Please apply general caution as you would with any software: have
backups and a rollback plan ready!
2.0.14
Security
- CVE-2021-40874: RESTServer pwdConfirm always returns true with Combination + Kerberos (see issue 2612)
U2F deprecation in Chrome 98
Chrome 98 removed U2F support by default. You can enable them back temporarily in chrome://flags
by setting Enable the U2F Security Key API to Enabled and Enable a permission prompt for the U2F Security Key API to Disabled
LemonLDAP::NG provides a newer alternative: WebAuthn as a second factor, which is compatible with U2F security keys. Please read Migrating existing U2F devices for instructions on how to convert U2F secrets to WebAuthn.
After migration, you will need to disable U2F from the configuration and enable WebAuthn instead, in General Parameters » Second Factors » WebAuthn
Weak encryption used for password-protected SAML keys
Previous versions of LemonLDAP::NG used a weak encryption algorithm to protect
SAML keys when a password was set during certificate generation.
Run the following command to check if this is your case:
lemonldap-ng-cli get samlServicePrivateKeySig
lemonldap-ng-cli get samlServicePrivateKeyEnc
If the output of either command starts with BEGIN ENCRYPTED PRIVATE KEY
,
then it probably means you generated your keys using the vulnerable manager
code.
In this case, you can convert your existing keys to a stronger encryption using
the following command
# Extract your existing keys. If samlServicePrivateKeyEnc is empty, you can
# skip it entirely
lemonldap-ng-cli get samlServicePrivateKeySig | \
sed 's/samlServicePrivateKeySig = //' > saml-sig.pem
lemonldap-ng-cli get samlServicePrivateKeyEnc | \
sed 's/samlServicePrivateKeyEnc = //' > saml-enc.pem
# Re-encrypt the private key, using the same passphrase
openssl pkey -in saml-sig.pem -aes256 -out saml-sig-aes.pem
openssl pkey -in saml-enc.pem -aes256 -out saml-enc-aes.pem
#Or, if you are using OpenSSL 3+
openssl pkey -provider legacy -provider default -in saml-sig.pem \
-aes256 -out saml-sig-aes.pem
openssl pkey -provider legacy -provider default -in saml-enc.pem \
-aes256 -out saml-enc-aes.pem
Then, simply reimport your keys
lemonldap-ng-cli set samlServicePrivateKeySig "$(cat saml-sig-aes.pem)"
lemonldap-ng-cli set samlServicePrivateKeyEnc "$(cat saml-enc-aes.pem)"
If is recommended to keep the same password as before, if not, adjust the
samlServicePrivateKeySigPwd
and samlServicePrivateKeyEncPwd
variables as well.
This operation is transparent and does not require any change to your existing
SAML configuration or SAML applications
LemonLDAP::NG version is returned by the CheckState plugin
If you use the /checkstate URL to monitor LemonLDAP::NG, you may notice a slight change in the output format:
2.0.13 :
`
{"result":1}
`
2.0.14 :
`
{"result":1,"version":"2.0.14"}
`
Depending on your load balancer or monitoring configuration, this can cause false negatives.
This plugin is disabled by default, and you may use a shared secret to hide this information to regular users and bots, please check the Check state plugin documentation for more information.
Empty scopes now rejected in OAuth2.0 grants
Previously, it was possible to be granted an empty scope, or an automatic
openid
scope when doing OAuth2.0 Password Grant or Client Credentials Grant.
Starting with 2.0.14, empty scopes are no longer allowed (RFC 6749#section-3.3).
You need to either add a scope parameter to your request, or define a default
scope in your Relying Party’s Scope Rules.
Portal templates changes
If you defined the “Register page URL” or the password “Reset page URL” to an external application, you need to fix the standardform.tpl
template by applying the following patch:
diff --git a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
index 3a6256e59..d5192f0ce 100644
--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
@@ -48,14 +48,14 @@
<div class="actions">
<TMPL_IF NAME="DISPLAY_RESETPASSWORD">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL"><TMPL_UNLESS NAME="MAIL_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-info-circle"></span>
<span trspan="resetPwd">Reset my password</span>
</a>
</TMPL_IF>
<TMPL_IF NAME="DISPLAY_UPDATECERTIF">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL"><TMPL_UNLESS NAME="MAILCERTIF_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-refresh"></span>
<span trspan="certificateReset">Reset my certificate</span>
</a>
@@ -69,7 +69,7 @@
</TMPL_IF>
<TMPL_IF NAME="DISPLAY_REGISTER">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL"><TMPL_UNLESS NAME="REGISTER_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-plus-circle"></span>
<span trspan="createAccount">Create an account</span>
</a>
Manager API
The service parameter set in a request to create or update a CAS application must now be an array, and no more a string.
Changes impacting plugin developpers
- If you are using Custom authentication modules, userDB modules or password
modules,
$portal->loadedPlugins
no longer contains a key with the name of
your module. You should use $portal->_authentication
, $portal->_userDB
,
or $portal->_passwordDB
instead to get your module instance.
2.0.12
Security
- CVE-2021-35473: Access token lifetime is not verified with OAuth2 Handler (see issue 2549)
- CVE-2021-35472: Session cache corruption can lead to authorization bypass or spoofing (see issue 2539)
- 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret (see issue 2543)
- Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application (see issue 2535)
- XSS on register form (see issue 2495)
- Wildcard in virtualhost allows being redirected to untrusted domains (see issue 2477)
Portal templates changes
Email templates
If you customized the HTML email templates, you must update them to use HTML::Template variables (this was changed to fix XSS injections).
In the following files: mail_2fcode.tpl
mail_certificateReset.tpl
mail_footer.tpl
mail_password.tpl
mail_register_done.tpl
mail_certificateConfirm.tpl
mail_confirm.tpl
mail_header.tpl
mail_register_confirm.tpl
Replace the following variables:
Old syntax |
New syntax |
$code |
<TMPL_VAR NAME="code" ESCAPE=HTML> |
$url |
<TMPL_VAR NAME="url" ESCAPE=HTML> |
$login |
<TMPL_VAR NAME="login" ESCAPE=HTML> |
$password |
<TMPL_VAR NAME="password" ESCAPE=HTML> |
$firstname |
<TMPL_VAR NAME="firstname" ESCAPE=HTML> |
$lastname |
<TMPL_VAR NAME="lastname" ESCAPE=HTML> |
Replace all other variables such as $cn
by <TMPL_VAR NAME="session_cn" ESCAPE=HTML>
.
FindUser, CheckDevOps templates
Some changes have been made to include new plugins (FindUser and CheckDevOps), you need to report them only if you have a custom theme and you want to use these plugins
Client Credential sessions missing expiration time
If you started using Client Credential grants in 2.0.11, you may have encountered
issue 2481.
Because of this bug, the created sessions may never be purged by the purgeCentralCache
script.
In order to detect these sessions, you can run the following command:
lemonldap-ng-sessions search --where _session_kind=SSO --select _session_id --select _utime | \
jq -r '. | map(select(._utime == null)) | map(._session_id) | join ("\n")'
This will output a list of SSO sessions with no expiration time.
Review them manually using
lemonldap-ng-sessions get <session_id>
You can then remove them with
lemonldap-ng-sessions delete <session_id> <session_id> <etc.>
Brute-force protection plugin may cause duplicate persistent sessions
Because of bug #2482 , some users may notice that the persistent session database is filling with duplicate sessions. Some examples include:
- An uppercase version of the regular persistent session (dwho vs DWHO)
- An unqualified version (dwho vs dwho@idp.com)
This bug was fixed in 2.0.12, but administrators are advised to clean up their persistent session database to remove any duplicate persistent sessions remaining after the upgrade.
OpenID Connect check session iframe
The OIDC check session iframe is not working, it has been removed from OIDC configuration metadata. It should not impact any installation as this feature was already broken.
Simplification of TOTP options
The following options have been removed from TOTP configuration:
- Display existing secret (
totp2fDisplayExistingSecret
)
- Change existing secret (
totp2fUserCanChangeKey
)
As a consequence, users who are not using the default bootstrap
skin may need to ajust their totp2fregister.tpl
template:
2.0.10
Security
A vulnerability affecting LemonLDAP::NG installations has been found out when ALL following criteria apply:
- Your handler server uses Nginx
- Your virtual host configuration contains per-URL
skip
or unprotect
access rule
In this situation, you have to update your LUA configuration file like /etc/nginx/nginx-lua-headers.conf
. See also issue 2434.
Other minor security fixes:
- It is now possible to hide sessions identifier in Manager (parameter
displaySessionId
). See also issue 2350.
- Second factor management by end user now requires safer conditions. See also issue 2332, issue 2337 and issue 2338.
Main changes
- New dependency: IO::Socket::Timeout
- TOTP check tolerates forward AND backward clock drift (totp2fRange)
- Avoid assignment in expressions option is disabled by default
- RHEL/CentOS SELinux users should install the new
lemonldap-ng-selinux
package to fix an issue with the new default cache directory
- If you use Mattermost Team Edition with OpenID Connect, you need to set the
id
claim type to Integer
- BruteForceProtection plugin now prevents authentication on backend if an account is locked
- In the Manager API, postLogoutRedirectUri is now returned and consumed as an array
- We fixed a bug that caused SAML sessions to be created and never deleted, you should check your session databases for sessions that have
"_session_kind": "ISAML"
but no _utime
. You can safely delete SAML sessions with no _utime
during the upgrade.
Portal templates changes
If you created your own skin and modified some template files, you may need to update them, see below if they have been modified.
No change is required if you are using the default bootstrap
theme.
2FA manager
In 2fregisters.tpl
you need to add the remove2f
class to the button that triggers second factor removal:
- <span device='<TMPL_VAR NAME="type">' epoch='<TMPL_VAR NAME="epoch">' class="btn btn-danger" role="button">
+ <span device='<TMPL_VAR NAME="type">' epoch='<TMPL_VAR NAME="epoch">' class="btn btn-danger remove2f" role="button">
Or, better yet, integrate the changes in 2fregisters.tpl
and skin.min.js
into your custom theme to benefit from the new 2F removal confirmation dialog
Checkboxes
A CSS change has been done in styles.css
to avoid checkbox labels overflow. See issue 2301.
The form-check-input
class is missing in register.tpl
and notifinclude.tpl
. See issue 2374.
Password checker
Input id values have been modified in mail.tpl
to work with password checker. See issue 2355.
Tables caption
Tables captions have been added in sessionArray.tpl
. See issue 2356.
Stay connected
A small change is required in checklogins.tpl
for issue 2365.
Other changes needed in 2fchoice.tpl
, ext2check.tpl
, totp2fcheck.tpl
, u2fcheck.tpl
and utotp2fcheck.tpl
for issue 2366.
Mails
The HTML alt
attribute has been added on img
in all mail_*.tpl
. See issue 2422.
2.0.9
- Bad default value to display OIDC Consents tab has been fixed.
The default value is now:
$_oidcConsents && $_oidcConsents =~ /\w+/
- Some user log messages have been modified, check logs documentation
(see also #2244)
- SAML SOAP calls are now using
text/xml
instead of application/xml
as the MIME Content Type, as required by the SOAP standard
- Incremental lock times values can now be set in BruteForceProtection plugin through Manager.
It MUST be a list of comma separated values. Default values are
5, 15, 60, 300, 600
- This version is not compatible with Mattermost Team Edition
Cookie issues with Chrome
This release fixes several issues related to the change in SameSite cookie
policy for Google Chrome users. The new default value of the SameSite
configuration parameter will set SameSite to Lax
unless you are using SAML,
in which case it will be set to None
.
This means that from now on, any LemonLDAP::NG installation using SAML must be
served over HTTPS, as SameSite None
value requires the Secure
flag in cookie.
Change in default cache directory
The default config/session cache directory has been moved from /tmp
to
/var/cache/lemonldap-ng
in order to avoid issues with cache purges when using
Systemd. This change is only applied to new installations. If your
installation is experiencing cache purge issues, you need to manually change
your existing localSessionStorageOptions/cache_root
parameter from /tmp
to /var/cache/lemonldap-ng
. Be sure to create this directory on your
file system before modifying your configuration.
If you are using SELinux, you also need to run the following commands
semanage fcontext --add -t httpd_cache_t -f a '/var/cache/lemonldap-ng(/.*)?'
restorecon -R /var/cache/lemonldap-ng/
Required changes in NGINX handler rules (CVE-2020-24660)
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
- You are using the LemonLDAP::NG Handler to protect applications
- Your handler server uses Nginx
- Your virtual host configuration contains per-URL access rules based on
regular expressions in addition to the built-in default access rule.
Note
You are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout
If you are in this situation, you need to modify all your handler-protected
virtualhosts by making the following change:
Replace fastcgi_param X_ORIGINAL_URI $request_uri
by fastcgi_param X_ORIGINAL_URI $original_uri
if you are using FastCGI
Replace uwsgi_param X_ORIGINAL_URI $request_uri
by uwsgi_param X_ORIGINAL_URI $original_uri
if you are using uWSGI
Right after auth_request /lmauth;
, add the following line
set $original_uri $uri$is_args$args;
You can check the Manage virtual hosts page for more information
LDAP certificate validation (CVE-2020-16093)
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see CVE-2020-16093. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to /etc/lemonldap-ng/lemonldap-ng.ini
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, you are strongly encouraged to also upgrade corresponding Apache::Session
modules (Apache::Session::LDAP
or Apache::Session::Browseable
). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
- key:
ldapVerify
- value:
none
Please note that it is HIGHLY recommended to set certificate validation to require when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.