Version in base suite: 2.16.1+ds-deb12u7 Base version: lemonldap-ng_2.16.1+ds-deb12u7 Target version: lemonldap-ng_2.16.1+ds-deb12u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.16.1+ds-deb12u8.dsc changelog | 7 patches/series | 1 patches/workaround-nginx-issue.patch | 323 +++++++++++++++++++++++++++++++++++ 3 files changed, 331 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpipd08d9_/lemonldap-ng_2.16.1+ds-deb12u7.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpipd08d9_/lemonldap-ng_2.16.1+ds-deb12u8.dsc: no acceptable signature found diff -Nru lemonldap-ng-2.16.1+ds/debian/changelog lemonldap-ng-2.16.1+ds/debian/changelog --- lemonldap-ng-2.16.1+ds/debian/changelog 2025-10-18 09:52:30.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/changelog 2026-05-01 06:43:16.000000000 +0000 @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u8) bookworm; urgency=medium + + * Update default Nginx files and documentation to avoid using Nginx insecure + $http_host + + -- Xavier Guimard Fri, 01 May 2026 08:43:16 +0200 + lemonldap-ng (2.16.1+ds-deb12u7) bookworm; urgency=medium * Fix sessions tablename when not default diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/series lemonldap-ng-2.16.1+ds/debian/patches/series --- lemonldap-ng-2.16.1+ds/debian/patches/series 2025-10-18 09:52:30.000000000 +0000 +++ lemonldap-ng-2.16.1+ds/debian/patches/series 2026-05-01 06:43:16.000000000 +0000 
@@ -23,3 +23,4 @@
 fix-path-info.patch
 CVE-2025-59518.patch
 dont-expose-session-id-in-ajax-responses.patch
+workaround-nginx-issue.patch
diff -Nru lemonldap-ng-2.16.1+ds/debian/patches/workaround-nginx-issue.patch lemonldap-ng-2.16.1+ds/debian/patches/workaround-nginx-issue.patch
--- lemonldap-ng-2.16.1+ds/debian/patches/workaround-nginx-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.16.1+ds/debian/patches/workaround-nginx-issue.patch 2026-05-01 06:43:16.000000000 +0000
@@ -0,0 +1,323 @@
+From: Yadd
+Date: mai, 01 2026 06:10:10 +0200
+Subject: [PATCH] workaround Nginx issue
+ This patch is a supplementary security for the Nginx issue fixed in Nginx
+ 1.26.3-3+deb13u4
+ .
+ This avoids using the unsecure $http_host variable.
+Origin: upstream, commit:b82e1abd
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3556
+Forwarded: not-needed
+
+--- a/_example/etc/api-nginx.conf
++++ b/_example/etc/api-nginx.conf
+@@ -28,6 +28,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/manager-nginx.conf
++++ b/_example/etc/manager-nginx.conf
+@@ -24,6 +24,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -38,6 +38,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass llng_portal_upstream;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/test-nginx.conf
++++ b/_example/etc/test-nginx.conf
+@@ -23,8 +23,8 @@
+ # Drop post datas
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ # Improve performances
+@@ -38,8 +38,8 @@
+ # Drop post datas
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- #uwsgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ #uwsgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ #uwsgi_param X_ORIGINAL_URI $original_uri;
+ ## Improve performances
+--- a/doc/sources/admin/applications/bugzilla.rst
++++ b/doc/sources/admin/applications/bugzilla.rst
+@@ -67,8 +67,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/dokuwiki.rst
++++ b/doc/sources/admin/applications/dokuwiki.rst
+@@ -72,8 +72,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/drupal.rst
++++ b/doc/sources/admin/applications/drupal.rst
+@@ -69,8 +69,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/glpi.rst
++++ b/doc/sources/admin/applications/glpi.rst
+@@ -28,8 +28,8 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
+- proxy_set_header X-Forwarded-Host $http_host;
++ proxy_set_header Host $host;
++ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+--- a/doc/sources/admin/applications/liferay.rst
++++ b/doc/sources/admin/applications/liferay.rst
+@@ -127,8 +127,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/mediawiki.rst
++++ b/doc/sources/admin/applications/mediawiki.rst
+@@ -156,8 +156,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/obm.rst
++++ b/doc/sources/admin/applications/obm.rst
+@@ -149,8 +149,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/phpldapadmin.rst
++++ b/doc/sources/admin/applications/phpldapadmin.rst
+@@ -71,8 +71,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/sympa.rst
++++ b/doc/sources/admin/applications/sympa.rst
+@@ -146,8 +146,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/configlocation.rst
++++ b/doc/sources/admin/configlocation.rst
+@@ -508,7 +508,7 @@
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- fastcgi_param HOST $http_host;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+
+--- a/doc/sources/admin/configvhost.rst
++++ b/doc/sources/admin/configvhost.rst
+@@ -149,8 +149,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+@@ -224,8 +224,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -285,8 +285,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -319,7 +319,7 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
++ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+@@ -343,7 +343,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ # Improve performances
+ uwsgi_buffer_size 32k;
+@@ -358,7 +358,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE AuthBasic;
+ # Improve performances
+@@ -374,7 +374,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE ServiceToken;
+ # Improve performances
+--- a/doc/sources/admin/nodehandler.rst
++++ b/doc/sources/admin/nodehandler.rst
+@@ -67,8 +67,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+--- a/doc/sources/admin/ssoaas.rst
++++ b/doc/sources/admin/ssoaas.rst
+@@ -97,8 +97,8 @@
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Set redirection parameters
+ fastcgi_param HTTPS_REDIRECT "$https";
+@@ -304,8 +304,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LL::NG server will received /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+--- a/e2e-tests/test-nginx.conf
++++ b/e2e-tests/test-nginx.conf
+@@ -16,8 +16,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will received /llauth)
+ fastcgi_param X_ORIGINAL_URI $request_uri;
+@@ -27,7 +27,7 @@
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- #uwsgi_param HOST $http_host;
++ #uwsgi_param HTTP_HOST $host;
+ #uwsgi_param X_ORIGINAL_URI $request_uri;
+ }
+
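Review bot: The new `fastcgi_param HTTP_HOST $host;` / `uwsgi_param HTTP_HOST $host;` lines (test-nginx.conf, configvhost.rst, nodehandler.rst, ssoaas.rst, e2e-tests/test-nginx.conf and the application pages) rename the parameter the handler receives, which used to be `HOST`, yet this debdiff ships no Perl change and cannot touch the virtual host files administrators already have under /etc, so it is worth confirming that the 2.16.1 handler reads `HTTP_HOST` where it previously read `HOST` and adding a debian/NEWS entry asking administrators to make the same substitution in their own configurations. `$host` also differs from `$http_host` beyond trust level: nginx normalizes it (lowercased, port suffix removed, falling back to the matching `server_name` when the header is absent), so a virtual host declared in the LL::NG manager with an explicit port would presumably stop matching; one sentence next to the changed lines in configvhost.rst would save an upgrade surprise. The comment `# Prevent attacks on older Nginx versions (<1.29.5)` cites an upstream version while the DEP-3 header cites the Debian one (1.26.3-3+deb13u4), which will confuse bookworm readers; a reason-based comment such as `# Use the nginx-validated $host rather than the raw Host header ($http_host)` ages better than a version number. The api/manager/portal hunks add the parameter without any comment at all, so the same one-liner would help there too.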