LemonLDAP::NG 2.0.6 is out!

This release contains some security fixes, including CVE-2019-15941

This is quite a big release, with more than 80 issues closed! Here are some of the bugfixes and improvements in this release:

  • Security:
    • [Security:high] OIDC authorization codes are not tied to their RP (CVE-2019-15941)
    • [Security:medium] AuthSlave does not check credential headers
    • [Security:low] nginx portal example file does not filter REST urls
    • [Security:low] Restricted users can edit conf by using default route
    • [Security:low] Access token expiration time is not enforced on userinfo or OAuth handler
    • [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
    • [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
  • Bugs:
    • [OIDC] Use base64 URL for JWT generation
    • [OIDC] Return claims from scope values in ID token if no access token requested
    • [Notifications] Many fixes with authentication workflow
    • [SAML] Incorrect loading of SAML metadata when entityID contains HTML-encoded characters
    • [LinkedIn] LinkedIn v1 API is not available anymore
    • [Password Reset] Several fixes with LDAP backend / Combination backend
    • Some encoding fixes
  • Improvements:
    • [LDAP] Support IBM Tivoli Directory Server (ITDS)
    • Better logging
    • [CheckUser plugin] search parameters
    • Implement CORS preflight request
  • New features:
    • Define a local password policy
    • ContextSwitching plugin
    • OAuth2 introspection endpoint
    • Radius 2F module
    • Multiple instances of 2F modules
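
To make the two OIDC items above concrete (the high-severity CVE-2019-15941 entry, where an authorization code issued to one RP could be redeemed by another, and the low-severity entry about access token expiry not being enforced on userinfo), here is an added illustration of the checks an authorization server needs. It is toy code written for this post, not LemonLDAP::NG's Perl implementation; the client ids, redirect URIs, lifetimes and in-memory store are all made up for the example.

```python
"""
Illustration of two checks from the 2.0.6 security list: an authorization
code is bound to the RP (client_id) and redirect_uri it was issued for, and
the access token's expiry is enforced at the userinfo endpoint.
Toy in-memory server, not LemonLDAP::NG code. All identifiers are invented.
"""
import secrets
import time

CODE_LIFETIME = 60      # seconds a code stays redeemable (assumed value)
TOKEN_LIFETIME = 3600   # seconds an access token stays valid (assumed value)


class TokenError(Exception):
    """Raised for any OAuth2 error response (invalid_grant, invalid_token)."""


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self._codes = {}            # code  -> {client_id, redirect_uri, sub, expires}
        self._tokens = {}           # token -> {client_id, sub, expires}

    def issue_code(self, client_id, redirect_uri, sub):
        """Authorization endpoint: record which RP the code belongs to."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "sub": sub,
            "expires": self.clock() + CODE_LIFETIME,
        }
        return code

    def redeem_code(self, code, client_id, redirect_uri):
        """Token endpoint: the code is single-use and must match the caller."""
        # Pop first: a code presented by the wrong client, or replayed, is
        # burned rather than left redeemable.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise TokenError("invalid_grant: unknown or already used code")
        if entry["client_id"] != client_id:
            # The CVE-2019-15941 class of bug: without this comparison, RP B
            # can exchange a code that was issued to RP A.
            raise TokenError("invalid_grant: code issued to another client")
        if entry["redirect_uri"] != redirect_uri:
            raise TokenError("invalid_grant: redirect_uri mismatch")
        if self.clock() > entry["expires"]:
            raise TokenError("invalid_grant: code expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "client_id": client_id,
            "sub": entry["sub"],
            "expires": self.clock() + TOKEN_LIFETIME,
        }
        return token

    def userinfo(self, token):
        """Userinfo endpoint: check expiry here, not only when the token is issued."""
        entry = self._tokens.get(token)
        if entry is None:
            raise TokenError("invalid_token")
        if self.clock() > entry["expires"]:
            self._tokens.pop(token, None)
            raise TokenError("invalid_token: expired")
        return {"sub": entry["sub"]}


def demo():
    """Walk the three failure cases and the happy path; returns outcomes by name."""
    now = [1_000_000.0]                       # fake clock, advanced by hand
    srv = AuthServer(clock=lambda: now[0])
    results = {}

    def attempt(fn):
        try:
            fn()
            return "accepted"
        except TokenError:
            return "rejected"

    # 1. A code issued to rp-a is presented by rp-b: must be refused (and burned).
    stolen = srv.issue_code("rp-a", "https://rp-a.example/cb", "alice")
    results["cross_rp"] = attempt(
        lambda: srv.redeem_code(stolen, "rp-b", "https://rp-b.example/cb"))

    # 2. Legitimate flow: rp-a redeems its own code and calls userinfo.
    code = srv.issue_code("rp-a", "https://rp-a.example/cb", "alice")
    token = srv.redeem_code(code, "rp-a", "https://rp-a.example/cb")
    results["userinfo"] = srv.userinfo(token)["sub"]

    # 3. Replaying the already-consumed code fails even for the right client.
    results["replay"] = attempt(
        lambda: srv.redeem_code(code, "rp-a", "https://rp-a.example/cb"))

    # 4. After the token lifetime, userinfo must refuse the token.
    now[0] += TOKEN_LIFETIME + 1
    results["expired"] = attempt(lambda: srv.userinfo(token))
    return results


if __name__ == "__main__":
    print(demo())
```

The client_id comparison is the whole of the CVE fix in miniature: the token endpoint must look at who the code was issued to, not only at whether the code string exists. Burning the code on a mismatched or repeated presentation follows RFC 6749 section 4.1.2, which recommends revoking a code that is used more than once.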

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/67

They made this release:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Adoma
  • Community (issues opening, tests, patches, pull requests): Bastien JEAN, Gilles Ménigot, Emmanuel Langguth, Julien Ledoux, Andreas Deschka, Arnaud Gillard, Alexandre LINTE, Guillaume, Raphael Geissert, Xavier Bachelot

If you use LemonLDAP::NG and enjoy it, please let us know: