Version in base suite: 2.21.2+ds-1+deb13u1 Base version: lemonldap-ng_2.21.2+ds-1+deb13u1 Target version: lemonldap-ng_2.21.2+ds-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.21.2+ds-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.21.2+ds-1+deb13u2.dsc changelog | 11 patches/3478-fix-oidc-alg.patch | 18 patches/fix-oidc-frontchannel.patch | 18 patches/really-hide-password-in-session-explorer.patch | 238 ++++++++++++ patches/series | 4 patches/workaround-nginx-issue.patch | 336 +++++++++++++++++ 6 files changed, 625 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp13d_nx64/lemonldap-ng_2.21.2+ds-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp13d_nx64/lemonldap-ng_2.21.2+ds-1+deb13u2.dsc: no acceptable signature found
diff -Nru lemonldap-ng-2.21.2+ds/debian/changelog lemonldap-ng-2.21.2+ds/debian/changelog
--- lemonldap-ng-2.21.2+ds/debian/changelog 2025-11-02 15:24:21.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/changelog 2026-05-01 06:23:09.000000000 +0000
@@ -1,3 +1,14 @@
+lemonldap-ng (2.21.2+ds-1+deb13u2) trixie; urgency=medium
+
+ * Import main 2.21.4 changes:
+ - OIDC ignored non default signature algorithm
+ - OIDC dynamic registration didn't register Front-Channel-Logout URL when
+ set
+ - Really hide passwords in session-explorer when stored in session
+ - Update documentation to avoid using unsecured Nginx variable
+
+ -- Xavier Guimard Fri, 01 May 2026 08:23:09 +0200
+
 lemonldap-ng (2.21.2+ds-1+deb13u1) trixie; urgency=medium
 * Fix shell injection from admin interface (Closes: CVE-2025-59518)
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/3478-fix-oidc-alg.patch lemonldap-ng-2.21.2+ds/debian/patches/3478-fix-oidc-alg.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/3478-fix-oidc-alg.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/3478-fix-oidc-alg.patch 2026-05-01 06:23:09.000000000 +0000
@@ -0,0 +1,18 @@
+From: Yadd
+Date: mai, 01 2026 05:49:52 +0200
+Subject: [PATCH] fix typo that breaks alg
+ Sadly the test OP was named "op"
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3478
+Forwarded: not-needed
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -490,7 +490,7 @@
+ iat => time,
+ %$authorize_request_params,
+ },
+- $self->opOptions->{op}
++ $self->opOptions->{$op}
+ ->{oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg} || 'RS256',
+ $op
+ );
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/fix-oidc-frontchannel.patch lemonldap-ng-2.21.2+ds/debian/patches/fix-oidc-frontchannel.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/fix-oidc-frontchannel.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/fix-oidc-frontchannel.patch 2026-05-01 06:23:09.000000000 +0000
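Review bot: The 3478-fix-oidc-alg.patch header carries `Bug:` and `Forwarded: not-needed` but no `Origin:` line, unlike the three sibling patches that each cite an upstream commit, so the provenance of this one-character change cannot be checked against upstream; add `Origin: upstream, commit:<UPSTREAM_COMMIT_PLACEHOLDER>` (or `Origin: vendor` if it is Debian-only). The description says the typo survived because the test OP happened to be named "op", yet the patch changes no test, so a regression test that registers an OP under another name with a non-default `oidcOPMetaDataOptionsAuthnEndpointAuthSigAlg` and asserts the request object is signed with that algorithm would pin the fix. The enclosing call in OpenIDConnect.pm starts before the hunk.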
@@ -0,0 +1,18 @@
+From: Yadd
+Date: mai, 01 2026 06:07:59 +0200
+Subject: [PATCH] fix typo that broke OIDC front-channel-logout
+Origin: upstream, commit:c4dde51
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3592
+Forwarded: not-needed
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -2431,7 +2431,7 @@
+ my $backchannel_logout_uri = $client_metadata->{backchannel_logout_uri};
+ my $backchannel_logout_session_required =
+ $client_metadata->{backchannel_logout_session_required};
+- my $frontchannel_logout_uri = $client_metadata->{backchannel_logout_uri};
++ my $frontchannel_logout_uri = $client_metadata->{frontchannel_logout_uri};
+ my $frontchannel_logout_session_required =
+ $client_metadata->{frontchannel_logout_session_required};
+ my $jwksUri = $client_metadata->{jwks_uri};
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/really-hide-password-in-session-explorer.patch lemonldap-ng-2.21.2+ds/debian/patches/really-hide-password-in-session-explorer.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/really-hide-password-in-session-explorer.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/really-hide-password-in-session-explorer.patch 2026-05-01 06:23:09.000000000 +0000
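Review bot: The fix to `my $frontchannel_logout_uri = $client_metadata->{frontchannel_logout_uri};` ships without a regression test, while the sibling hide-password patch adds one for its change; a test that dynamically registers a client with `frontchannel_logout_uri` set and asserts it is persisted would have caught the original copy-paste and guards this one. Nothing in the hunk shows the value being validated before it is stored, and since a front-channel logout URL is later loaded in the user's browser at logout, it should be accepted only as an absolute https URL — presumably `backchannel_logout_uri` already gets such a check elsewhere in this routine, so confirm the same is applied here. The enclosing registration routine starts and ends outside the hunk.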
@@ -0,0 +1,238 @@
+From: Yadd
+Date: mai, 01 2026 06:03:56 +0200
+Subject: [PATCH] really hide passwords from session explorer
+Origin: upstream, commit:d9ba579
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3568
+Forwarded: not-needed
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
+@@ -14,6 +14,11 @@
+ # Boolean value to tell if storage ID is hashed or not
+ has hashedSessionStore => ( is => 'rw' );
+
++sub hiddenAttributes {
++ my ($self) = @_;
++ return $self->{hiddenAttributes} || $self->conf->{hiddenAttributes};
++}
++
+ sub setTypes {
+ my ( $self, $conf ) = @_;
+ foreach my $type (@sessionTypes) {
+@@ -467,7 +472,8 @@
+ my %session = %{ $apacheSession->data };
+ unless ($raw) {
+ foreach ( keys %session ) {
+- $session{$_} = '******' if isHiddenAttr( $self->conf, $_ );
++ $session{$_} = '******'
++ if isHiddenAttr( $self->hiddenAttributes, $_ );
+ }
+ }
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Util.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Util.pm
+@@ -37,7 +37,7 @@
+ }
+
+ sub isHiddenAttr {
+- my ( $conf, $attr, @extra_hidden_attributes ) = @_;
++ my ( $hiddenAttributes, $attr, @extra_hidden_attributes ) = @_;
+ my ( @regexps, $match );
+
+ my %hiddenAttributes = map { $_ => 1 } grep {
+@@ -48,8 +48,7 @@
+ else {
+ 1;
+ }
+- } ( split( /[,\s]+/, $conf->{hiddenAttributes} ),
+- @extra_hidden_attributes );
++ } ( split( /[,\s]+/, $hiddenAttributes ), @extra_hidden_attributes );
+
+ my $regex =
+ keys %hiddenAttributes
+@@ -112,7 +111,7 @@
+
+ This method formats device name for logging purpose
+
+-=head3 isHiddenAttr( $conf, $attr, @extra_hidden_attributes )
++=head3 isHiddenAttr( $conf_value, $attr, @extra_hidden_attributes )
+
+ This method tests if the attribute is hidden.
+ @extra_hidden_attributes is an array of additional attributes to hide.
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/DevOps.pm
+@@ -99,7 +99,8 @@
+ foreach ( keys %{ $json->{headers} } ) {
+ my $header = $json->{headers}->{$_};
+ $header =~ s/^\$//;
+- if ( isHiddenAttr( $class->localConfig, $header ) ) {
++ if ( isHiddenAttr( $class->localConfig->{hiddenAttributes}, $header ) )
++ {
+ delete $json->{headers}->{$_};
+ $class->auditLog(
+ $req,
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -6,8 +6,8 @@
+
+ use strict;
+ use MIME::Base64;
+-use POSIX qw(strftime);
+-use Lemonldap::NG::Common::Util qw(isHiddenAttr);
++use POSIX qw(strftime);
++use Lemonldap::NG::Common::Util qw(isHiddenAttr);
+ use Lemonldap::NG::Portal::Main::Constants qw(portalConsts);
+ use URI;
+
+@@ -617,7 +617,8 @@
+ foreach my $k ( sort keys %{ $req->{sessionInfo} } ) {
+ next unless defined $req->{sessionInfo}->{$k};
+ my $displayValue = $req->{sessionInfo}->{$k};
+- $displayValue = '****' if isHiddenAttr( $self->conf, $k );
++ $displayValue = '****'
++ if isHiddenAttr( $self->conf->{hiddenAttributes}, $k );
+ $self->logger->debug("Store $displayValue in session key $k");
+ $self->_dump($displayValue) if ref($displayValue);
+ $infos->{$k} = $req->{sessionInfo}->{$k};
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckDevOps.pm
+@@ -193,7 +193,7 @@
+ foreach ( keys %{ $json->{headers} } ) {
+ my $header = $json->{headers}->{$_};
+ $header =~ s/^\$//;
+- if ( isHiddenAttr( $self->conf, $header ) ) {
++ if ( isHiddenAttr( $self->conf->{hiddenAttributes}, $header ) ) {
+ my $user = $req->userData->{ $self->conf->{whatToTrace} };
+ $self->userLogger->warn(
+ "CheckDevOps: $user tried to retrieve a hidden attribute -> $header"
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+@@ -606,7 +606,7 @@
+ push @$array_attrs,
+ { key => $_, value => $attrs->{$_} }
+ unless ( (
+- isHiddenAttr( $self->conf, $_, @hidden )
++ isHiddenAttr( $self->conf->{hiddenAttributes}, $_, @hidden )
+ && !$self->displayHiddenAttributesRule->( $req, $userData )
+ )
+ || ( !$attrs->{$_}
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+@@ -2,7 +2,7 @@
+
+ use strict;
+ use Mouse;
+-use Lemonldap::NG::Common::Util qw(isHiddenAttr);
++use Lemonldap::NG::Common::Util qw(isHiddenAttr);
+ use Lemonldap::NG::Portal::Main::Constants qw(
+ PE_MALFORMEDUSER
+ PE_OK PE_BADCREDENTIALS
+@@ -137,7 +137,7 @@
+ next unless defined $req->{sessionInfo}->{$k};
+ }
+ my $spk = $self->prefix . $k;
+- unless ( isHiddenAttr( $self->conf, $k, @hidden )
++ unless ( isHiddenAttr( $self->conf->{hiddenAttributes}, $k, @hidden )
+ || $k =~ /^(?:_imp|token|_type)\w*\b/ )
+ {
+ $realSession->{$spk} = $req->{sessionInfo}->{$k};
+--- /dev/null
++++ b/lemonldap-ng-manager/t/40-sessions-hideId.t
+@@ -0,0 +1,75 @@
++# Test sessions explorer API
++
++use warnings;
++use Test::More;
++use JSON;
++use strict;
++use Lemonldap::NG::Common::Session;
++
++eval { mkdir 't/sessions' };
++`rm -rf t/sessions/*`;
++require 't/test-lib.pm';
++
++sub newSession {
++ my ( $uid, $ip ) = splice @_;
++ my $tmp;
++ ok(
++ $tmp = Lemonldap::NG::Common::Session->new( {
++ storageModule => 'Apache::Session::File',
++ storageModuleOptions => {
++ Directory => 't/sessions',
++ LockDirectory => 't/sessions',
++ generateModule =>
++'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
++ },
++ }
++ ),
++ 'Sessions module'
++ );
++ count(1);
++ $tmp->update( {
++ ipAddr => $ip,
++ _whatToTrace => $uid,
++ uid => $uid,
++ _utime => time,
++ _session_kind => 'SSO',
++ }
++ );
++ return $tmp->{id};
++}
++
++my $client = LLNG::Manager::Test->new(
++ ini => {
++ displaySessionId => 0,
++ }
++);
++
++my @realids;
++$realids[0] = newSession( 'dwho', '127.10.0.1' );
++$realids[1] = newSession( 'dwho2', '127.2.0.2' );
++@realids = sort @realids;
++
++# "All" query
++my $res = $client->jsonResponse("/sessions/global/");
++ok( $res->{result} == 1, 'Result code = 1' );
++ok( $res->{count} == 2, 'Found 2 sessions' );
++ok( @{ $res->{values} } == 2, 'List 2 sessions' );
++my @obfuscatedids = sort map { $_->{session} } @{ $res->{values} };
++isnt( $realids[0], $obfuscatedids[0], "Obfuscated ID differs from real one" );
++count(4);
++
++# Single session access
++$res = $client->jsonResponse("/sessions/global/$obfuscatedids[0]");
++if ( $res->{uid} eq 'dwho' ) {
++ is( $res->{ipAddr}, '127.10.0.1', 'IP found' );
++}
++else {
++ is( $res->{ipAddr}, '127.2.0.2', 'IP found' );
++}
++is( $res->{_session_id}, '******', "Session ID is obfuscated" );
++count(2);
++
++done_testing( count() );
++
++# Remove sessions directory
++`rm -rf t/sessions`;
+--- a/lemonldap-ng-manager/t/40-sessions.t
++++ b/lemonldap-ng-manager/t/40-sessions.t
+@@ -32,7 +32,8 @@
+ _whatToTrace => $uid,
+ uid => $uid,
+ _utime => time,
+- _session_kind => 'SSO'
++ _session_kind => 'SSO',
++ _password => 'dwho',
+ }
+ );
+ return $tmp->{id};
+@@ -46,7 +47,8 @@
+ ok( ( $res->{uid} and $res->{uid} eq 'dwho' ), 'Uid found' )
+ or print STDERR Dumper($res);
+ ok( ( $res->{ipAddr} and $res->{ipAddr} eq '127.10.0.1' ), 'IP found' );
+-count(2);
++isnt( $res->{_password}, 'dwho', 'Password attribute is hidden' );
++count(3);
+
+ # "All" query
+ $res = &client->jsonResponse("/sessions/global/");
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/series lemonldap-ng-2.21.2+ds/debian/patches/series
--- lemonldap-ng-2.21.2+ds/debian/patches/series 2025-11-02 15:23:35.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/series 2026-05-01 06:23:09.000000000 +0000
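Review bot: In the `40-sessions.t` hunk the new assertion `isnt( $res->{_password}, 'dwho', 'Password attribute is hidden' );` passes for any value other than the plaintext — an undef, a truncated or differently encoded copy — so it does not pin the masking the patch introduces; `is( $res->{_password}, '******', 'Password attribute is hidden' );` would, and matches what the new `40-sessions-hideId.t` asserts for `_session_id`. The Process.pm `@@ -6,8 +6,8 @@` and Impersonation.pm `@@ -2,7 +2,7 @@` hunks remove and re-add `use` lines that read identically here (presumably a whitespace-only change), which is noise in a stable-update security patch and should be dropped. The POD in Util.pm now documents the first argument as `$conf_value` while the code names it `$hiddenAttributes`; the heading should be `=head3 isHiddenAttr( $hiddenAttributes, $attr, @extra_hidden_attributes )` followed by a sentence stating that the first argument is the comma/space-separated attribute list, not the configuration hashref, since every caller changed in this patch now passes the string.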
@@ -5,3 +5,7 @@
 CVE-2025-59518.patch
 dont-expose-session-id-in-ajax-responses.patch
 fix-google-auth.patch
+3478-fix-oidc-alg.patch
+really-hide-password-in-session-explorer.patch
+fix-oidc-frontchannel.patch
+workaround-nginx-issue.patch
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/workaround-nginx-issue.patch lemonldap-ng-2.21.2+ds/debian/patches/workaround-nginx-issue.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/workaround-nginx-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/workaround-nginx-issue.patch 2026-05-01 06:23:09.000000000 +0000
@@ -0,0 +1,336 @@
+From: Yadd
+Date: mai, 01 2026 06:10:10 +0200
+Subject: [PATCH] workaround Nginx issue
+ This patch is a supplementary security for the Nginx issue fixed in Nginx
+ 1.26.3-3+deb13u4
+ .
+ This avoids using the unsecure $http_host variable.
+Origin: upstream, commit:b82e1abd
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3556
+Forwarded: not-needed
+
+--- a/_example/etc/api-nginx.conf
++++ b/_example/etc/api-nginx.conf
+@@ -28,6 +28,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/manager-nginx.conf
++++ b/_example/etc/manager-nginx.conf
+@@ -24,6 +24,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -38,6 +38,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass llng_portal_upstream;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/test-nginx.conf
++++ b/_example/etc/test-nginx.conf
+@@ -27,8 +27,8 @@
+ # Drop post datas
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ fastcgi_param UNIQUE_ID $request_id;
+@@ -43,8 +43,8 @@
+ # Drop post datas
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- #uwsgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ #uwsgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ #uwsgi_param X_ORIGINAL_URI $original_uri;
+ #uwsgi_param UNIQUE_ID $request_id;
+--- a/doc/sources/admin/applications/bugzilla.rst
++++ b/doc/sources/admin/applications/bugzilla.rst
+@@ -67,8 +67,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/dokuwiki.rst
++++ b/doc/sources/admin/applications/dokuwiki.rst
+@@ -72,8 +72,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/drupal.rst
++++ b/doc/sources/admin/applications/drupal.rst
+@@ -69,8 +69,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/glpi.rst
++++ b/doc/sources/admin/applications/glpi.rst
+@@ -28,8 +28,8 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
+- proxy_set_header X-Forwarded-Host $http_host;
++ proxy_set_header Host $host;
++ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+--- a/doc/sources/admin/applications/liferay.rst
++++ b/doc/sources/admin/applications/liferay.rst
+@@ -127,8 +127,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/mediawiki.rst
++++ b/doc/sources/admin/applications/mediawiki.rst
+@@ -156,8 +156,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/obm.rst
++++ b/doc/sources/admin/applications/obm.rst
+@@ -149,8 +149,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/phpldapadmin.rst
++++ b/doc/sources/admin/applications/phpldapadmin.rst
+@@ -71,8 +71,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/sympa.rst
++++ b/doc/sources/admin/applications/sympa.rst
+@@ -146,8 +146,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/configlocation.rst
++++ b/doc/sources/admin/configlocation.rst
+@@ -524,7 +524,7 @@
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- fastcgi_param HOST $http_host;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+
+--- a/doc/sources/admin/configvhost.rst
++++ b/doc/sources/admin/configvhost.rst
+@@ -151,8 +151,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+@@ -226,8 +226,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -287,8 +287,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -321,7 +321,7 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
++ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+@@ -345,7 +345,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ # Improve performances
+ uwsgi_buffer_size 32k;
+@@ -360,7 +360,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE AuthBasic;
+ # Improve performances
+@@ -376,7 +376,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE ServiceToken;
+ # Improve performances
+--- a/doc/sources/admin/docker.rst
++++ b/doc/sources/admin/docker.rst
+@@ -286,8 +286,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/nodehandler.rst
++++ b/doc/sources/admin/nodehandler.rst
+@@ -67,8 +67,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+--- a/doc/sources/admin/ssoaas.rst
++++ b/doc/sources/admin/ssoaas.rst
+@@ -99,8 +99,8 @@
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Set redirection parameters
+ fastcgi_param HTTPS_REDIRECT "$https";
+@@ -312,8 +312,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LL::NG server will received /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+--- a/e2e-tests/test-nginx.conf
++++ b/e2e-tests/test-nginx.conf
+@@ -16,8 +16,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will received /llauth)
+ fastcgi_param X_ORIGINAL_URI $request_uri;
+@@ -27,7 +27,7 @@
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- #uwsgi_param HOST $http_host;
++ #uwsgi_param HTTP_HOST $host;
+ #uwsgi_param X_ORIGINAL_URI $request_uri;
+ }
+
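Review bot: The new comment `# Prevent attacks on older Nginx versions (<1.29.5)`, introduced in the test-nginx.conf hunk and repeated in every documentation snippet, names a version but not what the operator needs to know: `$host` is nginx's normalised host (lower-cased, port removed, falling back to the matching `server_name` when the header is absent or rejected) whereas `$http_host` is the raw header, so the application now receives a different `HTTP_HOST` on non-standard ports. If LL::NG matches virtual hosts or builds redirect URLs from the full `host:port` string — I cannot see that from the hunk — deployments on non-default ports will need their `server_name` to match, or a separate parameter carrying `$server_port`. A comment such as `# Pass nginx's validated $host (not the raw Host header); note it carries no port` states the trade-off instead of only a version. The DEP-3 description cites the Debian fix as `1.26.3-3+deb13u4` while the config comments cite upstream `1.29.5`; quoting both (`upstream <1.29.5, Debian <1.26.3-3+deb13u4`) spares Debian readers, who will never see a 1.29 package, from concluding the workaround still applies after the security update.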