Differences

documentation:latest:upgrade [2019/09/24 10:58]
coudot [2.0.5]
documentation:latest:upgrade [2020/05/09 13:34] (current)
maxbes [2.0.8]
Line 4: Line 4:
  
 <note warning>​If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update.</​note>​ <note warning>​If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update.</​note>​
 +
 +===== 2.0.8 =====
 +
 +  * New dependency: Perl module Time::Fake is now required to run unit test and build packages, but should not be mandatory to run the software.
 +  * Nginx configuration:​ some changes are required to allow IPv6, see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2152|#​2152]]
 +  * Option ''​singleSessionUserByIP''​ was removed, see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2159|#​2159]]
 +  * A memory leak was found in perl-fcgi with Perl < 5.18, a workaround is possible with Apache and llng-fastcgi-server,​ see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1314|#​1314]]
 +    * With Apache: set ''​FcgidMaxRequestsPerProcess 500''​ in portal virtual host
 +    * With llng-fastcgi-server:​ set ''​PM_MAX_REQUESTS=500''​ in llng-fastcgi-server service configuration
 +  * Cookie ''​SameSite''​ value: to avoid problems with recent browsers, SAML POST binding, LLNG cookies are now tagged as "​**SameSite=None**"​. You can change this value using manager, "​**SameSite=Lax**"​ is best for installations without federations. **Important note**: if you're using an unsecured connection //<​nowiki>​(http://​ instead of https://​)</​nowiki>//,​ "​SameSite=None"​ will be ignored by browsers and users that already have a valid session might be prompted to login again.
 +  * OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now return a 401 when called without an Access Token, instead of redirecting to the portal, as specified by [[https://​tools.ietf.org/​html/​rfc6750|RFC6750]]
 +
 +  * If you encounter the following issue:
 +<​code>​
 +AH01630: client denied by server configuration:​ /​usr/​share/​lemonldap-ng/​manager/​api/​api.fcgi
 +</​code>​
 +when trying to access the portal. It probably comes from incorrect Apache configuration. Remove the (optional and disabled by default) manager API config: ​
 +<​code>​
 +rm /​etc/​httpd/​conf.d/​z-lemonldap-ng-api.conf && systemctl reload httpd
 +</​code>​
 +===== 2.0.7 =====
 +
 +  * Security:
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2040|#​2040]]:​ Configuration of a redirection URI for an OpenID Connect Relying Party is now mandatory, as defined in the specifications. If you save your configuration,​ you will have an error if some of your RP don't have a redirect URI configured.
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1943|#​1943]] / [[https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19791|CVE-2019-19791]]:​ along with the patch provided in 2.0.7 in ''​Lemonldap/​NG/​Common/​PSGI/​Request.pm'',​ Apache rewrite rule must be updated to avoid an unprotected access to REST services:
 +<​code>​portal-apache2.conf</​code>​
 +<file apache>
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​(?:​static|javascript|favicon).*|.*\.fcgi(?:/​.*)?​)$"​
 +    RewriteRule "​^/​(.+)$"​ "/​index.fcgi/​$1"​ [PT]
 +</​file>​
 +<​code>​manager-apache2.conf</​code>​
 +<file apache>
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​static|doc|lib|javascript|favicon).*"​
 +    RewriteRule "​^/​(.+)$"​ "/​manager.fcgi/​$1"​ [PT]
 +</​file>​
 +
 +  * Other:
 +    * Option ''​checkTime''​ was enabled by default in ''​lemonldap-ng.ini'',​ this let the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need strong [[performances|performances]].
 +  * Removed parameters:
 +    * ''​samlIdPResolveCookie''​
  
 ===== 2.0.6 ===== ===== 2.0.6 =====
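Review bot: the CVE-2019-19791 bullet in the 2.0.7 section shows only the new RewriteCond/RewriteRule pairs for ''portal-apache2.conf'' and ''manager-apache2.conf'', so an administrator reading this page cannot tell whether their current rules are already the fixed ones; add one sentence stating what changed relative to the previous rule (which part of the RewriteCond is new) so the update can be verified rather than blindly pasted. Two smaller points in the same hunk: the file names are wrapped in `<code>` blocks, which render as separate code boxes, whereas the rest of the page marks file names with ''...'', and the troubleshooting bullet is split into a fragment ("If you encounter the following issue: ... when trying to access the portal. It probably comes from ..."); suggest "If you see the following error when accessing the portal, it probably comes from an incorrect Apache configuration:" before the `AH01630` block. The ''rm /etc/httpd/conf.d/z-lemonldap-ng-api.conf && systemctl reload httpd'' command also assumes the RPM layout named in the warning at the top of the page; say so, since Debian installs use other paths.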
Line 10: Line 50:
   * If you use the default _whatToTrace macro and a case insensitive authentication backend, then a user can generate several persistent sessions for the same login (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1869|issue 1869]]). This can lead to a security bug if you enabled 2FA, which rely on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace,​ either force lower case in your macro:   * If you use the default _whatToTrace macro and a case insensitive authentication backend, then a user can generate several persistent sessions for the same login (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1869|issue 1869]]). This can lead to a security bug if you enabled 2FA, which rely on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace,​ either force lower case in your macro:
 <code perl> <code perl>
-$_auth eq '​SAML'​ ? lc($_user.'​@'​.$_idpConfKey) : $_auth eq '​OpenIDConnect'​ ? lc($_user.'​@'​.$_oidcConnectedRP) : lc($_user)+$_auth eq '​SAML'​ ? lc($_user.'​@'​.$_idpConfKey) : $_auth eq '​OpenIDConnect'​ ? lc($_user.'​@'​.$_oidc_OP) : lc($_user) 
 +</​code>​ 
 +  * On CentOS 7 / RHEL 7, a system upgrade breaks ImageMagick,​ which is used to display captchas (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1951|#​1951]]). To fix this, you can run the following commands: 
 +<​code>​ 
 +yum install -y urw-base35-fonts-legacy 
 +sed '​s,/​usr/​share/​fonts/​default/​Type1/,/​usr/​share/​X11/​fonts/​urw-fonts/,​g'​ -i /​etc/​ImageMagick/​type-ghostscript.xml
 </​code>​ </​code>​
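Review bot: the ''_whatToTrace'' macro example replaces ''$_oidcConnectedRP'' with ''$_oidc_OP'' without saying so; since this bullet tells administrators to copy the macro, state explicitly that the variable was renamed so anyone who copied the earlier version updates it (the generic "some variable names have changed" bullet further down is easy to miss). In the ImageMagick workaround, ''sed ... -i'' rewrites ''/etc/ImageMagick/type-ghostscript.xml'' in place with no backup; suggest ''sed -i.bak'' (or a ''cp'' beforehand) and a note that the substitution is a no-op if the Type1 font path on that system differs from the one in the pattern.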
  
Line 109: Line 154:
   * some variable names have changed. See [[variables]] document   * some variable names have changed. See [[variables]] document
  
 +===== Opening conditions =====
 +
 +  * Rule and message fields have been swaped. You have to modifiy and validate again your access rules.
 ===== Supported servers ===== ===== Supported servers =====
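Review bot: "swaped" and "modifiy" in the Opening conditions bullet should read "swapped" and "modify", and "validate again" reads better as "re-validate". The bullet also does not say where these fields are (which manager screen) or which field now holds the rule and which the message, so an administrator cannot check the swap before re-saving; suggest naming the screen and stating the current field order.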