Debian Patches
Status for lemonldap-ng/2.16.1+ds-deb12u6
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
javascript-path.patch | preserve javascript-common path | Xavier Guimard <x.guimard@free.fr> | not-needed | | | 2018-10-30 |
Avoid-developer-tests.patch | Avoid some heavy developer tests | Xavier Guimard <x.guimard@free.fr> | not-needed | debian | | 2016-12-26 |
fix-for-pod2man.diff | restore directory removed during import | Xavier Guimard <yadd@debian.org> | not-needed | | | 2020-03-29 |
replace-api-doc-by-link.diff | replace api doc by external link. api is a compiled webpage (swagger-codegen). Since there is now good Open-API doc generator in Debian archive, this doc is excluded and replaced by a link to upstream website | Xavier Guimard <yadd@debian.org> | yes | | | 2020-05-06 |
drop-network-test.patch | drop network test | Yadd <yadd@debian.org> | not-needed | | | 2023-03-29 |
fix-jwt.patch | fix bad JWT header | Yadd <yadd@debian.org> | yes | | | 2025-01-20 |
fix-OP-acr-parsing.patch | fix incorrect parsing of OP-provided acr. Bug description: * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token * Set oidcOPMetaDataOptionsAcrValues to loa-1. ACR value 1 is accepted despite not being part of the list ['loa-1']. The problem is in this regexp: unless ( $acr_values =~ /\b$acr\b/i ) { because \b matches too many things (in the example: it matches -) | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, commit: 3691978f | 2023-05-09 |
fix-viewer-endpoint.patch | fix viewer endpoint. Regression introduced in 2.16.1 | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, commit:c330347f | 2023-05-09 |
apply-user-control-to-authslave.patch | [Security] apply user-control to authSlave | Christophe Maudoux <chrmdx@gmail.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs | 2023-09-01 |
fix-open-redirection.patch | fix open redirection Maxime Besson <maxime.besson@worteks.com> | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342/diffs | 2023-09-01 |
fix-open-redirection-without-OIDC-redirect-uris.patch | Fix open redirection when OIDC RP has no oidcRPMetaDataOptionsRedirectUris. This issue concerns only people that modify config by hand. The manager refuses already a relying party without redirect URIs. | Yadd <yadd@debian.org> | not-needed | upstream | upstream, commit:c1de35ad | 2023-09-20 |
SSRF-issue.patch | fix SSRF vulnerability. Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs | 2023-09-22 |
CVE-2024-48933.patch | Fix XSS vulnerability. A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters. | Maxime Besson | not-needed | debian upstream | | 2024-10-15 |
fix-auth-level-escalation.patch | Do not run adaptativeAuthenticationLevel during refresh | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833 | 2024-11-09 |
fix-xss-in-upgrade-plugin.patch | Check XSS in ::Plugins::Upgrade | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614 | 2024-11-09 |
CVE-2024-52948.patch | fix CSRF on 2FA registration | Maxime Besson <maxime.besson@worteks.com> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/644 | 2025-01-22 |
fix-test-when-ldap-server-exists.patch | fix test when a LDAP server is run on build machine | Christophe Maudoux <chrmdx@gmail.com> | not-needed | | | 2025-02-02 |
CVE-2025-31510.patch | fix XSS/HTML Injection through tab parameter (Choice). An input validation vulnerability has been identified in the tab parameter when authentication is set to Choice. This issue allows for the injection of malicious content, including HTML, iframes, or JavaScript, with varying impacts depending on the applied Content Security Policy (CSP) configuration. | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/a790b15e9 | 2025-03-29 |
All known versions for source package 'lemonldap-ng'
- 2.21.2+ds-2 (forky, sid)
- 2.21.2+ds-1 (trixie)
- 2.21.2+ds-1~bpo12+1 (bookworm-backports)
- 2.16.1+ds-deb12u6 (bookworm-security, bookworm)