LemonLDAP::NG 2.0.7 is out!
This release contains some security fixes, including CVE-2019-19791

This new release fixes more than 60 issues. Here are some of the bugfixes and improvements in this release:

  • Security:
    • [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
    • [Security: medium] Redirection in OpenID Connect is granted by default if no URI defined in oidcRPMetaDataOptionsRedirectUris
    • [Security: low] afterData plugins (grantSession) cannot prevent session establishment when 2FA is in use
  • Bugs:
    • Issuer urldc is lost after error in 2F flow or notification flow
    • Outgoing emails are missing a Date: field
    • Zimbra preauth not working
    • REST config service not working
    • Server Error with OpenID Connect register endpoint
    • Manager version comparator does not work with minified JS
    • Reset expired password doesn't trigger when using Combination
    • Kerberos not working with session upgrade
    • After temporary ldap failure, ldap connections stop working forever
    • Authenticating with external OpenID Connect Provider fails because of special chars in user name
  • Improvements:
    • Possibility to configure new plugins in Manager
    • Add overScheme for persistent sessions
    • Allow different types of managerDN
    • Add a requiredAuthenticationLevel option for each URI
    • Add an option to force claims in ID token
    • Possibility to set attributes and extra claims in OIDC registration endpoints
    • Specific message and error code for 2F failure
  • New features:
    • Add per-service macros
    • New script to convert sessions between backends
    • Renew Captcha button
    • Provide refresh tokens in OpenID Connect
    • Certificate reset by mail
    • Possibility to view/close other sessions opened for the same user
    • Create a web service for "refresh my rights"
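The second security item above (an OpenID Connect redirection being granted when no URI is defined in oidcRPMetaDataOptionsRedirectUris) is a closed-by-default question. The following is an added example, not code from the LemonLDAP::NG project, written in Python rather than the project's Perl: it scans a configuration export for relying parties whose redirect URI list is empty or missing, and shows the strict validation a redirect_uri check should apply (exact string match, deny when nothing is registered). The assumed structure is an oidcRPMetaDataOptions hash keyed by RP name whose oidcRPMetaDataOptionsRedirectUris value is a space-separated string; the RP names and URLs in the sample are constructed.

```python
"""Audit OIDC relying-party redirect URIs in a LemonLDAP::NG-style config export.

Assumptions (not taken from the project): the export is JSON with a top-level
"oidcRPMetaDataOptions" hash keyed by RP name, and each RP's
"oidcRPMetaDataOptionsRedirectUris" is a space-separated list of URIs.
"""
import json

# Constructed sample configuration: hypothetical RP names and URLs.
SAMPLE_CONFIG = json.dumps({
    "oidcRPMetaDataOptions": {
        "app-good": {
            "oidcRPMetaDataOptionsRedirectUris":
                "https://app.example.com/cb https://app.example.com/cb2"
        },
        "app-empty": {"oidcRPMetaDataOptionsRedirectUris": ""},
        "app-missing": {},
    }
})


def registered_redirect_uris(config):
    """Return {rp_name: [uri, ...]} from a parsed config dict."""
    result = {}
    for rp, opts in config.get("oidcRPMetaDataOptions", {}).items():
        raw = opts.get("oidcRPMetaDataOptionsRedirectUris") or ""
        # Split on any whitespace; drop empty tokens.
        result[rp] = raw.split()
    return result


def audit(config_text):
    """List RPs that have no registered redirect URI at all.

    Before the fix described in the changelog such an RP would accept any
    redirection; these entries are the ones to complete or remove.
    """
    config = json.loads(config_text)
    return sorted(rp for rp, uris in registered_redirect_uris(config).items()
                  if not uris)


def is_redirect_allowed(registered, requested):
    """Closed-by-default redirect_uri check.

    - an empty allow list denies everything (no implicit grant);
    - comparison is exact string equality, as RFC 6749 section 3.1.2.3 and the
      OAuth 2.0 Security BCP recommend (no prefix, wildcard or host-only match),
      so query strings, fragments and path traversal never match.
    """
    if not registered or not requested:
        return False
    return requested in registered


if __name__ == "__main__":
    for rp in audit(SAMPLE_CONFIG):
        print(f"RP {rp!r} has no redirect URI registered")
    good = registered_redirect_uris(json.loads(SAMPLE_CONFIG))["app-good"]
    print(is_redirect_allowed(good, "https://app.example.com/cb"))        # True
    print(is_redirect_allowed(good, "https://app.example.com/cb?x=1"))    # False
```

Run it against a real export after replacing SAMPLE_CONFIG with the file contents; every RP name it prints is one where the fixed server will now refuse all redirections until a URI is registered, so the audit doubles as an upgrade checklist.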

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/69

Upgrade notes: https://lemonldap-ng.org/documentation/latest/upgrade#section207

Download: https://lemonldap-ng.org/download

This release was made by:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Linagora, SITIV, Métropole Européenne de Lille
  • Community (issue reports, tests, patches, pull requests): David Coutadeur, Andreas Deschka, Daniel Berteaud, Grégory Roy, Antoine Rosier, Mickael Bride, Vincent Filali-Ansary, Dave Conroy, Julien Ledoux, Louis Chemineau, Vincent Mazenod, Xavier Bachelot

If you use LemonLDAP::NG and enjoy it, please let us know: