lemonldap-ng (2.17.1) jammy; urgency=medium

  * Bugs:
    * #2992: WAYF not triggered when using SAML federation plugin + one other provider
    * #2996: Invalid URL for application logo in myapplications web service
    * #2998: [Security:low] SSRF vulnerability in OIDC SSO
    * #3001: Conf::LDAP options in lemonldap-ng.ini overrides Auth options in portal
    * #3003: [Security:low] Open redirection when OIDC RP isn't configured with redirection uri
    * #3010: oidcServiceAllowOnlyDeclaredScopes option drop offline_access scope

 -- Clément <clem.oudot@gmail.com>  Mon, 25 Sep 2023 16:46:45 +0200

Clément OUDOT committed
lemonldap-ng (2.17.0) jammy; urgency=medium

  * Bugs:
    * #2055: Vhosts options hash key is removed after a while
    * #2641: Unable to remove value for casAppMetaDataOptionsAuthnLevel
    * #2711: Cannot override configuration in lemonldap-ng.ini when value is "0"
    * #2847: Configuration corruption due to accented characters
    * #2863: OIDC: `sid` in Front-Channel-Logout request is wrong
    * #2873: AjaxInitScript/InitCmd not called after Choice error
    * #2874: Removing oidcOPMetaDataOptionsAcrValues causes OIDC auth to fail
    * #2882: SAML signature validation fails in RHEL9 + Lasso 2.8.0
    * #2912: Non-reproducible error when redirecting to another URL (SAML, ...)
    * #2920: invalid entry in SAML IDP list after logout error
    * #2922: Remove | as separator for Choice configuration values
    * #2931: [Security:medium] open redirection due to incorrect escape handling in URI userinfo
    * #2932: unreachable LDAP server blocks initialization for too long
    * #2935: importMetadata causes encoding issues when saving conf
    * #2938: POST to /oauth2/token responds error 400 "This endpoint is not supposed to be called by authenticated users"
    * #2939: Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
    * #2942: Logout shouldn't fail when a OIDC/SAML partner doesn't respond
    * #2943: eduPersonTargetedID missing from Plugins::SamlFederation
    * #2946: userControl regexp is not applied by authSlave
    * #2948: Manager should accept mobile-style URL in OIDC callbacks
    * #2952: Unable to change password if LDAP returns PE_PP_CHANGE_AFTER_RESET and captcha is enabled
    * #2962: timeoutActivity feature makes Offline sessions expire prematurely
    * #2966: SAML federation plugin incorrectly skips entityIDs
    * #2979: forced saveConf does not correctly report success on MySQL/MariaDB
    * #2984: Test fails with Perl 5.38
    * #2987: Cannot use single quote in passwordPolicySpecialChar

  * New features:
    * #1194: OIDC: implement Back-Channel and Front-Channel logout
    * #2853: Add ability to use applications icons instead of images
    * #2862: OIDC: include `sid` claim
    * #2867: Add configuration extension hooks for OIDC
    * #2884: Manager API: add methods to get login history
    * #2885: Add plugin hook at sendHtml
    * #2903: Add a function in Safelib to match IP addresses reliably
    * #2940: Allow custom attributes to be sent for radius/radius2f access requests
    * #2959: Send Access-Request without password when preparing Radius 2FA validation
    * #2960: Add option to drop CSP headers from OIDC response
    * #2965: Add cassandra support (conf & sessions)

  * Improvements:
    * #2255: Improvements on OpenID Connect logout (id_token_hint, user consent, ...)
    * #2623: refactor code of Lemonldap::NG::Portal::Lib::Net::LDAP
    * #2701: Possibility to configure which OIDC attribute from ID token should be used as pivot
    * #2850: Improve CAS logout
    * #2858: Improve accountability of 2FA devices
    * #2878: Regexp to hide session attributes
    * #2881: StayConnected: do not try to fingerprint browser if fingerprint check is disabled
    * #2897: When Radius is in use, login failure does not log whether it's due to wrong credentials or to Radius unavailability
    * #2908: GlobalLogout plugin does not take into account confirm URL parameter
    * #2911: Manager warning when a config test needs confirmation is confusing
    * #2928: Extra '/' in 2FA urls
    * #2929: Set more than one class on LDAP group filter
    * #2934: Implement urn:oasis:names:tc:SAML:profiles:subject-id:req in SAML federations
    * #2949: Reset captcha input when renewing captcha & translate tooltip
    * #2950: Hide password policy when ticking 'Generate the password automatically' box
    * #2954: Add userData to log4perl placeholders
    * #2956: Allow custom jquery event handlers to block default processing
    * #2957: Add new jquery events for webauthn, SSL, Kerberos
    * #2961: Make RS256 the default ID Token signature algorithm
    * #2964: Allow customization of some error codes in templates
    * #2970: Provide all application information through REST service GET /myapplications
    * #2972: Better OIDC keys management
    * #2975: Allow admin to choose key size during certificate generation

  * Templates:
    * #2949: Reset captcha input when renewing captcha & translate tooltip
    * #2950: Hide password policy when ticking 'Generate the password automatically' box
    * #2987: Cannot use single quote in passwordPolicySpecialChar

 -- Clément <clem.oudot@gmail.com>  Wed, 30 Aug 2023 17:14:33 +0200

lemonldap-ng (2.16.2) jammy; urgency=medium

  * Bugs:
    * #2852: Allow multiple SSL choices
    * #2899: When Portal language is configured to follow browser language, change in browser language requires clearing a cookie
    * #2905: No applications displayed in menu for all users when one of the user has no rights to see them
    * #2907: Manager customCSS not available with minified files
    * #2909: Manager viewer uses the wrong endpoints to read conf
    * #2915: jsRedirect does not preserve GET parameter order
    * #2926: "Federation not found on login" SAML error when NameID not specified in request

  * Improvements:
    * #2906: Improve CheckUser display if there is no session data
    * #2910: OIDC option is missing or not well documented
    * #2917: Fix doc about REST server protection
    * #2921: Jquery-UI - Vulnerable version in use

  * Templates:
    * #2906: Improve CheckUser display if there is no session data
    * #2907: Manager customCSS not available with minified files

