of invalid vs unvalid in code & messaging
* #2303: Add del method to lemonldap-ng-cli
-- Clément <clem.oudot@gmail.com> Sun, 06 Sep 2020 19:59:22 +0200
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
lemonldap-ng (2.0.8) stable; urgency=medium
* Bugs:
* #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1776: Manager breaks when moving a newly created category or application
* #1939: expired issuer context is not reset when starting new authentication
* #1990: [warn] Route xxx redefined when using the fastCGI server
* #1992: Memory leak issue on CentOS 7 / perl 5.16
* #2048: t/32-OIDC-Refresh-Token.t fails randomly
* #2049: Unable to display notifications marked as done (DBI)
* #2050: Wrong message displayed by CheckUser plugin
* #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
* #2057: Log in request without captcha returns an internal server error
* #2058: Use of configuration cache can mix global and local configuration parameters
* #2059: Error in Manager / CLI / Editor when an attribute is not defined
* #2061: pdata not cleaned with Kerberos authentication
* #2063: Javascript error: window.datas is undefined
* #2072: Configuration comparator error on application menu "order"
* #2074: Portal menu : display condition with sp: does not work for SAML SP
* #2080: SAML POST to SP becomes GET when an info is displayed
* #2081: Parameter added to external redirect URL when info.tpl is used
* #2082: SSLVarIf cannot be set in manager
* #2085: OIDC provider doesn't work when info is displayed during the login process
* #2086: LDAP notifications backend does not work
* #2089: Old format notifications with file backend don t work
* #2090: Session creation mixup when supplying an existing _session_id
* #2097: Error after activating userLogger (Apache)
* #2099: Error 500 when SAML Session is expired
* #2101: Wildcard in virtualhost names : URL contains a non protected host
* #2104: Sessions are not well computed by CheckUser plugin
* #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
* #2111: Bad translation tag for password policy remaining grace message
* #2113: Password policy warning before password expiration is badly displayed
* #2116: Missing goToPortal translation for mails
* #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
* #2120: OIDC: hybrid flow does not issue ID token
* #2123: Rest2F does not transmit session attributes to Verify URL
* #2127: Cache reload throw an error if status enabled
* #2128: Manager with CDA issue
* #2133: Issues with removed second factors notification system
* #2138: logout forward doesn't work anymore
* #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
* #2142: OIDC consent validation fails after second factor form or redirection from external IDP
* #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
* #2144: OTT is not sent if SSL authentication fails with Choice
* #2148: Bad request with Notification SPA
* #2151: Session upgrade does not work with multiple second factors
* #2152: Nginx configuration files do not work with IPv6
* #2159: Single session module configuration
* #2165: Server error with rule on Combination
* #2167: OAuth2 handler should return 401 when access token is missing or invalid
* #2168: LLNG is too strict on OIDC scope syntax
* #2169: duplicates in _oidcConsents when scope is updated
* #2171: Introspection endpoint does not recognize refreshed Access Tokens
* #2179: refresh my rights downgrades authentication level set by 2FA
* #2180: SingleSession plugin does not work if history is displayed
* New features:
* #2033: Manager API to reset 2FA
* #2034: Manager API to manage SAML and OIDC clients
* #2069: Manage Cookie SameSite value
* #2136: Possibility to override language with a parameter in URL
* #2154: Github authentication backend
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #1877: Option to run setMacros after setGroups
* #1902: Configuration is saved even with errors with lemonldap-ng-cli
* #1957: Provide packages for CentOS 8
* #2046: compactConf is confusing
* #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
* #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
* #2068: Append an option to set CSP frame ancestors header
* #2070: LemonLDAP session cookie - SameSite attribute
* #2071: Allow users to see and display theirs accepted notifications
* #2073: Improve notifications SPA
* #2076: Possibility to configure a custom CSS file
* #2084: Make "error" the default log level for lasso
* #2088: BruteForce module: increase delay between each login attempt
* #2091: Better look for buttons in 2FA choice screen
