Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1135326,
regarding trixie-pu: package lemonldap-ng/2.21.2+ds-1+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135326
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:lemonldap-ng
User: [email protected]
Usertags: pu

[ Reason ]
Upstream released a new LTS version for the 2.21.x branch. This update
fixes:
 - OIDC ignored non-default signature algorithm
 - OIDC dynamic registration didn't register Front-Channel-Logout URL
   when set
 - Really hide passwords in session-explorer when stored in session
 - Update documentation to avoid using unsecured Nginx variable

The last point is related to the proposed Nginx update (#1134654)

[ Impact ]
Medium security issues

[ Tests ]
Test added for the main code fix

[ Risks ]
No risk: test coverage is good, no reverse dependencies, fixes are
trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Fix typo that ignored the non-default signature algorithm in OIDC
- Fix typo that ignored Front-Channel-Logout URL during OIDC dynamic
  registration
- Fix regression introduced in 2.17.0 that stopped hiding passwords in the
  session explorer when SSO was configured to store passwords in session
  (rare, only used for compatibility with old apps)
diff --git a/debian/changelog b/debian/changelog
index 47d85474f..72464ce46 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lemonldap-ng (2.21.2+ds-1+deb13u2) trixie; urgency=medium
+
+  * Import main 2.21.4 changes:
+    - OIDC ignored non default signature algorithm
+    - OIDC dynamic registration didn't register Front-Channel-Logout URL when
+      set
+    - Really hide passwords in session-explorer when stored in session
+    - Update documentation to avoid using unsecured Nginx variable
+
+ -- Xavier Guimard <[email protected]>  Fri, 01 May 2026 08:23:09 +0200
+
 lemonldap-ng (2.21.2+ds-1+deb13u1) trixie; urgency=medium
 
   * Fix shell injection from admin interface (Closes: CVE-2025-59518)
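Review bot: the changelog entry lists the four imported changes but gives no reference to the upstream work items (3478, 3592, 3568 and 3556 are all cited in the patch headers below) nor to the related Nginx update #1134654 named in [ Reason ]; adding those references lets stable users trace each fix to its source without opening the patches.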
diff --git a/debian/patches/3478-fix-oidc-alg.patch 
b/debian/patches/3478-fix-oidc-alg.patch
new file mode 100644
index 000000000..93022ba2c
--- /dev/null
+++ b/debian/patches/3478-fix-oidc-alg.patch
@@ -0,0 +1,18 @@
+From: Yadd <[email protected]>
+Date: mai, 01 2026 05:49:52 +0200
+Subject: [PATCH] fix typo that breaks alg
+ Sadly the test OP was named "op"
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3478
+Forwarded: not-needed
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -490,7 +490,7 @@
+                 iat => time,
+                 %$authorize_request_params,
+             },
+-            $self->opOptions->{op}
++            $self->opOptions->{$op}
+               ->{oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg} || 'RS256',
+             $op
+         );
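Review bot: this DEP-3 header lacks an `Origin:` field (the other three new patches carry `Origin: upstream, commit:...`) and its `Date:` value `mai, 01 2026 05:49:52 +0200` is not RFC 2822 formatted, so header-parsing tools will reject it. More importantly, [ Tests ] says a test was added for the main code fix, but no test accompanies this hunk. The old code looked up the literal key `op`, so the `|| 'RS256'` fallback was silently applied for every OP not named "op" (as the header admits, the test OP happened to be named "op"); a regression test that configures an OP under another name with a non-default `oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg` is what would have caught this, and belongs with the fix.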
diff --git a/debian/patches/fix-oidc-frontchannel.patch 
b/debian/patches/fix-oidc-frontchannel.patch
new file mode 100644
index 000000000..d724c65fb
--- /dev/null
+++ b/debian/patches/fix-oidc-frontchannel.patch
@@ -0,0 +1,18 @@
+From: Yadd <[email protected]>
+Date: mai, 01 2026 06:07:59 +0200
+Subject: [PATCH] fix typo that broke OIDC front-channel-logout
+Origin: upstream, commit:c4dde51
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3592
+Forwarded: not-needed
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -2431,7 +2431,7 @@
+     my $backchannel_logout_uri = $client_metadata->{backchannel_logout_uri};
+     my $backchannel_logout_session_required =
+       $client_metadata->{backchannel_logout_session_required};
+-    my $frontchannel_logout_uri = $client_metadata->{backchannel_logout_uri};
++    my $frontchannel_logout_uri = $client_metadata->{frontchannel_logout_uri};
+     my $frontchannel_logout_session_required =
+       $client_metadata->{frontchannel_logout_session_required};
+     my $jwksUri = $client_metadata->{jwks_uri};
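Review bot: same non-standard `Date:` format as in 3478-fix-oidc-alg.patch. The one-token fix is correct, but note its effect: before it, the back-channel value was stored under the front-channel key, so this is the first time a registrant's real `frontchannel_logout_uri` is accepted from dynamic registration. Confirm that the surrounding code validates it the same way as `backchannel_logout_uri` before storing it, and add a registration test that supplies `frontchannel_logout_uri` and checks the stored value, since the [ Tests ] section covers only the password fix.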
diff --git a/debian/patches/really-hide-password-in-session-explorer.patch 
b/debian/patches/really-hide-password-in-session-explorer.patch
new file mode 100644
index 000000000..29f8755d7
--- /dev/null
+++ b/debian/patches/really-hide-password-in-session-explorer.patch
@@ -0,0 +1,238 @@
+From: Yadd <[email protected]>
+Date: mai, 01 2026 06:03:56 +0200
+Subject: [PATCH] really hide passwords from session explorer
+Origin: upstream, commit:d9ba579
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3568
+Forwarded: not-needed
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
+@@ -14,6 +14,11 @@
+ # Boolean value to tell if storage ID is hashed or not
+ has hashedSessionStore => ( is => 'rw' );
+ 
++sub hiddenAttributes {
++    my ($self) = @_;
++    return $self->{hiddenAttributes} || $self->conf->{hiddenAttributes};
++}
++
+ sub setTypes {
+     my ( $self, $conf ) = @_;
+     foreach my $type (@sessionTypes) {
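Review bot: `hiddenAttributes` is a plain sub poking at `$self->{hiddenAttributes}` directly, while the class declares its attributes with `has` (see `has hashedSessionStore` just above); declaring it with `has` and a default taken from `conf` would keep the override mechanism explicit and consistent. The `||` fallback means an empty override falls back to the global `hiddenAttributes` setting, which is the safe direction, but a short comment saying why the manager needs a per-object override here would help the next reader.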
+@@ -467,7 +472,8 @@
+     my %session = %{ $apacheSession->data };
+     unless ($raw) {
+         foreach ( keys %session ) {
+-            $session{$_} = '******' if isHiddenAttr( $self->conf, $_ );
++            $session{$_} = '******'
++              if isHiddenAttr( $self->hiddenAttributes, $_ );
+         }
+     }
+ 
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Util.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Util.pm
+@@ -37,7 +37,7 @@
+ }
+ 
+ sub isHiddenAttr {
+-    my ( $conf, $attr, @extra_hidden_attributes ) = @_;
++    my ( $hiddenAttributes, $attr, @extra_hidden_attributes ) = @_;
+     my ( @regexps, $match );
+ 
+     my %hiddenAttributes = map { $_ => 1 } grep {
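Review bot: changing the first argument of `isHiddenAttr` from a configuration hashref to the raw `hiddenAttributes` string is an API change for every caller, including third-party plugins outside this tree. A caller still passing `$self->conf` gets the hashref stringified by the `split` below (`HASH(0x...)`), so nothing matches and the check fails open, exposing exactly the values it is meant to mask. Add a guard at the top, e.g. `$hiddenAttributes = $hiddenAttributes->{hiddenAttributes} if ref $hiddenAttributes eq 'HASH';`, ideally with a deprecation warning, so old callers keep masking.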
+@@ -48,8 +48,7 @@
+         else {
+             1;
+         }
+-    } ( split( /[,\s]+/, $conf->{hiddenAttributes} ),
+-        @extra_hidden_attributes );
++    } ( split( /[,\s]+/, $hiddenAttributes ), @extra_hidden_attributes );
+ 
+     my $regex =
+       keys %hiddenAttributes
+@@ -112,7 +111,7 @@
+ 
+ This method formats device name for logging purpose
+ 
+-=head3 isHiddenAttr( $conf, $attr, @extra_hidden_attributes )
++=head3 isHiddenAttr( $conf_value, $attr, @extra_hidden_attributes )
+ 
+ This method tests if the attribute is hidden.
+ @extra_hidden_attributes is an array of additional attributes to hide.
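Review bot: the updated POD renames the parameter to `$conf_value` but does not say what it is; state that it is the value of the `hiddenAttributes` setting (a comma- or whitespace-separated list of attribute names), because anyone reading the old signature would naturally pass the whole conf hashref.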
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
+@@ -99,7 +99,8 @@
+     foreach ( keys %{ $json->{headers} } ) {
+         my $header = $json->{headers}->{$_};
+         $header =~ s/^\$//;
+-        if ( isHiddenAttr( $class->localConfig, $header ) ) {
++        if ( isHiddenAttr( $class->localConfig->{hiddenAttributes}, $header ) 
)
++        {
+             delete $json->{headers}->{$_};
+             $class->auditLog(
+                 $req,
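Review bot: the `if ( isHiddenAttr( ... $header )` line in this hunk has been wrapped by the mail client (the closing `)` sits alone on the next line without a diff prefix), as have the `diff --git` header lines of every new patch file; this debdiff as pasted will not apply with `patch -p1`, so the actual attachment should be checked, or the unwrapped file attached rather than inlined.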
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -6,8 +6,8 @@
+ 
+ use strict;
+ use MIME::Base64;
+-use POSIX                                  qw(strftime);
+-use Lemonldap::NG::Common::Util            qw(isHiddenAttr);
++use POSIX qw(strftime);
++use Lemonldap::NG::Common::Util qw(isHiddenAttr);
+ use Lemonldap::NG::Portal::Main::Constants qw(portalConsts);
+ use URI;
+ 
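Review bot: this hunk (and the matching one in Impersonation.pm) is a whitespace-only perltidy change to the `use` lines, unrelated to the fix; for a stable update the debdiff is easier to review and audit if such cosmetic churn is dropped.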
+@@ -617,7 +617,8 @@
+     foreach my $k ( sort keys %{ $req->{sessionInfo} } ) {
+         next unless defined $req->{sessionInfo}->{$k};
+         my $displayValue = $req->{sessionInfo}->{$k};
+-        $displayValue = '****' if isHiddenAttr( $self->conf, $k );
++        $displayValue = '****'
++          if isHiddenAttr( $self->conf->{hiddenAttributes}, $k );
+         $self->logger->debug("Store $displayValue in session key $k");
+         $self->_dump($displayValue) if ref($displayValue);
+         $infos->{$k} = $req->{sessionInfo}->{$k};
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
+@@ -193,7 +193,7 @@
+         foreach ( keys %{ $json->{headers} } ) {
+             my $header = $json->{headers}->{$_};
+             $header =~ s/^\$//;
+-            if ( isHiddenAttr( $self->conf, $header ) ) {
++            if ( isHiddenAttr( $self->conf->{hiddenAttributes}, $header ) ) {
+                 my $user = $req->userData->{ $self->conf->{whatToTrace} };
+                 $self->userLogger->warn(
+ "CheckDevOps: $user tried to retrieve a hidden attribute -> $header"
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+@@ -606,7 +606,7 @@
+         push @$array_attrs,
+           { key => $_, value => $attrs->{$_} }
+           unless ( (
+-                isHiddenAttr( $self->conf, $_, @hidden )
++                isHiddenAttr( $self->conf->{hiddenAttributes}, $_, @hidden )
+                 && !$self->displayHiddenAttributesRule->( $req, $userData )
+             )
+             || (   !$attrs->{$_}
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+@@ -2,7 +2,7 @@
+ 
+ use strict;
+ use Mouse;
+-use Lemonldap::NG::Common::Util            qw(isHiddenAttr);
++use Lemonldap::NG::Common::Util qw(isHiddenAttr);
+ use Lemonldap::NG::Portal::Main::Constants qw(
+   PE_MALFORMEDUSER
+   PE_OK PE_BADCREDENTIALS
+@@ -137,7 +137,7 @@
+             next unless defined $req->{sessionInfo}->{$k};
+         }
+         my $spk = $self->prefix . $k;
+-        unless ( isHiddenAttr( $self->conf, $k, @hidden )
++        unless ( isHiddenAttr( $self->conf->{hiddenAttributes}, $k, @hidden )
+             || $k =~ /^(?:_imp|token|_type)\w*\b/ )
+         {
+             $realSession->{$spk} = $req->{sessionInfo}->{$k};
+--- /dev/null
++++ b/lemonldap-ng-manager/t/40-sessions-hideId.t
+@@ -0,0 +1,75 @@
++# Test sessions explorer API
++
++use warnings;
++use Test::More;
++use JSON;
++use strict;
++use Lemonldap::NG::Common::Session;
++
++eval { mkdir 't/sessions' };
++`rm -rf t/sessions/*`;
++require 't/test-lib.pm';
++
++sub newSession {
++    my ( $uid, $ip ) = splice @_;
++    my $tmp;
++    ok(
++        $tmp = Lemonldap::NG::Common::Session->new( {
++                storageModule        => 'Apache::Session::File',
++                storageModuleOptions => {
++                    Directory      => 't/sessions',
++                    LockDirectory  => 't/sessions',
++                    generateModule =>
++'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
++                },
++            }
++        ),
++        'Sessions module'
++    );
++    count(1);
++    $tmp->update( {
++            ipAddr        => $ip,
++            _whatToTrace  => $uid,
++            uid           => $uid,
++            _utime        => time,
++            _session_kind => 'SSO',
++        }
++    );
++    return $tmp->{id};
++}
++
++my $client = LLNG::Manager::Test->new(
++    ini => {
++        displaySessionId => 0,
++    }
++);
++
++my @realids;
++$realids[0] = newSession( 'dwho',  '127.10.0.1' );
++$realids[1] = newSession( 'dwho2', '127.2.0.2' );
++@realids    = sort @realids;
++
++# "All" query
++my $res = $client->jsonResponse("/sessions/global/");
++ok( $res->{result} == 1,      'Result code = 1' );
++ok( $res->{count} == 2,       'Found 2 sessions' );
++ok( @{ $res->{values} } == 2, 'List 2 sessions' );
++my @obfuscatedids = sort map { $_->{session} } @{ $res->{values} };
++isnt( $realids[0], $obfuscatedids[0], "Obfuscated ID differs from real one" );
++count(4);
++
++# Single session access
++$res = $client->jsonResponse("/sessions/global/$obfuscatedids[0]");
++if ( $res->{uid} eq 'dwho' ) {
++    is( $res->{ipAddr}, '127.10.0.1', 'IP found' );
++}
++else {
++    is( $res->{ipAddr}, '127.2.0.2', 'IP found' );
++}
++is( $res->{_session_id}, '******', "Session ID is obfuscated" );
++count(2);
++
++done_testing( count() );
++
++# Remove sessions directory
++`rm -rf t/sessions`;
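Review bot: despite its name, 40-sessions-hideId.t checks only session-ID obfuscation (`displaySessionId => 0`, `_session_id` eq `******`); the password assertion lives in 40-sessions.t. Two small cleanups: `eval { mkdir 't/sessions' }` is pointless since `mkdir` returns false rather than dying, and `my ( $uid, $ip ) = splice @_;` is an odd spelling of `= @_;`. More importantly, neither test covers the list endpoint: the "All" query `/sessions/global/` returns a `values` row per session, and if those rows carry `_password` they must be masked there too; add an assertion over `@{ $res->{values} }`.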
+--- a/lemonldap-ng-manager/t/40-sessions.t
++++ b/lemonldap-ng-manager/t/40-sessions.t
+@@ -32,7 +32,8 @@
+             _whatToTrace  => $uid,
+             uid           => $uid,
+             _utime        => time,
+-            _session_kind => 'SSO'
++            _session_kind => 'SSO',
++            _password     => 'dwho',
+         }
+     );
+     return $tmp->{id};
+@@ -46,7 +47,8 @@
+ ok( ( $res->{uid} and $res->{uid} eq 'dwho' ), 'Uid found' )
+   or print STDERR Dumper($res);
+ ok( ( $res->{ipAddr} and $res->{ipAddr} eq '127.10.0.1' ), 'IP found' );
+-count(2);
++isnt( $res->{_password}, 'dwho', 'Password attribute is hidden' );
++count(3);
+ 
+ # "All" query
+ $res = &client->jsonResponse("/sessions/global/");
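Review bot: `isnt( $res->{_password}, 'dwho', ... )` also passes when `_password` is missing or undef, so it would not catch a regression that drops the key instead of masking it, and it only works because the fixture sets `_password => 'dwho'`; assert the actual masking, `is( $res->{_password}, '******', 'Password attribute is hidden' )`, matching what REST.pm writes and what 40-sessions-hideId.t already does for `_session_id`.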
diff --git a/debian/patches/series b/debian/patches/series
index 443671b56..ab96cc923 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,7 @@ fix-makefile.patch
 CVE-2025-59518.patch
 dont-expose-session-id-in-ajax-responses.patch
 fix-google-auth.patch
+3478-fix-oidc-alg.patch
+really-hide-password-in-session-explorer.patch
+fix-oidc-frontchannel.patch
+workaround-nginx-issue.patch
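Review bot: patch naming is inconsistent: one new file is prefixed with the upstream work-item number (`3478-fix-oidc-alg.patch`) while the other three are not, and the series order (alg, hide-password, frontchannel, nginx) does not follow the changelog order; pick one convention so future stable updates stay easy to correlate.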
diff --git a/debian/patches/workaround-nginx-issue.patch 
b/debian/patches/workaround-nginx-issue.patch
new file mode 100644
index 000000000..033d3b6b0
--- /dev/null
+++ b/debian/patches/workaround-nginx-issue.patch
@@ -0,0 +1,336 @@
+From: Yadd <[email protected]>
+Date: mai, 01 2026 06:10:10 +0200
+Subject: [PATCH] workaround Nginx issue
+ This patch is a supplementary security for the Nginx issue fixed in Nginx
+ 1.26.3-3+deb13u4
+ .
+ This avoids using the unsecure $http_host variable.
+Origin: upstream, commit:b82e1abd
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3556
+Forwarded: not-needed
+
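Review bot: this patch touches only the shipped examples (`_example/etc/*.conf`), the e2e test config and the documentation; it changes nothing on already deployed systems, whose vhosts keep `fastcgi_param HOST $http_host;` after the upgrade. Since the header itself calls this a supplementary security measure, a NEWS.Debian entry telling admins to update their vhost definitions is warranted, and it should name both the fixed Debian nginx (1.26.3-3+deb13u4, as here) and the upstream 1.29.5 cited in the new config comments, otherwise readers will not connect the two. Also, "unsecure" should read "insecure".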
+--- a/_example/etc/api-nginx.conf
++++ b/_example/etc/api-nginx.conf
+@@ -28,6 +28,7 @@
+     # FastCGI configuration
+     include /etc/nginx/fastcgi_params;
+     fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++    fastcgi_param HTTP_HOST $host;
+     fastcgi_param LLTYPE psgi;
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
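Review bot: `$host` is not a drop-in replacement for `$http_host`: nginx lowercases it, strips any port, and falls back to the matching `server_name` when the Host header is missing or invalid, which is precisely what makes it safe to forward. Deployments reached on a non-standard port, where the backend rebuilds absolute URLs (redirects, OIDC issuer) from HTTP_HOST, will see a value without the port after this change; document that, or show `$host:$server_port` for the cases where the port is needed.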
+--- a/_example/etc/manager-nginx.conf
++++ b/_example/etc/manager-nginx.conf
+@@ -24,6 +24,7 @@
+     # FastCGI configuration
+     include /etc/nginx/fastcgi_params;
+     fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++    fastcgi_param HTTP_HOST $host;
+     fastcgi_param LLTYPE psgi;
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -38,6 +38,7 @@
+     # FastCGI configuration
+     include /etc/nginx/fastcgi_params;
+     fastcgi_pass llng_portal_upstream;
++    fastcgi_param HTTP_HOST $host;
+     fastcgi_param LLTYPE psgi;
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/test-nginx.conf
++++ b/_example/etc/test-nginx.conf
+@@ -27,8 +27,8 @@
+     # Drop post datas
+     fastcgi_pass_request_body  off;
+     fastcgi_param CONTENT_LENGTH "";
+-    # Keep original hostname
+-    fastcgi_param HOST $http_host;
++    # Prevent attacks on older Nginx versions (<1.29.5)
++    fastcgi_param HTTP_HOST $host;
+     # Keep original request (LLNG server will receive /lmauth)
+     fastcgi_param X_ORIGINAL_URI $original_uri;
+     fastcgi_param UNIQUE_ID $request_id;
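Review bot: besides swapping the variable, this hunk renames the FastCGI parameter from `HOST` to `HTTP_HOST`, so the backend now receives the value under the CGI/PSGI `HTTP_HOST` key, where nginx would otherwise place the raw Host header. Confirm that nothing in the handler or portal still reads a `HOST` parameter, and that an explicit `fastcgi_param HTTP_HOST` takes precedence over the header-derived one in the nginx shipped in trixie, since the whole protection depends on that precedence; a test in e2e-tests that sends a mismatching Host header and checks what LLNG sees would pin this down.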
+@@ -43,8 +43,8 @@
+     # Drop post datas
+     #uwsgi_pass_request_body  off;
+     #uwsgi_param CONTENT_LENGTH "";
+-    # Keep original hostname
+-    #uwsgi_param HOST $http_host;
++    # Prevent attacks on older Nginx versions (<1.29.5)
++    #uwsgi_param HTTP_HOST $host;
+     # Keep original request (LLNG server will receive /lmauth)
+     #uwsgi_param X_ORIGINAL_URI $original_uri;
+     #uwsgi_param UNIQUE_ID $request_id;
+--- a/doc/sources/admin/applications/bugzilla.rst
++++ b/doc/sources/admin/applications/bugzilla.rst
+@@ -67,8 +67,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/dokuwiki.rst
++++ b/doc/sources/admin/applications/dokuwiki.rst
+@@ -72,8 +72,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/drupal.rst
++++ b/doc/sources/admin/applications/drupal.rst
+@@ -69,8 +69,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/glpi.rst
++++ b/doc/sources/admin/applications/glpi.rst
+@@ -28,8 +28,8 @@
+ 
+ .. code-block:: nginx
+ 
+-   proxy_set_header Host $http_host;
+-   proxy_set_header X-Forwarded-Host $http_host;
++   proxy_set_header Host $host;
++   proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ 
+--- a/doc/sources/admin/applications/liferay.rst
++++ b/doc/sources/admin/applications/liferay.rst
+@@ -127,8 +127,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/mediawiki.rst
++++ b/doc/sources/admin/applications/mediawiki.rst
+@@ -156,8 +156,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/obm.rst
++++ b/doc/sources/admin/applications/obm.rst
+@@ -149,8 +149,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/phpldapadmin.rst
++++ b/doc/sources/admin/applications/phpldapadmin.rst
+@@ -71,8 +71,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/applications/sympa.rst
++++ b/doc/sources/admin/applications/sympa.rst
+@@ -146,8 +146,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+--- a/doc/sources/admin/configlocation.rst
++++ b/doc/sources/admin/configlocation.rst
+@@ -524,7 +524,7 @@
+        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       fastcgi_param HOST $http_host;
++       fastcgi_param HTTP_HOST $host;
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+ 
+--- a/doc/sources/admin/configvhost.rst
++++ b/doc/sources/admin/configvhost.rst
+@@ -151,8 +151,8 @@
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+ 
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+ 
+        # Keep original request (LLNG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI $original_uri;
+@@ -226,8 +226,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LLNG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI $original_uri;
+      }
+@@ -287,8 +287,8 @@
+        # Drop post data
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+        # Keep original request (LLNG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+      }
+@@ -321,7 +321,7 @@
+ 
+ .. code-block:: nginx
+ 
+-    proxy_set_header Host $http_host;
++    proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_set_header X-Forwarded-Proto $scheme;
+@@ -345,7 +345,7 @@
+        uwsgi_pass 127.0.0.1:5000;
+        uwsgi_pass_request_body  off;
+        uwsgi_param CONTENT_LENGTH "";
+-       uwsgi_param HOST $http_host;
++       uwsgi_param HTTP_HOST $host;
+        uwsgi_param X_ORIGINAL_URI  $original_uri;
+        # Improve performances
+        uwsgi_buffer_size 32k;
+@@ -360,7 +360,7 @@
+        uwsgi_pass 127.0.0.1:5000;
+        uwsgi_pass_request_body  off;
+        uwsgi_param CONTENT_LENGTH "";
+-       uwsgi_param HOST $http_host;
++       uwsgi_param HTTP_HOST $host;
+        uwsgi_param X_ORIGINAL_URI  $original_uri;
+        uwsgi_param VHOSTTYPE AuthBasic;
+        # Improve performances
+@@ -376,7 +376,7 @@
+        uwsgi_pass 127.0.0.1:5000;
+        uwsgi_pass_request_body  off;
+        uwsgi_param CONTENT_LENGTH "";
+-       uwsgi_param HOST $http_host;
++       uwsgi_param HTTP_HOST $host;
+        uwsgi_param X_ORIGINAL_URI  $original_uri;
+        uwsgi_param VHOSTTYPE ServiceToken;
+        # Improve performances
+--- a/doc/sources/admin/docker.rst
++++ b/doc/sources/admin/docker.rst
+@@ -286,8 +286,8 @@
+       # Drop post data
+       fastcgi_pass_request_body  off;
+       fastcgi_param CONTENT_LENGTH "";
+-      # Keep original hostname
+-      fastcgi_param HOST $http_host;
++      # Prevent attacks on older Nginx versions (<1.29.5)
++      fastcgi_param HTTP_HOST $host;
+       # Keep original request (LLNG server will receive /lmauth)
+       fastcgi_param X_ORIGINAL_URI  $original_uri;
+     }
+--- a/doc/sources/admin/nodehandler.rst
++++ b/doc/sources/admin/nodehandler.rst
+@@ -67,8 +67,8 @@
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+ 
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+ 
+        # Keep original request (LLNG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+--- a/doc/sources/admin/ssoaas.rst
++++ b/doc/sources/admin/ssoaas.rst
+@@ -99,8 +99,8 @@
+        # Keep original request (LL::NG server will receive /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+ 
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+ 
+        # Set redirection parameters
+        fastcgi_param HTTPS_REDIRECT "$https";
+@@ -312,8 +312,8 @@
+        fastcgi_pass_request_body  off;
+        fastcgi_param CONTENT_LENGTH "";
+ 
+-       # Keep original hostname
+-       fastcgi_param HOST $http_host;
++       # Prevent attacks on older Nginx versions (<1.29.5)
++       fastcgi_param HTTP_HOST $host;
+ 
+        # Keep original request (LL::NG server will received /lmauth)
+        fastcgi_param X_ORIGINAL_URI  $original_uri;
+--- a/e2e-tests/test-nginx.conf
++++ b/e2e-tests/test-nginx.conf
+@@ -16,8 +16,8 @@
+     fastcgi_pass_request_body  off;
+     fastcgi_param CONTENT_LENGTH "";
+ 
+-    # Keep original hostname
+-    fastcgi_param HOST $http_host;
++    # Prevent attacks on older Nginx versions (<1.29.5)
++    fastcgi_param HTTP_HOST $host;
+ 
+     # Keep original request (LLNG server will received /llauth)
+     fastcgi_param X_ORIGINAL_URI  $request_uri;
+@@ -27,7 +27,7 @@
+     #uwsgi_pass 127.0.0.1:5000;
+     #uwsgi_pass_request_body  off;
+     #uwsgi_param CONTENT_LENGTH "";
+-    #uwsgi_param HOST $http_host;
++    #uwsgi_param HTTP_HOST $host;
+     #uwsgi_param X_ORIGINAL_URI  $request_uri;
+   }
+ 

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