 -- Clément <clem.oudot@gmail.com>  Fri, 12 May 2023 18:50:33 +0200

lemonldap-ng (2.16.1) jammy; urgency=medium

  * Bugs:
    * #2871: Possible bug in manager related to adaptativeAuthenticationLevelRules
    * #2876: Errors in Manager FR translations
    * #2877: Captcha in login form is not displayed in case of back-end error
    * #2879: llnglanguage cookie should set "Secure" flag
    * #2887: URL parameter for Register and CertificateResetByMail plugins are not taken into account
    * #2896: [Security][CVE-2023-28862] AuthBasic does not handle failure correctly

 -- Clément <clem.oudot@gmail.com>  Tue, 28 Mar 2023 16:34:54 +0200

lemonldap-ng (2.0.16) jammy; urgency=medium

  * Bugs:
    * #2798: Can't locate Net/SSLeay.pm
    * #2799: Auth::SAML logout not performed when using a logout_sso $URL rule when using HTTP-POST binding
    * #2801: Auth::SAML generates invalid SAML requests by default
    * #2802: CDA does not work with wildcard vhosts containing a dash
    * #2803: [Security:low] Adding registrable 2F does not test the current authn level
    * #2806: SingleSession/StayConnected does not run other plugins (such as SingleSession) after login
    * #2807: Result of passwordAfterChange hook not used
    * #2809: portalSkinRules do not allow special characters in skin name
    * #2816: Redirection loop with jsRedirect
    * #2817: CrowdSec plugin broken: "URL must be absolute"
    * #2832: [Security:medium] Redirection URL validation bypass using credentials in URL
    * #2835: We can't duplicate a virtual host with a wildcard
    * #2839: Advanced sessions functions broken with Apache::Session::Redis
    * #2840: password toggle visibility on mobile does not work
    * #2841: Using Auth::OpenIDConnect twice in Auth::Choice leads to route redefined warning
    * #2842: Cannot hook storeHistory method after 2FA failure
    * #2845: "No change detected" when removing the last exported attribute/macro/scope, etc
    * #2846: Incorrect handling of custom schemes when auto-setting CSP form-action (with jsRedirect=1)
    * #2854: Confusing error message when trying to verify webauthn credential while there is no available credential
    * #2859: Password policy does not work with underscore

  * New features:
    * #2174: Support OIDC response_mode=form_post option
    * #2652: Integrate Pwned Passwords API from haveibeenpwned.com
    * #2684: Get the geolocation of the user
    * #2731: Handle SAML federations as a single configuration object
    * #2734: 2FA passphrase (low security level)
    * #2795: Generic 2FA register module
    * #2805: Support Traefik forwardAuth
    * #2819: Read attributes in Radius module
    * #2836: Implement basic SLO for CAS applications

  * Improvements:
    * #2415: Append a field to set a comment for each IdP or SP
    * #2588: "Bad URL" should be clarified
    * #2631: Change error message when SAML provider is unknown
    * #2778: Plugin authenticated routes don't have $req->sessionInfo by default
    * #2792: Rework AJAX-based authentication to enable 2FA, notifications, etc
    * #2808: Append a comment box into VHost options
    * #2814: --help on /usr/share/lemonldap-ng/bin/lemonldap-ng-sessions displays source code if perl-doc is missing
    * #2815: Simplify OIDC claims configuration
    * #2821: Inconsistent behavior among issuers when app is unknown or unauthorized
    * #2823: Append an option to define tooltip box with CAS, SAML and OIDC IDP
    * #2824: Add more attributes on the OpenID JWKS endpoints (alg, x5c, x5t)
    * #2826: Automatic password generation won't proceed without filling the new password text boxes
    * #2827: StayConnected: add a single session option
    * #2828: StayConnected: invalidate long-lived session on logout
    * #2830: Allow more characters in 2FA device names
    * #2831: Send client_id in logout request sent by OIDC RP
    * #2833: Display a message if no application is allowed
    * #2834: Append an option to sort tabs in portal menu
    * #2838: Allow custom implementations of OAuth 2.0 Token Exchange
    * #2848: Allow generic translation of HTML attributes
    * #2849: Allow to define ServiceToken scope with RegExp
    * #2855: Append an option to override manager drop-down menu links
    * #2857: Improve password policy definition and display

  * Templates:
    * #2734: 2FA passphrase (low security level)
    * #2795: Generic 2FA register module
    * #2823: Append an option to define tooltip box with CAS, SAML and OIDC IDP
    * #2826: Automatic password generation won't proceed without filling the new password text boxes
    * #2833: Display a message if no application is allowed
    * #2844: Use instance name to build SPA title

  * WebServer Confs:
    * #2786: provide nginx integration that doesn't use Lua

 -- Clément <clem.oudot@gmail.com>  Wed, 01 Feb 2023 10:49:47 +0100

lemonldap-ng (2.0.15.1) jammy; urgency=medium

  * Bugs:
    * #2796: "Internal Server Error" during MFA flow when using LDAP as UserDB in 2.0.15

 -- Clément <clem.oudot@gmail.com>  Thu, 15 Sep 2022 15:58:47 +0200

lemonldap-ng (2.0.15) jammy; urgency=medium

  * Bugs:
    * #2615: Redirection issue with Issue SAML + ForceAuthn=true + Kerberos authentication
    * #2650: Empty SCRIPT_NAME breaks the portal
    * #2690: Second factor logo/label not used on registration screen
    * #2708: Auth::OpenIDConnect redirects in a loop when invalid JSON metadata is provided
    * #2712: 2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
    * #2714: Session upgrade link in 2FA manager not working
    * #2716: 2FA registration does not auto-redirect to only available provider after deleting an existing 2FA
    * #2724: One importMetadata script default option isn't correct
    * #2733: Allowing ALL special characters does not work with reset password form
    * #2742: convertConfig no error but nothing converted
    * #2758: [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
    * #2760: Userinfo does not show updated attributes when using Offline sessions
    * #2769: missing handler logs with default Nginx + LemonLDAP
    * #2772: translation overrides from skin json files are not used when sending emails
    * #2773: translation override from skin bypasses llng.ini
    * #2785: Invalid <Organization> in SAML metadata can crash portal startup
    * #2787: Status: Unknown command line during OIDC flow
    * #2789: $portal->templateDir causes skin mix-up
    * #2791: After token timeout during 2FA flow, login form is left in broken state
    * #2793: samlGotAuthnRequest cannot modify $login->request when signature validation is enabled

  * New features:
    * #2491: Use environment variables placeholder in lemonldap json configuration
    * #2713: handle refresh tokens in Auth::OpenIDConnect
    * #2737: remember previous authentication choice
    * #2763: Install LL::NG on EL9

  * Improvements:
    * #2607: bypass OIDC logout confirmation
    * #2674: Add HSTS as new security parameter in the Manager
    * #2692: New API for CAPTCHA plugins
    * #2719: importMetadata should handle conflicts between multiple federations
    * #2720: importMetadata should be configurable
    * #2723: Cannot specify custom urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef values for LemonLDAP IdPs
    * #2725: Add session data to oidcGenerateUserInfoResponse
    * #2726: Add a session variable for used 2F module
    * #2732: Add userLogger event when a specific 2FA is selected
    * #2739: Provide a specific package to install LLNG FastCGI client
    * #2745: portalEnablePasswordDisplay is not used in password change form
    * #2746: SAML metadata without SingleLogoutService leads to error at logout
    * #2753: Add IDP selection rules for CAS and OIDC
    * #2755: OIDC: issue on token endpoint with method client_secret_basic
    * #2756: Allow customization of portal JS code with jQuery events
    * #2757: Allow admins to change the 2FA timeout
    * #2759: Append a go-back-to-top button
    * #2761: Append an option to customize Manager CSS
    * #2762: Add re-send option to code-based OTPs
    * #2768: Add new hooks on Access Token refresh
    * #2775: Notification process can not be continued with JSON response
    * #2780: New lemonldap-ng-cli subcommand: merge
    * #2782: Notifications are not sorted by sessions explorer and epoch is not converted into local date
    * #2784: Allow history fields to be translated in templates

  * Templates:
    * #2690: Second factor logo/label not used on registration screen
    * #2714: Session upgrade link in 2FA manager not working
    * #2737: remember previous authentication choice
    * #2745: portalEnablePasswordDisplay is not used in password change form
    * #2750: Option to define the favicon
    * #2759: Append a go-back-to-top button
    * #2761: Append an option to customize Manager CSS

 -- Clément <clem.oudot@gmail.com>  Fri, 09 Sep 2022 10:13:43 +0200

lemonldap-ng (2.0.14) focal; urgency=medium

  * Bugs:
    * #2519: first authentication returns 500 code after inactivity period
    * #2566: No configuration available in fresh LemonLDAP 2.0.12
    * #2594: Double slashes in _pdata->{_url} when LLNG is OIDC RP
    * #2595: Portal does not run correctly with portalRequireOldPassword=0
    * #2596: [security:low] open redirect in CAS gateway mode
    * #2597: External password reset URL is called with skin= and url= parameters
    * #2600: RESTProxy authentication does not work with AuthChoice-enabled internal Portal
    * #2603: Saving configuration drops OIDC scope rules
    * #2606: FindUser plugin: SpoofId field is not updated if a value has been already set before the Ajax request
    * #2612: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
    * #2613: ProxyAuth cookie name can not be modified
    * #2616: Login is not remembered when password is incorrect
    * #2618: DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
    * #2620: Net::LDAP::Control::PasswordPolicy is not always loaded
    * #2622: Fail oauth2 grants when resulting scope is empty
    * #2626: Portal fatal errors cause "Conflict detected between 2 extensions, aborting 1 route" message to appear in logs
    * #2632: Handler::Server::Nginx does not use logger config from lemonldap-ng.ini
    * #2637: Error with default locationRules
    * #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
    * #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
    * #2655: 'afterData' plugins loaded after Impersonation will be never executed
    * #2656: CAS: multiple proxies is not correctly implemented
    * #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
    * #2660: Combination is not compatible with LDAP password policies
    * #2663: Radius authentication fails when radius used as authentication module
    * #2671: xss attack detected on a relayState parameter
    * #2675: Auth::Custom calls module init twice
    * #2676: UserDB::Custom and Password::Custom loads module twice and calls init three times
    * #2677: *::Custom do not allow config overrides
    * #2678: Auth::Custom getDisplayType is broken with choice
    * #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
    * #2689: REST server: 400 bad request with DELETE /session/my
    * #2691: Error when using has2f in a manager rule
    * #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
    * #2703: OIDC RP menu attributes name do not refresh live

  * New features:
    * #1411: Web Authentication API (webauthn)
    * #2325: "Warn on new network location" plugin
    * #2679: CheckDevOps: Append an option to check if used attributes are existing
    * #2686: Web service for application list

  * Improvements:
    * #1714: Check logLevel value
    * #2277: pdata cookie is not removed if SAML flow fails
    * #2457: Do not translate OIDC RP exported attributes
    * #2476: $groups is not initialized for at least LDAP authentication
    * #2508: Look configuration timestamp to dismiss cache
    * #2558: Add a new portal error code for Auth::OIDC issues
    * #2565: Adding per-request information in logs
    * #2570: RGAA: Adding a role attribute into messages
    * #2577: RGAA: placeholder only should not be used as label
    * #2591: stayconnected plugin: allow to disable browser fingerprint check and update documentation
    * #2593: Contextual / Adaptive authentication / Risk-based authentication
    * #2599: Certificate reset templates are not translated
    * #2601: RESTProxy authentication does not support Impersonation
    * #2602: Export OIDC grant type in rules
    * #2604: Append an option to normalize HTTP headers with CheckDevOps plugin
    * #2605: llnglanguage cookie will be rejected if sameSite attribute is not set
    * #2609: Better history management for plugins
    * #2614: display precise error while sending direct SOAP SAML message
    * #2617: SafeJail must be enabled with CheckDevOps plugin
    * #2619: Brazilian translation
    * #2621: SAML: HTTP-Artifact mode should be discouraged
    * #2625: Add an option to encrypt TOTP secrets
    * #2627: Append an option in Manager to be able to set RULES_URL param
    * #2638: Redirect to 2fregisters is missing a slash
    * #2644: No error displayed in logs in DevOps Handler when rules file can't be downloaded
    * #2646: bruteForceProtectionMaxAge and bruteForceProtectionMaxLockTime missing from manager
    * #2647: Display logins history with CheckUser plugin
    * #2649: Portal plugins should not require an "init" method
    * #2651: Hebrew Translation
    * #2654: CAS temporary tickets should have a short expiration time
    * #2657: Hidden attributes, custom functions and plugins declarations are inconsistent
    * #2662: CheckUser plugin: Append a rule to allow some users to display hidden attributes
    * #2664: impossible to use getModule in the Password modules
    * #2667: Add RP confkey to oidcGenerateUserInfoResponse plugin hook
    * #2668: CheckDevOps: prevent portal crash/loop if a bad rules.json file is provided
    * #2672: DBI password hash list is too restrictive
    * #2673: Allow to configure multiple service URL per CAS application
    * #2679: CheckDevOps: Append an option to check if used attributes are existing
    * #2683: Possibility to set an activation rule for "remember me" option
    * #2685: DevOps handler uses default HTTPS redirection if no VH is defined
    * #2694: Chrome warns about compromised data when using form replay
    * #2698: Avoid useless warning messages in log

  * Templates:
    * #2325: "Warn on new network location" plugin
    * #2570: RGAA: Adding a role attribute into messages
    * #2577: RGAA: placeholder only should not be used as label
    * #2597: External password reset URL is called with skin= and url= parameters

 -- Clément <clem.oudot@gmail.com>  Sat, 19 Feb 2022 17:49:18 +0100

lemonldap-ng (2.0.13) focal; urgency=medium

  * Bugs:
    * #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
    * #2566: No configuration available in fresh LemonLDAP 2.0.12
    * #2567: CORS headers not sent in userinfo endpoint error response
    * #2568: SafeJail does not report errors correctly
    * #2573: convertConfig does not work when target backend is empty
    * #2589: FindUser plugin: minor improvements and several issues

  * Improvements:
    * #2558: Add a new portal error code for Auth::OIDC issues
    * #2564: Missing options to use text emails for some features
    * #2585: RGAA: to use autocomplete when possible
    * #2589: FindUser plugin: minor improvements and several issues
    * #2592: Bad error reporting during portal init

  * Templates:
    * #2585: RGAA: to use autocomplete when possible
    * #2589: FindUser plugin: minor improvements and several issues

 -- Clément <clem.oudot@gmail.com>  Fri, 20 Aug 2021 18:30:23 +0200

lemonldap-ng (2.0.12) focal; urgency=medium

  * Bugs:
    * #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
    * #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS through lemonldap-ng-cli
    * #2453: Manager API: missing doc and array handling of additional audiences
    * #2455: llng-fastcgi-server exited with signal 13
    * #2459: Debian packages: missing dependency to gsfonts may break Captcha
    * #2460: "Underlying object can't load conf" in v2.0.11
    * #2463: Portal plugin hooks triggered multiple times after reload
    * #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
    * #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
    * #2475: OIDC: Invalid error code returned in badAuthRequest
    * #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
    * #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
    * #2481: missing _utime in OIDC Client Credential sessions
    * #2482: unexpected persistent sessions appear since 2.0.10
    * #2483: Second factor removal does not work when hiding session ids from manager
    * #2487: Incorrect error reporting in convertSessions
    * #2489: Do not grant the openid scope during Resource Owner Password Grant
    * #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
    * #2495: [security:medium] XSS on register form
    * #2498: convertSessions does not filter sessionKind correctly
    * #2503: REST/SOAP exported attributes are not sent by REST server
    * #2509: Local password policy: Allowing ALL special characters does not work
    * #2511: expires_in in token response has the wrong JSON type in some cases
    * #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
    * #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
    * #2520: Missing translations for DBI configuration
    * #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
    * #2529: [bug] OIDC userinfo as jwt not readable
    * #2531: calling to_json with hash containing file handle fails
    * #2534: CDA does not work with wildcard vhosts
    * #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
    * #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
    * #2541: Misleading TOTP options
    * #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
    * #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
    * #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
    * #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
    * #2550: Token endpoint should only emit ID token when scope contains "openid"

  * New features:
    * #1976: FindUser plugin
    * #2451: CrowdSec plugin to query Crowdsec server
    * #2458: CheckDevOps plugin
    * #2510: Hook on password change
    * #2532: add oidcGenerateCode hook
    * #2554: Remove OIDC checksession iframe from metadata

  * Improvements:
    * #2260: Missing elements in sphinx documentation (mongodb)
    * #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
    * #2424: Feature: Scope Rules
    * #2454: Append a Show/Hide password button into login form
    * #2456: Prevent DevOps handler to send hidden session attributes
    * #2462: Use timezone provided in input dates in extended function "checkDate"
    * #2465: Force OIDC error messages to use JSON
    * #2472: Loading metadata can be slow due to parsing of default certificate bundle
    * #2484: Hook for populating client credential session
    * #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
    * #2496: Add new option to ignore undeclared OIDC scopes
    * #2499: add key mapper for convertSession
    * #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
    * #2506: CAS: add an option to forbid host-based matching
    * #2521: Avoid browsers parameter hide placeholder
    * #2533: add hooks for CAS issuer
    * #2536: optimize SingleSession to avoid unneeded session fetches
    * #2544: Default 2FA register timeout is too low
    * #2557: Prevent browsers from storing new, old and confirmed password during update process
    * #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)

  * Templates:
    * #1976: FindUser plugin
    * #2454: Append a Show/Hide password button into login form
    * #2458: CheckDevOps plugin
    * #2495: [security:medium] XSS on register form
    * #2521: Avoid browsers parameter hide placeholder
    * #2541: Misleading TOTP options
    * #2557: Prevent browsers from storing new, old and confirmed password during update process

 -- Clément <clem.oudot@gmail.com>  Thu, 22 Jul 2021 17:41:44 +0200

lemonldap-ng (2.0.11) focal; urgency=medium

  * Bugs:
    * #2445: lmAuth param sent to protected application
    * #2446: Incorrect MIME type on /psgi.js
    * #2448: Adaptative Authentication rule triggered several times
    * #2449: SAML SLO using Redirect/POST binding does not work with multiple SP

  * New features:
    * #1987: add grant_type=client_credentials in OIDC

  * Improvements:
    * #2397: OAuth2 handler should make client_id and scopes of the access token available to rules and headers
    * #2436: CheckUser displays headers as they have been defined in conf instead of how they are sent
    * #2444: set oidcServiceKeyIdSig by default

 -- Clément <clem.oudot@gmail.com>  Sat, 30 Jan 2021 18:33:37 +0100

lemonldap-ng (2.0.10) stable; urgency=medium

  * Bugs:
    * #1978: can't configure variables to post in virtual host's form replay with lemonldap-cli
    * #2245: Manager API does not call reloadUrls
    * #2262: SAML: SP-initiated logout does not propagate to external authentication modules
    * #2267: LDAP timeout does not apply to search/bind/etc
    * #2293: LL:NG 2.0.8 Manager test for external/working SMTP fails @ SSL handshake, terminates connections
    * #2304: Error when using SMTP over SSL in CentOS 7
    * #2310: Misspelled parameter in call to ldap->search()
    * #2315: CheckUser plugin: option rules rely on checked user rather than connected user
    * #2318: Manager API: translate JSON booleans to int
    * #2332: [security:low] removal of registrable 2F does not test the current authn level
    * #2340: lemonldap-ng-cli restore does not work if the config backend is empty
    * #2342: Calling logout page for unauthenticated user forces login
    * #2344: Enable keepalive on LDAP connections
    * #2347: [Manager API] postLogoutRedirectUris should be an array
    * #2348: [Manager API] Bad URL in documentation
    * #2352: skipRenewConfirmation and skipUpgradeConfirmation options do not work
    * #2354: Lemonldap::NG::Common::Conf::msg is never reset and grows indefinitely
    * #2355: Password policy checker broken in password reset by mail template
    * #2357: CDA query parameter not parsed when query params are reordered
    * #2361: Cannot remove OIDC consent from session explorer
    * #2364: llngconnexion cookie in the StayConnected-Plugin rejected
    * #2365: Check my last logins option does not work with StayConnected plugin
    * #2366: StayConnected plugin does not work with 2FA
    * #2367: skip rule doesn't work with DevOps handler
    * #2369: Memory leak in Issuer::_redirect
    * #2373: Remove spaces from generated login when user register account
    * #2374: Missing form-check-input class in form groups
    * #2375: Refresh session plugin: refresh result is not checked before returning JSON answer
    * #2377: Reset expired password process does not work without _whatToTrace macro or if old password is not required
    * #2378: Error in inGroup expansion
    * #2383: Vhost with wildcard with % sign, configuration not loaded in manager
    * #2387: logout does not clear handler cache
    * #2399: Local password policy check should be disabled when clicking on "generate password" checkbox
    * #2401: Selinux policy blocks cache after restorecon
    * #2403: Missing Ldap attribute in CAS ticket if equals 0
    * #2410: LDAP connectivity issues on startup cause fatal initialization error when passwordDB=LDAP
    * #2411: Javascript error when local password policy configured and password tab disabled in menu
    * #2413: checkstate returns error 500 with user parameter
    * #2417: Error in cookie name used by lemonldap regexp
    * #2420: Auth::SAML should handle missing NameID
    * #2425: "Configuration error: xxx SAML metadata has no EntityID" when updating SAML sp in manager API
    * #2426: twitter auth fails when coming from oidc/saml/cas service
    * #2429: SAML sessions fill up with logout sessions that do not expire
    * #2430: Password not updated in session after password change
    * #2440: OIDC api: redirect URI not handled at top level during get/update operations

  * New features:
    * #2336: Adaptative Authentication Plugin
    * #2391: Add extended function to test for registered second factor
    * #2408: Add Chinese (Taiwan) translation

  * Improvements:
    * #714: Make password change compatible with Combination
    * #716: Make password reset work with Combination
    * #2232: lmAttrOrMacro test in Manager is too restrictive
    * #2266: local password policy conflicts with LDAP password policy
    * #2301: password reset page(s) CSS issues
    * #2309: Uninitialized $app in CAS Issuer during test
    * #2314: CheckUser plugin: Append an option to display computed sessions data
    * #2316: "New keys" in saml security configuration should generate a certificate
    * #2317: Combination and fail2ban logs
    * #2319: Allow the SAML signature alg to be set per-provider
    * #2321: Can't save configuration with 2 CAS applications sharing the same hostname
    * #2322: Support for SHA384 and SHA512 saml signatures
    * #2329: Display a warning if password module is enabled without password backend
    * #2330: Allow to configure OIDC claims type
    * #2331: Warning in default Nginx configuration
    * #2334: GlobalLogout plugin can sometimes find some non-SSO or corrupted sessions
    * #2335: apache handler: allow users to override the port/scheme for redirections
    * #2339: Plugins refactoring
    * #2341: Make SHA256 the default signature method for SAML
    * #2345: RGAA recommends alt tags be empty for decoration images
    * #2350: [security:low] Hiding session ids from the manager
    * #2356: RGAA 5.4 requires arrays to have defined captions
    * #2359: plugin engine for issuers
    * #2360: Avoid assignment in expressions
    * #2368: StayConnected-Plugin: when user-agent changes login is only possible after deleting cookies
    * #2372: Add a domain whitelist to Auth::Kerberos
    * #2380: CORS headers not sent by sendError
    * #2381: Append a hook to be able to overwrite access log
    * #2386: CheckUser does not resolve vhost aliases
    * #2388: Allow custom SSL logos when using choice
    * #2393: All messages printed in userLogger should use whatToTrace value to log user name
    * #2398: CheckUser: Append an option to hide specific headers value depending on tested VHost
    * #2404: Force deletion of corrupted sessions in DBI and LDAP backends
    * #2406: Possibility to use a different mail for 2FA and password reset
    * #2409: Update Spanish translation
    * #2414: Manager evaluates macros with Safe Jail whereas useSafeJail has been disabled
    * #2422: Missing alt attributes in mail HTML templates
    * #2427: Make AssertionConsumerServiceURL available to SAML rules
    * #2438: Add a confirmation when deleting second factor

  * Templates:
    * #2301: password reset page(s) CSS issues
    * #2355: Password policy checker broken in password reset by mail template
    * #2356: RGAA 5.4 requires arrays to have defined captions
    * #2365: Check my last logins option does not work with StayConnected plugin
    * #2366: StayConnected plugin does not work with 2FA
    * #2374: Missing form-check-input class in form groups
    * #2422: Missing alt attributes in mail HTML templates
    * #2438: Add a confirmation when deleting second factor

  * WebServer Confs:
    * #2331: Warning in default Nginx configuration
    * #2434: [security:medium] Headers are not deleted for unprotected or skip locations with nginx handler

 -- Clément <clem.oudot@gmail.com>  Sun, 17 Jan 2021 16:52:38 +0100

lemonldap-ng (2.0.9) stable; urgency=medium

  * Bugs:
    * #1659: RESTProxy doesn't fully work as a UserDB module
    * #1980: Refresh my rights causes error 500 with OIDC provider
    * #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
    * #2196: Unable to display integer field with other fields in Manager
    * #2199: StayConnected plugin not working due to error in fingerprint javascript
    * #2200: Bad default value for portalDisplayOidcConsents
    * #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
    * #2212: Captcha or OTT is not renewed if Impersonation process failed
    * #2215: CheckUser idRule is checked only if session is computed
    * #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
    * #2221: Bad error message when conf backend fails to load
    * #2222: Errors in lemonldap-ng.ini are not correctly reported
    * #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
    * #2224: regression in redirection to SAML urls with query string after #2085
    * #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
    * #2230: LLNG 2.0.8 - Error on portal.js with IE 11
    * #2234: Prevent browser caching in sendJSONresponse
    * #2237: SAML SP error with auth kerberos
    * #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
    * #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
    * #2254: Local session cache and systemd PrivateTmp
    * #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
    * #2257: Missing country in OpenID Connect Address Claim
    * #2258: Error when using lougout_app_sso
    * #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
    * #2263: Incorrect SOAP Content-Type
    * #2271: Labels are not working in auth form
    * #2272: Secure flag missing on lemonldappdata cookie and during logout
    * #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
    * #2275: sgRequired option does not work when global storage is enabled for token
    * #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
    * #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
    * #2289: Special chars password policy is not displayed if password is expired
    * #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
    * #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
    * #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
    * #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
    * #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication

  * New features:
    * #1646: integrate documentation into the codebase
    * #2124: use 2FA only if and when needed
    * #2205: Add a session command line (CLI) tool

  * Improvements:
    * #1598: Proxy Backend support for Password Module (passwordDB)
    * #2188: Declare vhost with wildcard and prefix/suffix
    * #2189: Make externally-provisioned yubikeys easier to configure
    * #2193: Polish translation
    * #2195: Manager - Configuration's Author IP address field should honor $ipAddr
    * #2201: Prevent Portal from crashing with a bad GrantSession rule
    * #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
    * #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
    * #2214: add option to make convertConfig easier in most cases
    * #2225: REST session server is too intolerant of clock drift (2)
    * #2233: Error/Warnings id not replaced with CLI
    * #2239: Mail reset token should not be deleted at first page access
    * #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
    * #2241: Add CAS App management to the manager API
    * #2242: Display new supported grant_types in OIDC discovery page
    * #2244: Use configuration key in user log messages for all Issuer modules
    * #2249: Check password policy on the client side when changing password
    * #2251: Add a parameter for Syslog options
    * #2252: No host in logs to use with Fail2ban
    * #2265: increase log level for mail sending and password reset
    * #2273: URL is not set to Portal URL after ContextSwitching
    * #2276: Using bruteForceProtectionIncrementalTempo lock user at first attempt
    * #2278: Display instance name when prompting a message
    * #2280: User attribute based on local macro in Openid rp
    * #2281: Manage SameSite default behavior
    * #2283: Improve Notifications explorer to display done notifications content
    * #2284: Improve serviceToken debug logs
    * #2292: request "do not minify" json config option
    * #2295: Erroneous use of NTLM should be explicitly reported to the user
    * #2299: healthcheck endpoint for manager API
    * #2302: correct usage of invalid vs unvalid in code & messaging
    * #2303: Add del method to lemonldap-ng-cli

 -- Clément <clem.oudot@gmail.com>  Sun, 06 Sep 2020 19:59:22 +0200

lemonldap-ng (2.0.8) stable; urgency=medium

  * Bugs:
    * #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
    * #1659: RESTProxy doesn't fully work as a UserDB module
    * #1776: Manager breaks when moving a newly created category or application
    * #1939: expired issuer context is not reset when starting new authentication
    * #1990: [warn] Route xxx redefined when using the fastCGI server
    * #1992: Memory leak issue on CentOS 7 / perl 5.16
    * #2048: t/32-OIDC-Refresh-Token.t fails randomly
    * #2049: Unable to display notifications marked as done (DBI)
    * #2050: Wrong message displayed by CheckUser plugin
    * #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
    * #2057: Log in request without captcha returns an internal server error
    * #2058: Use of configuration cache can mix global and local configuration parameters
    * #2059: Error in Manager / CLI / Editor when an attribute is not defined
    * #2061: pdata not cleaned with Kerberos authentication
    * #2063: Javascript error: window.datas is undefined
    * #2072: Configuration comparator error on application menu "order"
    * #2074: Portal menu : display condition with sp: does not work for SAML SP
    * #2080: SAML POST to SP becomes GET when an info is displayed
    * #2081: Parameter added to external redirect URL when info.tpl is used
    * #2082: SSLVarIf cannot be set in manager
    * #2085: OIDC provider doesn't work when info is displayed during the login process
    * #2086: LDAP notifications backend does not work
    * #2089: Old format notifications with file backend don't work
    * #2090: Session creation mixup when supplying an existing _session_id
    * #2097: Error after activating userLogger (Apache)
    * #2099: Error 500 when SAML Session is expired
    * #2101: Wildcard in virtualhost names : URL contains a non protected host
    * #2104: Sessions are not well computed by CheckUser plugin
    * #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
    * #2111: Bad translation tag for password policy remaining grace message
    * #2113: Password policy warning before password expiration is badly displayed
    * #2116: Missing goToPortal translation for mails
    * #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
    * #2120: OIDC: hybrid flow does not issue ID token
    * #2123: Rest2F does not transmit session attributes to Verify URL
    * #2127: Cache reload throw an error if status enabled
    * #2128: Manager with CDA issue
    * #2133: Issues with removed second factors notification system
    * #2138: logout forward doesn't work anymore
    * #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
    * #2142: OIDC consent validation fails after second factor form or redirection from external IDP
    * #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
    * #2144: OTT is not sent if SSL authentication fails with Choice
    * #2148: Bad request with Notification SPA
    * #2151: Session upgrade does not work with multiple second factors
    * #2152: Nginx configuration files do not work with IPv6
    * #2159: Single session module configuration
    * #2165: Server error with rule on Combination
    * #2167: OAuth2 handler should return 401 when access token is missing or invalid
    * #2168: LLNG is too strict on OIDC scope syntax
    * #2169: duplicates in _oidcConsents when scope is updated
    * #2171: Introspection endpoint does not recognize refreshed Access Tokens
    * #2179: refresh my rights downgrades authentication level set by 2FA
    * #2180: SingleSession plugin does not work if history is displayed