* #2093: CheckUser - Remove persistent session attributes if required
* #2096: Improve introspection endpoint
* #2102: Bad Autologin rule lead to error 500 and crash the portal
* #2103: Add a rollback option to lemonldap-ng-cli
* #2106: CheckUser: Append an option to hide empty headers
* #2108: "Underlying object can't load conf" is a bad error message
* #2109: Securing the new API endpoints for 2.0.8 release
* #2114: Improve adaptive display and show instance name
* #2115: Possibility to select choice tab, as for menu tab
* #2117: Remove warning messages "uninitialized value $encryption_mode"
* #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
* #2121: Prevent Portal to crash if Custom Functions module is not found
* #2125: Internal Server Error when REST backend does not return a JSON Object
* #2126: Prevent Portal to crash if a bad rule is used for enabling a plugin
* #2129: AuthenticationLevel based macros and groups should be updated with second factor
* #2130: Append password policy options to define and require special characters
* #2131: Make json does nothing if only a Portal constant is appended
* #2132: Application icons are displayed with real sizes by the Manager and It is not particularly convenient
* #2135: Remove 'underscore' in notification reference
* #2140: Append an option to define applications tooltip
* #2145: Display a custom param with GlobalLogout plugin
* #2149: Add an easy way to set level of additional second factors
* #2155: Implement Resource Owner Password Credentials Grant
* #2156: "Require 2FA" should be renamed
* #2161: DBI should test that "table" is set
* #2164: Make SingleSession options configurable by a rule
* #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
* #2173: Make CheckUser options configurable by a rule
* #2175: Reorganize OIDC RP options in manager
* #2177: OIDC: Allow additional audiences for ID Token
* #2178: Make require old password option configurable by a rule
* #2182: Append a Show/Hide password button into change password form
* #2184: SAML logout request returns 400 error code if session is not found
* #2185: Append a rule to display sfaManager link
-- Clément <clem.oudot@gmail.com> Mon, 04 May 2020 22:43:29 +0200
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Tranlation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow differents type of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue like (#1884) occures with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
* #1834: Use base64 URL for JWT generation
* #1838: Return claims from scope values in ID token if no access token requested
* #1852: SAML request lost after notification
* #1853: Adding a second notification with same reference is not refused
* #1856: Unable to validate more than one notification (JSON format)
* #1857: Message "session is expired" if a notification is refused
* #1861: Persistent data and notification validation
* #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
* #1864: incorrect loading of SAML metadata when entityID containts html-encoded characters
* #1865: Dependencies missing in RPM
* #1866: Skin parameter is lost in second factor choice
* #1867: Bad error template with Combination and OTT timeout
* #1868: Yubikey enrolment failed on Internet Explorer
* #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
* #1874: OTT not regenerated after submitting TOTP form with an expired OTT
* #1875: Variables from Users module DBI is not used when Authentication module is LDAP (chain: [LDAP,DBI]
* #1876: $_ no longer works in macros, rules and headers since 2.0
* #1878: Pdata cookie not cleared after cross domain Auth request
* #1880: [Security:low] Restricted users can edit conf by using default route
* #1881: [Security:high] oidc authorization codes are not tied to their RP
* #1883: Infinite loop when displaying sessions by IP address
* #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
* #1890: LinkedIn v1 API is not available anymore
* #1891: GET parameter "cancel" with Choice and CAS authentication
* #1897: Emails are sometimes sent in the wrong language
* #1898: Handler SecureToken is not working anymore
* #1901: Handler error if a header definition is empty
* #1903: Mail password reset and Combination with LDAP does not work
* #1906: Missing MAIN_LOGO variable in redirect.tpl
* #1910: Issue with "force password change on next login" feature with LDAP
* #1915: Skin selected by rule is lost in 2FA process
* #1922: Accentuated UTF-8 value of header is UTF-8 encoded again by handler
* #1925: AuthBasic handler does not work with AuthChoice
