LemonLDAP::NG 2.0.4 is out!


This release contains a security fix for a major vulnerability, so you must upgrade as soon as possible!

To check whether your current installation is affected by this vulnerability, download this script and run it against your portal:

$ sh llng-1742-test.sh <your portal URL>

More details:

Here are some of the bug fixes and improvements in this release:

  • Security:
    • HIGH: Enabling tokenUseGlobalStorage allows unauthenticated users to access the portal (and protected applications without access rules)
    • LOW: The register_token issued during account creation can be used as a valid session identifier
    • MINOR: Update jQuery
  • Bugs:
    • [CAS] /validate endpoint does not return username
    • [Kerberos] Duplicate session opening when using multiple Kerberos instances in Combination
    • [Manager] Deleted category is not detected as a change when saving conf
    • [Manager] Configuration version in Manager is different from software version
  • Improvements:
    • [REST] Return Session ID when authentication is done via REST
    • [CAS] Allow per application CAS login override
    • [OIDC] Allow unauthenticated clients on token endpoint
    • [UI] Redirection page is now included in template
    • [UI] Highlight valid SSO sessions in sessions explorer
  • New features:

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/milestones/64

This release was made by:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS
  • Community (issues opening, tests, patches, pull requests): Carl R., Moritz Jordan, Mathieu Lecompte-melançon, Julien Ledoux

If you use LemonLDAP::NG and enjoy it, please let us know: