Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
javascript-path.patch | preserve javascript-common path | Xavier Guimard <x.guimard@free.fr> | not-needed | | | 2018-10-30 |
Avoid-developer-tests.patch | Avoid some heavy developer tests | Xavier Guimard <x.guimard@free.fr> | not-needed | debian | | 2016-12-26 |
fix-for-pod2man.diff | restore directory removed during import | Xavier Guimard <yadd@debian.org> | not-needed | | | 2020-03-29 |
replace-api-doc-by-link.diff | replace api doc by external link. api is a compiled webpage (swagger-codegen). Since there is now good Open-API doc generator in Debian archive, this doc is excluded and replaced by a link to upstream website | Xavier Guimard <yadd@debian.org> | yes | | | 2020-05-06 |
drop-network-test.patch | drop network test | Yadd <yadd@debian.org> | not-needed | | | 2023-03-29 |
fix-OP-acr-parsing.patch | fix incorrect parsing of OP-provided acr. Bug description: Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token; set oidcOPMetaDataOptionsAcrValues to loa-1. ACR value 1 is accepted despite not being part of the list ['loa-1']. The problem is in this regexp: `unless ( $acr_values =~ /\b$acr\b/i ) {` because \b matches too many things (in the example: it matches -) | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, commit: 3691978f | 2023-05-09 |
fix-viewer-endpoint.patch | fix viewer endpoint. Regression introduced in 2.16.1 | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, commit:c330347f | 2023-05-09 |
apply-user-control-to-authslave.patch | [Security] apply user-control to authSlave | Christophe Maudoux <chrmdx@gmail.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs | 2023-09-01 |
fix-open-redirection.patch | fix open redirection Maxime Besson <maxime.besson@worteks.com> | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342/diffs | 2023-09-01 |
fix-open-redirection-without-OIDC-redirect-uris.patch | Fix open redirection when OIDC RP has no oidcRPMetaDataOptionsRedirectUris. This issue concerns only people that modify config by hand. The manager refuses already a relying party without redirect URIs. | Yadd <yadd@debian.org> | not-needed | upstream | upstream, commit:c1de35ad | 2023-09-20 |
SSRF-issue.patch | fix SSRF vulnerability. Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs | 2023-09-22 |
CVE-2024-48933.patch | Fix XSS vulnerability. A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters. | Maxime Besson | not-needed | debian upstream | | 2024-10-15 |
fix-auth-level-escalation.patch | Do not run adaptativeAuthenticationLevel during refresh | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833 | 2024-11-09 |
fix-xss-in-upgrade-plugin.patch | Check XSS in ::Plugins::Upgrade | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614 | 2024-11-09 |