* #1933: [Security:low] nginx portal example file does not filter REST urls
* #1935: [Security:medium] AuthSlave does not check credential headers
* New features:
* #993: Define a local password policy
* #1783: ContextSwitching plugin
* #1843: OAuth2 introspection endpoint
* #1847: Radius 2F module
* #1860: Multiple instances of 2F modules
* Improvements:
* #1619: Support IBM Tivoli Directory Server (ITDS)
* #1702: Improve log generated by lemonldap
* #1825: Possibility to disable persistent sessions
* #1829: Redirection lost between SSL/Ajax and SAML
* #1831: Warning in lemonldap-ng-cli
* #1832: Add save/restore in CLI help message and control restore parameters
* #1833: Show cli errors on file access
* #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
* #1842: Merge userLogger notice with logger debug
* #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
* #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
* #1849: CDA is not compatible with Handler::PSGI::Try
* #1850: No "Session granted" log if grantSession plugin not enabled
* #1851: Append notification REST services
* #1862: When displaying notifications, sort them by date and references
* #1870: REST Api endpoint "error"
* #1873: Labels for 2FA choices
* #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
* #1882: Confusing default OIDC issuer setting
* #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
* #1885: Append an option to log an extra parameter
* #1888: Javascript error on textContent method with .Net framework and WPF
* #1896: Add _session_kind to default SOAP/REST exported attributes
* #1899: Fix portal and manager display for Internet Explorer
* #1904: Append an option "don t compact conf" + debug log + compact CAS parameters if not enabled
* #1908: Complete blackout probably due to uncontroled SQL connexion timeout
* #1913: Append an option to allow / forbid browsers to store users password
* #1916: Issuer OTT timeout
* #1919: Customizable error message when a required SAML attribute is missing
* #1923: REST ression server is too intolerant of clock drift
* #1927: Implement CORS preflight request
* #1928: Option to hide password generation checkbox in mail password reset plugin
* #1929: Custom functions are not imported into Safe Jail
* #1930: Display password change form after a password policy error in mail reset password plugin
* #1931: Disable password input field until font is fully downloaded by browser
* #1932: REST session server should return both session and _httpSession id
* #1936: Append an option to display Slave logo
* #1938: CheckUser plugin : include search parameters
-- Clément <clem.oudot@gmail.com> Tue, 24 Sep 2019 11:13:39 +0200
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
lemonldap-ng (2.0.5) stable; urgency=medium
* Bugs:
* #1521: The manager renames the id of applications created by lemonldap-ng-cli
* #1655: Can't delete notifications from the manager
* #1717: Warnings "Devel::StackTrace" when using unnative Perl functions
* #1746: Impersonation does not work with double cookies authentication
* #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
* #1753: Logout with CASv2 is not working (Bad URL)
* #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
* #1755: CheckUser plugin fails if OTT globalStrorage is enabled
* #1759: Server Error when OpenID Connect provider enabled without any RP
* #1762: CDA sessions are not removed when handler uses SOAP
* #1775: Authentication with double cookies fails when uniq session is enabled
* #1777: Server Error with SAML SLO and expired SSO session
* #1779: Go to portal message not translated in register confirmation mail
* #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
* #1800: Auth::Slave is unusable with Choice
* #1802: No error returned if no code provided on OpenID Connect token endpoint
* #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
* #1809: UserDB::DBI with Auth::LDAP seems to not work properly
* #1810: [Security: low] llng-fastcgi-server could fail to setgid
* #1811: Lua-headers file is missing
* #1813: searchOn* does not work when a portal uses REST session backend
* #1814: Local cache not fully purged
* #1818: [Security:low] XXE vulnerability in SOAP notification server
* #1819: Portal Notification server unusable with old XML format
* #1821: Pdata not cleared after session upgrade
* #1822: Session upgrade does not work with 2FA
* #1824: lmConfigEditor does not work anymore
* #1826: Race condition on SSL login form button
* New features:
* #1796: Display a message if an expired 2f device is removed
* Improvements: