--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:lemonldap-ng
User: [email protected]
Usertags: pu
[ Reason ]
Lemonldap-NG community published a new LTS version: 2.16.6. The main
changed inported here are:
* Fix sessions tablename when not default
* Fix OpenID-Connect flow when user encountered an error on server side
* Fix Kerberos JavaScript when used with "Choice"
* Improve CORS check
* Fix path_info
[ Impact ]
Some annonying bugs
[ Tests ]
New patches includes tests
[ Risks ]
Low risk, test coverage is good
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index a2a7ee804..aededc82a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u7) bookworm; urgency=medium
+
+ * Fix sessions tablename when not default
+ * Fix OpenID-Connect flow when user encountered an error on server side
+ * Fix Kerberos JavaScript when used with "Choice"
+ * Improve CORS check
+ * Fix path_info
+
+ -- Yadd <[email protected]> Sat, 12 Jul 2025 20:12:21 +0200
+
lemonldap-ng (2.16.1+ds-deb12u6) bookworm-security; urgency=high
* Fix XSS vulnerability in Choice module (Closes: CVE-2025-31510)
diff --git a/debian/patches/fix-bad-table-name.patch
b/debian/patches/fix-bad-table-name.patch
new file mode 100644
index 000000000..d49b65114
--- /dev/null
+++ b/debian/patches/fix-bad-table-name.patch
@@ -0,0 +1,20 @@
+Description: fix fixed tablename
+Author: Yadd <[email protected]>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/d9db2a6b
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3405
+Forwarded: not-needed
+Applied-Upstream: 2.16.6, commit:25663e12
+Last-Update: 2025-07-12
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm
+@@ -212,7 +212,8 @@
+ my $dbh =
+ DBI->connect( $args->{DataSource}, $args->{UserName}, $args->{Password}
)
+ or die("$!$@");
+- my $sth = $dbh->prepare('SELECT id,a_session from sessions');
++ my $sth = $dbh->prepare(
++ 'SELECT id,a_session from ' . ( $args->{TableName} || 'sessions' ) );
+ $sth->execute;
+ my %res;
+ while ( my @row = $sth->fetchrow_array ) {
diff --git a/debian/patches/fix-kerberos-js.patch
b/debian/patches/fix-kerberos-js.patch
new file mode 100644
index 000000000..470de834b
--- /dev/null
+++ b/debian/patches/fix-kerberos-js.patch
@@ -0,0 +1,103 @@
+Description: make Kerberos module not submit form in case of error in choice
menu
+Author: Yadd <[email protected]>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/752
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3406
+Forwarded: not-needed
+Applied-Upstream: 2.16.6, commit:bc193ef9
+Last-Update: 2025-07-12
+
+--- a/lemonldap-ng-portal/site/coffee/kerberosChoice.coffee
++++ b/lemonldap-ng-portal/site/coffee/kerberosChoice.coffee
+@@ -16,5 +16,30 @@
+ $('#lformKerberos').submit()
+ # Case else, will display PE_BADCREDENTIALS or fallback to next
auth
+ # backend
+- error: () ->
+- $('#lformKerberos').submit()
++ error: (xhr, status, _error) ->
++ e = jQuery.Event "kerberosFailure"
++ $(document).trigger e, [xhr, status, _error]
++
++ # Check if we are in a choice menu
++ authMenu = $('#authMenu')
++
++ # If this is a choice menu, don't submit form
++ if authMenu.length
++ msgBox = $('#errormsg')
++ msgBoxContent = '<div class="message
message-negative' + ' alert alert-danger" role="alert">'
++ # If this is a regular Kerberos authentication
error,
++ # display the appropriate error message
++ if _error.match /Unauthorized/i
++ msgBoxContent += '<span trmsg="5">' +
translate('PE5') + '</span>'
++ # Display generic error message
++ else
++ msgBoxContent += '<span trmsg="24">' +
translate('PE24') + '</span>'
++ # If this is an unexpected Kerberos
error,
++ # display the error in console
++ console.error "Error while trying
Kerberos authentication: ", _error
++ msgBoxContent += '</div>'
++ msgBox.html msgBoxContent
++ # If this is NOT a choice menu, submit form
++ else
++ if !e.isDefaultPrevented()
++ $('#lformKerberos').submit()
+--- a/lemonldap-ng-portal/site/htdocs/static/common/js/kerberosChoice.js
++++ b/lemonldap-ng-portal/site/htdocs/static/common/js/kerberosChoice.js
+@@ -1,21 +1,54 @@
+-// Generated by CoffeeScript 1.12.8
++// Generated by CoffeeScript 2.7.0
+ (function() {
++ // Launch Kerberos request
+ $(document).ready(function() {
+ return $.ajax(portal + '/authkrb', {
+ dataType: 'json',
++ // Called if browser can't find Kerberos ticket, will display
++ // PE_BADCREDENTIALS
+ statusCode: {
+ 401: function() {
+ return $('#lformKerberos').submit();
+ }
+ },
++ // If request succeed cookie is set, posting form to get redirection
++ // or menu
+ success: function(data) {
+ if (data.ajax_auth_token) {
+
$('#lformKerberos').find('input[name="ajax_auth_token"]').attr("value",
data.ajax_auth_token);
+ }
+ return $('#lformKerberos').submit();
+ },
+- error: function() {
+- return $('#lformKerberos').submit();
++ // Case else, will display PE_BADCREDENTIALS or fallback to next auth
++ // backend
++ error: function(xhr, status, _error) {
++ var authMenu, e, msgBox, msgBoxContent;
++ e = jQuery.Event("kerberosFailure");
++ $(document).trigger(e, [xhr, status, _error]);
++ // Check if we are in a choice menu
++ authMenu = $('#authMenu');
++ // If this is a choice menu, don't submit form
++ if (authMenu.length) {
++ msgBox = $('#errormsg');
++ msgBoxContent = '<div class="message message-negative' + ' alert
alert-danger" role="alert">';
++ // If this is a regular Kerberos authentication error,
++ // display the appropriate error message
++ if (_error.match(/Unauthorized/i)) {
++ msgBoxContent += '<span trmsg="5">' + translate('PE5') +
'</span>';
++ } else {
++ // Display generic error message
++ msgBoxContent += '<span trmsg="24">' + translate('PE24') +
'</span>';
++ // If this is an unexpected Kerberos error,
++ // display the error in console
++ console.error("Error while trying Kerberos authentication: ",
_error);
++ }
++ msgBoxContent += '</div>';
++ return msgBox.html(msgBoxContent);
++ } else {
++ if (!e.isDefaultPrevented()) {
++ return $('#lformKerberos').submit();
++ }
++ }
+ }
+ });
+ });
diff --git a/debian/patches/fix-oidc-fixed-server-in-case-of-error.patch
b/debian/patches/fix-oidc-fixed-server-in-case-of-error.patch
new file mode 100644
index 000000000..06fa90df0
--- /dev/null
+++ b/debian/patches/fix-oidc-fixed-server-in-case-of-error.patch
@@ -0,0 +1,97 @@
+Description: fix "when Auth::OpenIDConnect returns an error, the user cannot
try again"
+Author: Maxime Besson <[email protected]>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/762
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3427
+Forwarded: not-needed
+Applied-Upstream: v2.16.6, commit:17cdbbed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2025-07-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
+@@ -102,7 +102,13 @@
+ my ( $self, $req ) = @_;
+
+ # Check callback
+- if ( $req->param( $self->conf->{oidcRPCallbackGetParam} ) ) {
++ if ( $req->param( $self->conf->{oidcRPCallbackGetParam} )
++ and not $req->param('oidc_callback_processed') )
++ {
++ # This makes sure we don't go through the callback code when
re-posting
++ # a login form
++ $self->p->setHiddenFormValue( $req, "oidc_callback_processed", "1",
"",
++ 0 );
+
+ $self->logger->debug(
+ 'OpenIDConnect callback URI detected: ' . $req->uri );
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -409,6 +409,68 @@
+
+ #print STDERR Dumper($res);
+
++# Test OIDC auth retry (#3427)
++ok(
++ $res = $rp->_get(
++ "/", accept => 'text/html',
++ ),
++ "Initiate login"
++);
++count(1);
++
++( $url, $query ) =
++ expectRedirection( $res, qr#http://auth.op.com(/oauth2/authorize)\?(.*)$# );
++
++my $state = do {
++ my $u = URI->new;
++ $u->query($query);
++ $u->query_param('state');
++};
++
++ok(
++ $res = $rp->_get(
++ "/",
++ query => {
++ openidconnectcallback => 1,
++ error => "canceled",
++ state => $state,
++ },
++ accept => 'text/html',
++ ),
++ "Return with error"
++);
++count(1);
++expectPortalError( $res, 106 );
++
++( $host, $url, $query ) =
++ expectForm( $res, '#', undef, 'oidc_callback_processed' );
++
++ok(
++ $res = $rp->_post(
++ "/", $query,
++ query => {
++ openidconnectcallback => 1,
++ error => "canceled",
++ state => $state,
++ },
++ accept => 'text/html',
++ ),
++ "Submit form again"
++);
++count(1);
++
++( $url, $query ) =
++ expectRedirection( $res, qr#http://auth.op.com(/oauth2/authorize)\?(.*)$# );
++
++my $new_state = do {
++ my $u = URI->new;
++ $u->query($query);
++ $u->query_param('state');
++};
++ok( $new_state, "New state was generated" );
++isnt( $new_state, $state, "New state is different than previous" );
++count(2);
++
+ clean_sessions();
+ done_testing( count() );
+
diff --git a/debian/patches/fix-path-info.patch
b/debian/patches/fix-path-info.patch
new file mode 100644
index 000000000..5ce71207a
--- /dev/null
+++ b/debian/patches/fix-path-info.patch
@@ -0,0 +1,49 @@
+Description: fix path_info
+Author: Maxime Besson <[email protected]>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/763
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3338
+Forwarded: not-needed
+Applied-Upstream: 2.16.6, commit:8dfc8be2
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2025-07-12
+
+--- a/e2e-tests/llng-server.psgi
++++ b/e2e-tests/llng-server.psgi
+@@ -51,10 +51,13 @@
+ psgi => sub {
+ return sub {
+
+- # Fix PATH_INFO when using Nginx with default uwsgi_params
+- # See #2031
+- ( $_[0]->{PATH_INFO} ) =
+- $_[0]->{REQUEST_URI} =~ /^(?:\Q$_[0]->{SCRIPT_NAME}\E)?([^?]*)/;
++ # Reimplement split_pathinfo
++ if ( $_[0]->{SCRIPT_NAME}
++ and rindex( $_[0]->{PATH_INFO}, $_[0]->{SCRIPT_NAME}, 0 ) ==
0 )
++ {
++ $_[0]->{PATH_INFO} =
++ substr( $_[0]->{PATH_INFO}, length( $_[0]->{SCRIPT_NAME} )
);
++ }
+
+ my $script = $_[0]->{SCRIPT_FILENAME};
+ return $_apps{$script}->(@_) if ( $_apps{$script} );
+--- a/lemonldap-ng-handler/eg/llng-server.psgi
++++ b/lemonldap-ng-handler/eg/llng-server.psgi
+@@ -53,10 +53,13 @@
+ psgi => sub {
+ return sub {
+
+- # Fix PATH_INFO when using Nginx with default uwsgi_params
+- # See #2031
+- ( $_[0]->{PATH_INFO} ) =
+- $_[0]->{REQUEST_URI} =~ /^(?:\Q$_[0]->{SCRIPT_NAME}\E)?([^?]*)/;
++ # Reimplement split_pathinfo
++ if ( $_[0]->{SCRIPT_NAME}
++ and rindex( $_[0]->{PATH_INFO}, $_[0]->{SCRIPT_NAME}, 0 ) ==
0 )
++ {
++ $_[0]->{PATH_INFO} =
++ substr( $_[0]->{PATH_INFO}, length( $_[0]->{SCRIPT_NAME} )
);
++ }
+
+ my $script = $_[0]->{SCRIPT_FILENAME};
+ return $_apps{$script}->(@_) if ( $_apps{$script} );
diff --git a/debian/patches/improve-cors.patch
b/debian/patches/improve-cors.patch
new file mode 100644
index 000000000..e90865ee9
--- /dev/null
+++ b/debian/patches/improve-cors.patch
@@ -0,0 +1,86 @@
+Description: improve CORS checks
+Author: Maxime Besson <[email protected]>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/767
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3430
+Forwarded: not-needed
+Applied-Upstream: 2.16.6, commit:a34389a6
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2025-07-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -1249,9 +1249,7 @@
+ # If this is a cross-domain request from the portal itself
+ # (Ajax SSL to a different VHost)
+ # we allow CORS
+- if ( $req->origin
+- and index( $self->conf->{portal}, $req->origin ) == 0 )
+- {
++ if ( $self->_checkSelfCors($req) ) {
+ $self->logger->debug('AJAX request from portal, allowing CORS');
+ push @{ $res->[1] },
+ "Access-Control-Allow-Origin" => $req->origin,
+@@ -1265,6 +1263,21 @@
+ return $res;
+ }
+
++sub _checkSelfCors {
++ my ( $self, $req ) = @_;
++
++ if ( $req->origin ) {
++ my $origin = URI->new( $req->origin );
++ my $portal = URI->new( $self->conf->{portal} );
++
++ return ( $origin->scheme
++ and $portal->scheme eq $origin->scheme
++ and $origin->host_port
++ and $origin->host_port eq $portal->host_port );
++ }
++ return;
++}
++
+ sub sendRawHtml {
+ my ($self) = $_[0];
+ my $res = Lemonldap::NG::Common::PSGI::sendRawHtml(@_);
+--- a/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
++++ b/lemonldap-ng-portal/t/01-CSP-and-CORS-headers.t
+@@ -23,6 +23,14 @@
+ }
+ );
+
++# Test request from alternate vhost to portal
++checkCorsAllowed( $client, "http://auth.example.com";, 1 );
++checkCorsAllowed( $client, "http://auth.example.com:80";, 1 );
++checkCorsAllowed( $client, "http://auth.example.comm";, 0 );
++checkCorsAllowed( $client, "http://auth.example.co";, 0 );
++checkCorsAllowed( $client, "http://example.com";, 0 );
++checkCorsAllowed( $client, "https://auth.example.com";, 0 );
++
+ # Test normal first access
+ # ------------------------
+ ok( $res = $client->_get('/'), 'Unauth JSON request' );
+@@ -157,6 +165,24 @@
+
+ done_testing( count() );
+
++sub checkCorsAllowed {
++ my ( $client, $origin, $result ) = @_;
++ ok(
++ my $res = $client->_get( '/', custom => { HTTP_ORIGIN => "$origin" }
),
++ "Unauth JSON request from $origin"
++ );
++ my %headers = @{ $res->[1] };
++ if ($result) {
++ is( $headers{'Access-Control-Allow-Origin'},
++ $origin, "$origin is allowed" );
++ }
++ else {
++ ok( !$headers{'Access-Control-Allow-Origin'},
++ "$origin is not allowed" );
++ }
++ count(2);
++}
++
+ sub checkCorsPolicy {
+ my ($res) = @_;
+ my %headers = @{ $res->[1] };
diff --git a/debian/patches/series b/debian/patches/series
index bbd446de9..dbe6dbcf9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,8 @@ fix-xss-in-upgrade-plugin.patch
CVE-2024-52948.patch
fix-test-when-ldap-server-exists.patch
CVE-2025-31510.patch
+fix-bad-table-name.patch
+fix-oidc-fixed-server-in-case-of-error.patch
+fix-kerberos-js.patch
+improve-cors.patch
+fix-path-info.patch
--- End Message ---
