Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
javascript-path.patch | preserve javascript-common path | Xavier Guimard <x.guimard@free.fr> | not-needed | | | 2018-10-30 |
Avoid-developer-tests.patch | Avoid some heavy developer tests | Xavier Guimard <x.guimard@free.fr> | no | debian | | 2016-12-26 |
fix-for-pod2man.diff | restore directory removed during import | Xavier Guimard <yadd@debian.org> | not-needed | | | 2020-03-29 |
replace-api-doc-by-link.diff | replace API doc by external link: api is a compiled webpage (swagger-codegen). Since there is now a good OpenAPI doc generator in the Debian archive, this doc is excluded and replaced by a link to the upstream website | Xavier Guimard <yadd@debian.org> | yes | | | 2020-05-06 |
CVE-2021-35472.patch | fix session cache corruption | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/b6a1f946 | 2021-06-25 |
CVE-2021-35473.patch | Add missing access token expiration check in OAuth2 handler | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/23a8a100 | 2021-06-25 |
fix-trusted-domain-wildcard.patch | Reject hashes in URL | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/4b20e54b | 2021-06-25 |
fix-trusted-domain-regex.patch | fix trusted domain regex | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/3b8222ae8 | 2021-06-25 |
fix-xss-on-register-form.patch | fix XSS on register form https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/297dc830a | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/d6968535 | 2021-06-25 |
dont-display-totp-secret.patch | don't display TOTP secret to connected user nor in logs | Maxime Besson | not-needed | upstream | upstream | 2021-06-25 |
CVE-2021-40874.patch | Fix auth process in password-testing plugins (#2611) | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8 | 2022-01-14 |
CVE-2022-37186.patch | Improve session destroy propagation | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b3 | 2022-09-11 |
fix-url-validation-bypass.patch | Fix URL validation bypass: an attacker can forge a redirection to a malicious site using fake credentials in the URL value. Example: Portal: https://auth.openid.club; Allowed application: https://test1.openid.club; Malicious site: https://google.fr; Malicious URL: https://test1.openid.club:test@google.fr; Malicious URL base64: aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=; Malicious redirection trigger: https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo= | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, commit:88d3507d commit:e6156db0 | 2023-02-05 |
CVE-2023-28862.patch | fix AuthBasic security issue when used with second factor. To simplify, AuthBasic accepted connections even if 2FA failed | Yadd <yadd@debian.org> | not-needed | upstream | | 2023-03-29 |
fix-open-redirection-without-OIDC-redirect-uris.patch | Fix open redirection when OIDC RP has no oidcRPMetaDataOptionsRedirectUris. This issue concerns only people who modify the config by hand; the manager already refuses a relying party without redirect URIs. | Yadd <yadd@debian.org> | not-needed | upstream | upstream, commit:c1de35ad | 2023-09-20 |
fix-open-redirection.patch | fix open redirection Maxime Besson <maxime.besson@worteks.com> | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342/diffs | 2023-09-20 |
SSRF-issue.patch | fix SSRF vulnerability Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs | 2023-09-23 |
CVE-2024-48933/01-288a506.patch | Do not rely on JS variable for autofocus | Maxime Besson <maxime.besson@worteks.com> | yes | debian upstream | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/288a5061d42d7e6a5a2932a4d3914dca100f9c25 | 2024-09-04 |
CVE-2024-48933/02-2bacbb4.patch | Escape login in HTML templates | Maxime Besson <maxime.besson@worteks.com> | yes | debian upstream | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/2bacbb4aa76a3f58f0156d453d1745d40d490ca8 | 2024-09-05 |
CVE-2024-52946/01-63a045e.patch | Do not run adaptativeAuthenticationLevel during refresh | Maxime Besson <maxime.besson@worteks.com> | yes | debian upstream | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/63a045e4a4ad579559cfe04e644b0cefe2f1137b | 2024-10-28 |
CVE-2024-52946/02-065b71b.patch | Unit test for #3255 | Maxime Besson <maxime.besson@worteks.com> | yes | debian upstream | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/065b71ba4e97d7f8dbfe61900e9d4d587109f11b | 2024-10-28 |
CVE-2024-52947.patch | Check XSS in ::Plugins::Upgrade | Maxime Besson <maxime.besson@worteks.com> | yes | debian upstream | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc | 2024-10-27 |