Debian Patches

Status for lemonldap-ng/2.16.1+ds-deb12u7

Fields per patch: Description, Author, Forwarded, Bugs, Origin, Last update. The Bugs column is empty for every patch in this version and is omitted below.

javascript-path.patch
  Description: preserve javascript-common path
  Author: Xavier Guimard <x.guimard@free.fr>
  Forwarded: not-needed
  Last update: 2018-10-30

Avoid-developer-tests.patch
  Description: avoid some heavy developer tests
  Author: Xavier Guimard <x.guimard@free.fr>
  Forwarded: not-needed
  Origin: debian
  Last update: 2016-12-26

fix-for-pod2man.diff
  Description: restore directory removed during import
  Author: Xavier Guimard <yadd@debian.org>
  Forwarded: not-needed
  Last update: 2020-03-29

replace-api-doc-by-link.diff
  Description: replace API doc by external link. The API doc is a compiled web page (swagger-codegen). Since there is now a good OpenAPI doc generator in the Debian archive, this doc is excluded and replaced by a link to the upstream website.
  Author: Xavier Guimard <yadd@debian.org>
  Forwarded: yes
  Last update: 2020-05-06

drop-network-test.patch
  Description: drop network test
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Last update: 2023-03-29

fix-jwt.patch
  Description: fix bad JWT header
  Author: Yadd <yadd@debian.org>
  Forwarded: yes
  Last update: 2025-01-20

fix-OP-acr-parsing.patch
  Description: fix incorrect parsing of OP-provided acr. Bug description:
    * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token
    * Set oidcOPMetaDataOptionsAcrValues to loa-1
    ACR value 1 is accepted despite not being part of the list ['loa-1'].
    The problem is in this regexp:
      unless ( $acr_values =~ /\b$acr\b/i ) {
    because \b matches too many things (in the example, it matches the "-" in "loa-1", so "1" is found as a whole word).
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, commit: 3691978f
  Last update: 2023-05-09
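The regexp quoted in the bug description, as an added example that is not part of the Debian patch or of LemonLDAP::NG itself: a minimal Perl reproduction of the buggy check next to a hardened one, run on the values from the bug report. The subroutine names acr_allowed_buggy and acr_allowed_fixed are mine, the test cases are constructed, and treating oidcOPMetaDataOptionsAcrValues as a space-separated list (as the OIDC acr_values parameter is) is an assumption about how the option is configured.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: the ACR check described in
# fix-OP-acr-parsing.patch, before and after hardening.
use strict;
use warnings;

# Buggy check, as quoted in the patch description. \b is a word boundary
# and "-" is not a word character, so /\b1\b/ matches the "1" at the end
# of "loa-1". Note also that $acr (taken from the OP's ID token) is
# interpolated into the pattern without \Q...\E, so regex metacharacters
# in the claim are interpreted.
sub acr_allowed_buggy {
    my ( $acr_values, $acr ) = @_;
    return ( $acr_values =~ /\b$acr\b/i ) ? 1 : 0;
}

# Hardened check (mine, not the upstream commit): treat the configured
# value as a space-separated allowlist (assumption) and require an exact,
# case-insensitive match of a whole entry. No regex is built from the
# token-supplied value at all.
sub acr_allowed_fixed {
    my ( $acr_values, $acr ) = @_;
    return 0 unless defined $acr && length $acr;
    for my $allowed ( grep { length } split /\s+/, $acr_values ) {
        return 1 if lc($allowed) eq lc($acr);
    }
    return 0;
}

# Constructed cases: [configured list, acr claim from the ID token,
# verdict a correct check must give]
my @cases = (
    [ 'loa-1',       '1',     0 ],   # the reported bug
    [ 'loa-1',       'loa-1', 1 ],
    [ 'loa-1 loa-2', 'LOA-2', 1 ],   # case-insensitive, second entry
    [ 'loa-1 loa-2', 'loa',   0 ],   # a prefix must not pass either
    [ 'loa-1',       '.*',    0 ],   # regex metacharacters from the OP
);

for my $c (@cases) {
    my ( $list, $acr, $want ) = @$c;
    printf "list=%-12s acr=%-6s buggy=%d fixed=%d correct=%d\n",
        $list, $acr,
        acr_allowed_buggy( $list, $acr ),
        acr_allowed_fixed( $list, $acr ),
        $want;
}
```

Run it as a plain script; the buggy column accepts "1", "loa" and ".*" against a list that contains none of them, while the fixed column agrees with the last column on every row. The practical point for an OIDC RP operator is that the acr claim is attacker-influenced whenever the OP can be talked into issuing a weaker authentication, so the comparison must be an exact token match, never a substring or pattern match.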
fix-viewer-endpoint.patch
  Description: fix viewer endpoint (regression introduced in 2.16.1)
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, commit: c330347f
  Last update: 2023-05-09

apply-user-control-to-authslave.patch
  Description: [Security] apply userControl to authSlave
  Author: Christophe Maudoux <chrmdx@gmail.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs
  Last update: 2023-09-01

fix-open-redirection.patch
  Description: fix open redirection
  Authors: Maxime Besson <maxime.besson@worteks.com>, Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342/diffs
  Last update: 2023-09-01

fix-open-redirection-without-OIDC-redirect-uris.patch
  Description: fix open redirection when an OIDC RP has no oidcRPMetaDataOptionsRedirectUris. This issue only affects people who edit the configuration by hand: the Manager already refuses a relying party without redirect URIs.
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, commit: c1de35ad
  Last update: 2023-09-20

SSRF-issue.patch
  Description: fix SSRF vulnerability. Issue described at https://security.lauritz-holtmann.de/post/sso-security-ssrf/
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
  Last update: 2023-09-22

CVE-2024-48933.patch
  Description: fix XSS vulnerability. A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.
  Author: Maxime Besson
  Forwarded: not-needed
  Origin: debian upstream
  Last update: 2024-10-15

fix-auth-level-escalation.patch
  Description: do not run adaptativeAuthenticationLevel during refresh
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
  Last update: 2024-11-09

fix-xss-in-upgrade-plugin.patch
  Description: check XSS in ::Plugins::Upgrade
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614
  Last update: 2024-11-09

CVE-2024-52948.patch
  Description: fix CSRF on 2FA registration
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/644
  Last update: 2025-01-22

fix-test-when-ldap-server-exists.patch
  Description: fix test when an LDAP server is running on the build machine
  Author: Christophe Maudoux <chrmdx@gmail.com>
  Forwarded: not-needed
  Last update: 2025-02-02

CVE-2025-31510.patch
  Description: fix XSS/HTML injection through the tab parameter (Choice). An input validation vulnerability has been identified in the tab parameter when authentication is set to Choice. This issue allows the injection of malicious content, including HTML, iframes or JavaScript, with varying impact depending on the applied Content Security Policy (CSP) configuration.
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/a790b15e9
  Last update: 2025-03-29
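CVE-2024-48933 and CVE-2025-31510 above are the same shape of bug: user-controlled input (the login name under a permissive userControl, the tab parameter of the Choice menu) reaches the login page unchecked. As an added example that is not LemonLDAP::NG code, here is a Perl sketch of the two defenses that matter for both, an allowlist check on the input and HTML escaping on output. The default userControl pattern ^[\w\.\-@]+$ is an assumption about LLNG's default, the list of Choice modules and the payloads are constructed, and the subroutine names are mine.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: allowlist validation and output
# escaping for the two inputs named in CVE-2024-48933 and CVE-2025-31510.
use strict;
use warnings;

# Assumed to be LLNG's default userControl: word characters, ".", "-", "@".
my $default_user_control = qr/^[\w\.\-@]+$/;
# A "non-default value that allows special HTML characters", as the CVE
# text puts it (constructed for this example).
my $permissive_user_control = qr/^.+$/;

# Constructed list of modules offered by the Choice menu. The tab
# parameter must name one of them exactly; anything else is rejected
# rather than echoed back.
my @choice_modules = qw(LDAP Kerberos OpenIDConnect);

sub username_ok {
    my ( $pattern, $user ) = @_;
    return ( defined $user && $user =~ $pattern ) ? 1 : 0;
}

sub tab_ok {
    my ($tab) = @_;
    return 0 unless defined $tab;
    return ( grep { $_ eq $tab } @choice_modules ) ? 1 : 0;
}

# Escape the five characters that can change HTML context. Do this on
# output even when the input was validated, so that a relaxed userControl
# no longer turns into script injection.
sub escape_html {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed inputs: a normal login and the kind of payload the CVE
# descriptions talk about.
my @users = ( 'jdoe', '<script>alert(1)</script>' );
for my $u (@users) {
    printf "user %-28s default=%d permissive=%d rendered=%s\n",
        $u,
        username_ok( $default_user_control,    $u ),
        username_ok( $permissive_user_control, $u ),
        escape_html($u);
}

my @tabs = ( 'LDAP', 'ldap', '<iframe src="https://example.invalid/">' );
for my $t (@tabs) {
    printf "tab %-40s allowed=%d\n", $t, tab_ok($t);
}
```

The default pattern rejects the script payload outright while the permissive one lets it through, and only the escaped rendering keeps it from becoming markup; the tab check shows why an exact allowlist is the right fix for a parameter whose legitimate values are known in advance. A CSP, as the CVE-2025-31510 text notes, limits the impact but does not remove the injection, so it is a backstop, not the fix.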
fix-bad-table-name.patch
  Description: fix fixed tablename
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/d9db2a6b
  Last update: 2025-07-12

fix-oidc-fixed-server-in-case-of-error.patch
  Description: fix "when Auth::OpenIDConnect returns an error, the user cannot try again"
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/762
  Last update: 2025-07-12

fix-kerberos-js.patch
  Description: make the Kerberos module not submit the form in case of error in the choice menu
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/752
  Last update: 2025-07-12

improve-cors.patch
  Description: improve CORS checks
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/767
  Last update: 2025-07-12

fix-path-info.patch
  Description: fix path_info
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/763
  Last update: 2025-07-12

CVE-2025-59518.patch
  Description: fix admin shell injection
  Author: Maxime Besson <maxime.besson@worteks.com>
  Forwarded: not-needed
  Origin: upstream, commit: 37116d09f
  Last update: 2025-10-17

dont-expose-session-id-in-ajax-responses.patch
  Description: don't expose the session id in Ajax responses
  Author: Yadd <yadd@debian.org>
  Forwarded: not-needed
  Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/778
  Last update: 2025-10-18
