From f6dc212e8b1f745bd7f81f4b6415d9f01c01e38c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Thu, 22 Jul 2021 17:49:26 +0200
Subject: [PATCH] Changelog for 2.0.12

---
 changelog | 83 +++++++++++++++++++++++++++++++++++
 scripts/generate-changelog.pl | 2 +-
 2 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/changelog b/changelog
index 389ae15aa..46376b978 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,86 @@
+lemonldap-ng (2.0.12) focal; urgency=medium
+
+ * Bugs:
+ * #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
+ * #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS trough lemonldap-ng-cli
+ * #2453: Manager API: missing doc and array handling of additional audiences
+ * #2455: llng-fastcgi-server exited with signal 13
+ * #2459: Debian packages: missing dependency to gsfonts may break Captcha
+ * #2460: "Underlying object can't load conf" in v2.0.11
+ * #2463: Portal plugin hooks triggered multiple times after reload
+ * #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
+ * #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
+ * #2475: OIDC: Invalid error code returned in badAuthRequest
+ * #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
+ * #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
+ * #2481: missing _utime in OIDC Client Credential sessions
+ * #2482: unexpected persistent sessions appear since 2.0.10
+ * #2483: Second factor removal does not work when hiding session ids from manager
+ * #2487: Incorrect error reporting in convertSessions
+ * #2489: Do not grant the openid scope during Resource Owner Password Grant
+ * #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
+ * #2495: [security:medium] XSS on register form
+ * #2498: convertSessions does not filter sessionKind correctly
+ * #2503: REST/SOAP exported attributes are not sent by REST server
+ * #2509: Local password policy: Allowing ALL special characters does not work
+ * #2511: expires_in in token response has the wrong JSON type in some cases
+ * #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
+ * #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
+ * #2520: Missing translations for DBI configuration
+ * #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
+ * #2529: [bug] OIDC userinfo as jwt not readable
+ * #2531: calling to_json with hash containing file handle fails
+ * #2534: CDA does not work with wildcard vhosts
+ * #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
+ * #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
+ * #2541: Misleading TOTP options
+ * #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
+ * #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
+ * #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
+ * #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
+ * #2550: Token endpoint should only emit ID token when scope contains "openid"
+
+ * New features:
+ * #1976: FindUser plugin
+ * #2451: CrowdSec plugin to query Crowdsec server
+ * #2458: CheckDevOps plugin
+ * #2510: Hook on password change
+ * #2532: add oidcGenerateCode hook
+ * #2554: Remove OIDC checksession iframe from metadata
+
+ * Improvements:
+ * #2260: Missing elements in sphinx documentation (mongodb)
+ * #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
+ * #2424: Feature: Scope Rules
+ * #2454: Append a Show/Hide password button into login form
+ * #2456: Prevent DevOps handler to send hidden session attributes
+ * #2462: Use timezone provided in input dates in extended function "checkDate"
+ * #2465: Force OIDC error messages to use JSON
+ * #2472: Loading metadata can be slow due to parsing of default certificate bundle
+ * #2484: Hook for populating client credential session
+ * #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
+ * #2496: Add new option to ignore undeclared OIDC scopes
+ * #2499: add key mapper for convertSession
+ * #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
+ * #2506: CAS: add an option to forbid host-based matching
+ * #2521: Avoid browsers parameter hide placeholder
+ * #2533: add hooks for CAS issuer
+ * #2536: optimize SingleSession to avoid unneeded session fetches
+ * #2544: Default 2FA register timeout is too low
+ * #2557: Avoid browsers to store new, old and confirmed password during update process
+ * #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)
+
+ * Templates:
+ * #1976: FindUser plugin
+ * #2454: Append a Show/Hide password button into login form
+ * #2458: CheckDevOps plugin
+ * #2495: [security:medium] XSS on register form
+ * #2521: Avoid browsers parameter hide placeholder
+ * #2541: Misleading TOTP options
+ * #2557: Avoid browsers to store new, old and confirmed password during update process
+
+ -- Clément Thu, 22 Jul 2021 17:41:44 +0200
+
 lemonldap-ng (2.0.11) focal; urgency=medium
 
  * Bugs:
diff --git a/scripts/generate-changelog.pl b/scripts/generate-changelog.pl
index 4b6030edd..df406fdad 100755
--- a/scripts/generate-changelog.pl
+++ b/scripts/generate-changelog.pl
@@ -12,7 +12,7 @@ use LWP::UserAgent;
 use JSON;
-my $milestone = '2.0.11';
+my $milestone = '2.0.12';
 my @cat = ( 'Bug', 'New feature', 'Improvement', 'Template', 'WebServer Conf' );
 open F, "$ENV{HOME}/.ow2-token" or die "Unable to get OW2 token ($!)";