  * New features:
    * #2033: Manager API to reset 2FA
    * #2034: Manager API to manage SAML and OIDC clients
    * #2069: Manage Cookie SameSite value
    * #2136: Possibility to override language with a parameter in URL
    * #2154: Github authentication backend

  * Improvements:
    * #1598: Proxy Backend support for Password Module (passwordDB)
    * #1877: Option to run setMacros after setGroups
    * #1902: Configuration is saved even with errors with lemonldap-ng-cli
    * #1957: Provide packages for CentOS 8
    * #2046: compactConf is confusing
    * #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
    * #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
    * #2068: Append an option to set CSP frame ancestors header
    * #2070: LemonLDAP session cookie - SameSite attribute
    * #2071: Allow users to see and display theirs accepted notifications
    * #2073: Improve notifications SPA
    * #2076: Possibility to configure a custom CSS file
    * #2084: Make "error" the default log level for lasso
    * #2088: BruteForce module: increase delay between each login attempt
    * #2091: Better look for buttons in 2FA choice screen
    * #2093: CheckUser - Remove persistent session attributes if required
    * #2096: Improve introspection endpoint
    * #2102: Bad Autologin rule leads to error 500 and crashes the portal
    * #2103: Add a rollback option to lemonldap-ng-cli
    * #2106: CheckUser: Append an option to hide empty headers
    * #2108: "Underlying object can't load conf" is a bad error message
    * #2109: Securing the new API endpoints for 2.0.8 release
    * #2114: Improve adaptive display and show instance name
    * #2115: Possibility to select choice tab, as for menu tab
    * #2117: Remove warning messages "uninitialized value $encryption_mode"
    * #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
    * #2121: Prevent Portal from crashing if Custom Functions module is not found
    * #2125: Internal Server Error when REST backend does not return a JSON Object
    * #2126: Prevent Portal from crashing if a bad rule is used for enabling a plugin
    * #2129: AuthenticationLevel based macros and groups should be updated with second factor
    * #2130: Append password policy options to define and require special characters
    * #2131: Make json does nothing if only a Portal constant is appended
    * #2132: Application icons are displayed with real sizes by the Manager and it is not particularly convenient
    * #2135: Remove 'underscore' in notification reference
    * #2140: Append an option to define applications tooltip
    * #2145: Display a custom param with GlobalLogout plugin
    * #2149: Add an easy way to set level of additional second factors
    * #2155: Implement Resource Owner Password Credentials Grant
    * #2156: "Require 2FA" should be renamed
    * #2161: DBI should test that "table" is set
    * #2164: Make SingleSession options configurable by a rule
    * #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
    * #2173: Make CheckUser options configurable by a rule
    * #2175: Reorganize OIDC RP options in manager
    * #2177: OIDC: Allow additional audiences for ID Token
    * #2178: Make require old password option configurable by a rule
    * #2182: Append a Show/Hide password button into change password form
    * #2184: SAML logout request returns 400 error code if session is not found
    * #2185: Append a rule to display sfaManager link

 -- Clément <clem.oudot@gmail.com>  Mon, 04 May 2020 22:43:29 +0200

lemonldap-ng (2.0.7) stable; urgency=medium

  * Bugs:
    * #1893: Issuer urldc is lost after error in 2F flow
    * #1909: Reset password by email issue
    * #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
    * #1945: passwordpolicy.tpl contains wrong tag
    * #1948: Translation menu does not work with Diff.html
    * #1949: Don't Store Password shows password in cleartext
    * #1952: "Attributes and macros" session keys should not be translated
    * #1953: Outgoing emails are missing a Date: field
    * #1954: zimbra preauth not working
    * #1955: Redirection lost after notification validation
    * #1960: REST config service not working
    * #1961: IDP selection rule regression in 2.0.0
    * #1963: Server Error with OpenID Connect register endpoint
    * #1964: Diff.html does not work with minified JS
    * #1966: Configuration reload does not apply changes to location rules
    * #1968: skippedUnitTests/skippedGlobalTests have no effect
    * #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
    * #1974: ServiceToken handler TTL value always set to default
    * #1984: Reset expired password doesn't trigger when using Combination
    * #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
    * #2009: Display authentication error on login form with Combination Kerberos + LDAP
    * #2010: Kerberos not working with session upgrade
    * #2012: Several issues with notification system
    * #2013: Handler, yum install
    * #2018: After temporary ldap failure, ldap connections stop working forever
    * #2038: Missing type attribute in 2FA HTML inputs
    * #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name

  * New features:
    * #813: Provide refresh tokens in OpenID Connect
    * #1605: certificate reset by mail
    * #1956: DecryptValue plugin
    * #1999: Possibility to view/close other sessions opened for the same user
    * #2006: Create a web service for "refresh my rights"

  * Improvements:
    * #1590: Possibility to configure new plugins in Manager
    * #1905: Append overScheme for persistent sessions
    * #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
    * #1947: Highlight active module with Diff.html
    * #1967: allow different types of managerDN
    * #1983: The script purgeCentralCache should be more fault tolerant
    * #1988: Append a requiredAuthenticationLevel option for each uri
    * #1989: Main logo and lang icons are missing with upgradesession template
    * #1991: Some user logs not using whatToTrace for username
    * #1993: Same issue as #1884 occurs with Issuer redirection
    * #1994: Append varInUri extended function
    * #1995: Add an option to force claims in ID token
    * #1996: REQUEST_URI env variable is not set by CheckUser plugin
    * #1997: Enable checkTime option by default
    * #1998: Misleading token ID format
    * #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
    * #2007: Password change prompt displayed even if initial auth fails
    * #2008: Specific message and error code for 2F failure
    * #2011: Create a function to test if a value belongs to a list
    * #2012: Several issues with notification system
    * #2014: New script to convert sessions between backends
    * #2019: Renew Captcha button
    * #2024: Change default value for cspFormAction
    * #2042: Add per-service macros

