
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN497
_____________________________________________________________________

DATE                : 08/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running lemonldap-ng versions prior to
                     2.0.9.

=====================================================================
https://mail.ow2.org/wws/arc/lemonldap-ng-announces/2020-09/msg00000.html
_____________________________________________________________________

This release contains fixes for 2 CVEs: CVE-2020-24660 and
CVE-2020-16093. Please read the instructions to upgrade your installation:

* https://lemonldap-ng.org/documentation/latest/upgrade.html#required-changes-in-nginx-handler-rules-cve-2020-24660

* https://lemonldap-ng.org/documentation/latest/upgrade.html#ldap-certificate-validation-cve-2020-16093

Please check the complete upgrade notes for this version:
https://lemonldap-ng.org/documentation/latest/upgrade.html#id1

Main changes are:


Bugs:
* RESTProxy doesn't fully work as a UserDB module
* Refresh my rights causes error 500 with OIDC provider
* StayConnected plugin not working due to error in fingerprint
  JavaScript
* Bad default value for portalDisplayOidcConsents
* Setting yubikey verification URL to an empty value does not
  fall back to Yubikey_Webclient URL
* Captcha or OTT is not renewed if Impersonation process failed
* Error "Value must be BASE64 encoded" with some specific URL
  when Handler redirects on portal
* Errors in lemonldap-ng.ini are not correctly reported
* Misleading error reporting when failing to save conf in
  lemonldap-ng-cli
* Regression in redirection to SAML URLs with query string
* SAML SP error with auth kerberos
* Local session cache and systemd PrivateTmp
* Multivalued attributes are not returned as array in OpenID
  Connect userinfo endpoint
* Missing country in OpenID Connect Address Claim
* Incorrect SOAP Content-Type
* Secure flag missing on lemonldappdata cookie and during logout
* pdata cookie with SameSite value not equal to NONE is not
  removed and logout request leads to an internal server error with
  federate flow on SP side
* [security:high, CVE-2020-24660] Lack of URL normalization by
  Nginx may lead to authorization bypass when URL access rules are used
* ldapGroupDecodeSearchedValue does not apply to recursive group search
* Password form not displayed when "password change after reset"
  is returned by LDAP ppolicy and Combination used for authentication
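The CVE-2020-24660 entry above turns on one point: access rules must be
evaluated against a canonical form of the request path, not the raw
URI as received. The following is an added example written for this
note; it is not LemonLDAP::NG or Nginx code, and the rule table, role
names and request paths are constructed. It shows a prefix-rule lookup
that normalizes first, beside the raw-path lookup it replaces, and it
denies paths that still look encoded or that try to climb above the root.

```python
"""Evaluate path-based access rules on a normalized request path.

Added example, not LemonLDAP::NG or Nginx code. The rule table and the
request paths used here are constructed for illustration.
"""
from urllib.parse import unquote

# Constructed rule table: (path prefix, required role). First match wins,
# so the most specific prefixes come first; DEFAULT_RULE catches the rest.
RULES = [
    ("/admin", "admin"),
    ("/reports", "analyst"),
]
DEFAULT_RULE = "user"


def normalize_path(path: str) -> str:
    """Return a canonical form of a request path.

    Steps: percent-decode once (an encoded '/' therefore becomes a segment
    separator), split on '/', drop empty and '.' segments, resolve '..'
    against a segment stack, and refuse to climb above the root.
    """
    decoded = unquote(path)
    if "%" in decoded:
        # A second layer of encoding is left undecoded on purpose: a path
        # that still contains '%' after one decode is treated as malformed.
        raise ValueError("double-encoded path segment")
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise ValueError("path escapes the root")
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def required_role(path: str, normalize: bool = True) -> str:
    """Look up the role a rule requires for `path`.

    normalize=True (the intended behaviour) matches on the canonical path.
    normalize=False reproduces raw-URI matching, the condition the bug line
    describes; it is kept only so the difference is visible in a test.
    """
    target = normalize_path(path) if normalize else path
    for prefix, role in RULES:
        if target == prefix or target.startswith(prefix + "/"):
            return role
    return DEFAULT_RULE


def is_allowed(path: str, roles: set) -> bool:
    """Authorize a request: normalize, then compare against the caller's roles."""
    try:
        return required_role(path) in roles
    except ValueError:
        # Malformed paths are denied outright instead of falling through to
        # the default rule.
        return False


if __name__ == "__main__":
    for raw in ["/admin/users", "/reports/../admin", "/%61dmin", "/%2e%2e/admin"]:
        print(raw, "->", "allow" if is_allowed(raw, {"analyst"}) else "deny")
```

The raw-path lookup classifies `/reports/../admin` under the `/reports`
rule, whereas the normalized lookup resolves it to `/admin` first; the
same applies to a percent-encoded prefix such as `/%61dmin`. The deny on
any `ValueError` is the conservative choice: a path the normalizer cannot
make sense of should never reach the default rule.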


New features:
* Integrate documentation into the codebase
* Use 2FA only if and when needed
* Add a session command line (CLI) tool


Improvements:
* Proxy Backend support for Password Module (passwordDB)
* Declare vhost with wildcard and prefix/suffix
* Make externally-provisioned YubiKeys easier to configure
* Manager - Configuration's Author IP address field should honor $ipAddr
* Retrieve GPG keys and SSH keys in GitHub authentication module
* Add option to make convertConfig easier in most cases
* REST session server is too intolerant of clock drift (2)
* Mail reset token should not be deleted at first page access
* Add CAS App management to the manager API
* Display new supported grant_types in OIDC discovery page
* Use configuration key in user log messages for all Issuer modules
* Check password policy on the client side when changing password
* No host in logs to use with Fail2ban
* Manage SameSite default behavior
* Improve Notifications explorer to display done notifications content
* Request "do not minify" JSON config option
* Erroneous use of NTLM should be explicitly reported to the user
* Healthcheck endpoint for manager API
* Add del method to lemonldap-ng-cli

See full changelog:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/72

Download: https://lemonldap-ng.org/download


This release was made by:
Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and
Clément Oudot
Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange,
FER Genève, Avem Groupe, Urgences Santé Québec
Community (issues opening, tests, patches, pull requests): David
Coutadeuri, Xavier Bachelot, Soisik Froger, Ross Steiner, pgnd,
Mickael Bride, Carl R., Côme Chilliet, Andreas Deschka, Guillaume
Debaisieux, Baptiste Pecatte, Grégory ROY, Erik Anders, Gilles
Filippini, Dave Conroy, Mathieu Lecompte-melançon

If you use LemonLDAP::NG and enjoy it, please let us know:

https://lemonldap-ng.org/references
https://www.openhub.net/p/lemonldap-ng
http://alternativeto.net/software/lemonldap-ng/
https://comptoir-du-libre.org/softwares/view/101
https://framalibre.org/content/lemonldapng
http://twitter.com/lemonldapng
https://www.facebook.com/lemonldapng/



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================