 -- Clément <clem.oudot@gmail.com>  Sat, 21 Dec 2019 16:59:22 +0100

lemonldap-ng (2.0.6) stable; urgency=medium

  * Bugs:
    * #1834: Use base64 URL for JWT generation
    * #1838: Return claims from scope values in ID token if no access token requested
    * #1852: SAML request lost after notification
    * #1853: Adding a second notification with same reference is not refused
    * #1856: Unable to validate more than one notification (JSON format)
    * #1857: Message "session is expired" if a notification is refused
    * #1861: Persistent data and notification validation
    * #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
    * #1864: incorrect loading of SAML metadata when entityID contains html-encoded characters
    * #1865: Dependencies missing in RPM
    * #1866: Skin parameter is lost in second factor choice
    * #1867: Bad error template with Combination and OTT timeout
    * #1868: Yubikey enrolment failed on Internet Explorer
    * #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
    * #1874: OTT not regenerated after submitting TOTP form with an expired OTT
    * #1875: Variables from Users module DBI are not used when Authentication module is LDAP (chain: [LDAP,DBI])
    * #1876: $_ no longer works in macros, rules and headers since 2.0
    * #1878: Pdata cookie not cleared after cross domain Auth request
    * #1880: [Security:low] Restricted users can edit conf by using default route
    * #1881: [Security:high] oidc authorization codes are not tied to their RP
    * #1883: Infinite loop when displaying sessions by IP address
    * #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
    * #1890: LinkedIn v1 API is not available anymore
    * #1891: GET parameter "cancel" with Choice and CAS authentication
    * #1897: Emails are sometimes sent in the wrong language
    * #1898: Handler SecureToken is not working anymore
    * #1901: Handler error if a header definition is empty
    * #1903: Mail password reset and Combination with LDAP does not work
    * #1906: Missing MAIN_LOGO variable in redirect.tpl
    * #1910: Issue with "force password change on next login" feature with LDAP
    * #1915: Skin selected by rule is lost in 2FA process
    * #1922: Accented UTF-8 value of header is UTF-8 encoded again by handler
    * #1925: AuthBasic handler does not work with AuthChoice
    * #1933: [Security:low] nginx portal example file does not filter REST urls
    * #1935: [Security:medium] AuthSlave does not check credential headers

  * New features:
    * #993: Define a local password policy
    * #1783: ContextSwitching plugin
    * #1843: OAuth2 introspection endpoint
    * #1847: Radius 2F module
    * #1860: Multiple instances of 2F modules

  * Improvements:
    * #1619: Support IBM Tivoli Directory Server (ITDS)
    * #1702: Improve log generated by lemonldap
    * #1825: Possibility to disable persistent sessions
    * #1829: Redirection lost between SSL/Ajax and SAML
    * #1831: Warning in lemonldap-ng-cli
    * #1832: Add save/restore in CLI help message and control restore parameters
    * #1833: Show cli errors on file access
    * #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
    * #1842: Merge userLogger notice with logger debug
    * #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
    * #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
    * #1849: CDA is not compatible with Handler::PSGI::Try
    * #1850: No "Session granted" log if grantSession plugin not enabled
    * #1851: Append notification REST services
    * #1862: When displaying notifications, sort them by date and references
    * #1870: REST Api endpoint "error"
    * #1873: Labels for 2FA choices
    * #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
    * #1882: Confusing default OIDC issuer setting
    * #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
    * #1885: Append an option to log an extra parameter
    * #1888: Javascript error on textContent method with .Net framework and WPF
    * #1896: Add _session_kind to default SOAP/REST exported attributes
    * #1899: Fix portal and manager display for Internet Explorer
    * #1904: Append an option "don't compact conf" + debug log + compact CAS parameters if not enabled
    * #1908: Complete blackout probably due to uncontrolled SQL connection timeout
    * #1913: Append an option to allow / forbid browsers to store users password
    * #1916: Issuer OTT timeout
    * #1919: Customizable error message when a required SAML attribute is missing
    * #1923: REST session server is too intolerant of clock drift
    * #1927: Implement CORS preflight request
    * #1928: Option to hide password generation checkbox in mail password reset plugin
    * #1929: Custom functions are not imported into Safe Jail
    * #1930: Display password change form after a password policy error in mail reset password plugin
    * #1931: Disable password input field until font is fully downloaded by browser
    * #1932: REST session server should return both session and _httpSession id
    * #1936: Append an option to display Slave logo
    * #1938: CheckUser plugin : include search parameters

 -- Clément <clem.oudot@gmail.com>  Tue, 24 Sep 2019 11:13:39 +0200

lemonldap-ng (2.0.5) stable; urgency=medium

  * Bugs:
    * #1521: The manager renames the id of applications created by lemonldap-ng-cli
    * #1655: Can't delete notifications from the manager
    * #1717: Warnings "Devel::StackTrace" when using non-native Perl functions
    * #1746: Impersonation does not work with double cookies authentication
    * #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
    * #1753: Logout with CASv2 is not working (Bad URL)
    * #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
    * #1755: CheckUser plugin fails if OTT globalStorage is enabled
    * #1759: Server Error when OpenID Connect provider enabled without any RP
    * #1762: CDA sessions are not removed when handler uses SOAP
    * #1775: Authentication with double cookies fails when unique session is enabled
    * #1777: Server Error with SAML SLO and expired SSO session
    * #1779: Go to portal message not translated in register confirmation mail
    * #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
    * #1800: Auth::Slave is unusable with Choice
    * #1802: No error returned if no code provided on OpenID Connect token endpoint
    * #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
    * #1809: UserDB::DBI with Auth::LDAP seems to not work properly
    * #1810: [Security: low] llng-fastcgi-server could fail to setgid
    * #1811: Lua-headers file is missing
    * #1813: searchOn* does not work when a portal uses REST session backend
    * #1814: Local cache not fully purged
    * #1818: [Security:low] XXE vulnerability in SOAP notification server
    * #1819: Portal Notification server unusable with old XML format
    * #1821: Pdata not cleared after session upgrade
    * #1822: Session upgrade does not work with 2FA
    * #1824: lmConfigEditor does not work anymore
    * #1826: Race condition on SSL login form button

  * New features:
    * #1796: Display a message if an expired 2f device is removed

  * Improvements:
    * #1706: html not interpreted for translated messages
    * #1723: Real authentication is masked when using proxy authentication module
    * #1732: Sessions explorer and Browseable::Postgres
    * #1734: RPM version uses JSON::PP instead of JSON::XS
    * #1747: Logging out from portal causes an error with doubleCookie after refreshing rights
    * #1750: Wrong version / author / IP / log in lemonldap-ng-cli
    * #1758: Warnings in Viewer.pm when saving configuration
    * #1763: Transmission of Authorization header should probably be on by default