Bug#1135327: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u8
Xavier Guimard
yadd at debian.org
Fri May 1 07:49:51 BST 2026
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap-ng at packages.debian.org, yadd at debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Documentation and default Nginx files propose to use $http_host. This
variable is unsecured before Nginx 1.29.5 (or 1.26.3-3+deb13u4, see
#1134654).
[ Impact ]
Possible privilege escalation
[ Tests ]
No change in code
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Replace $http_host with $host and force the HTTP_HOST fastcgi/uwsgi parameter
to avoid the default Nginx behavior that populates it with the unsecured $http_host
diff --git a/debian/changelog b/debian/changelog
index 1e1b87fa8..f41f47d61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u8) bookworm; urgency=medium
+
+ * Update default Nginx files and documentation to avoid using Nginx insecure
+ $http_host
+
+ -- Xavier Guimard <yadd at debian.org> Fri, 01 May 2026 08:43:16 +0200
+
lemonldap-ng (2.16.1+ds-deb12u7) bookworm; urgency=medium
* Fix sessions tablename when not default
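Review bot: the new changelog entry gives a bookworm user no reference to follow from the changed default files back to the underlying problem, although the report cites Debian bug #1134654 (filed against nginx) and the patch header cites the upstream work item; one of them belongs in the entry, e.g. `* Update default Nginx files and documentation to avoid using the insecure` / `Nginx variable $http_host (see #1134654)`, written as "see" rather than "Closes:" because that bug is not against this package. "Nginx insecure $http_host" also reads better as "the insecure Nginx variable $http_host".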
diff --git a/debian/patches/series b/debian/patches/series
index 804b8c884..58e555daa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ improve-cors.patch
fix-path-info.patch
CVE-2025-59518.patch
dont-expose-session-id-in-ajax-responses.patch
+workaround-nginx-issue.patch
diff --git a/debian/patches/workaround-nginx-issue.patch b/debian/patches/workaround-nginx-issue.patch
new file mode 100644
index 000000000..f49097373
--- /dev/null
+++ b/debian/patches/workaround-nginx-issue.patch
@@ -0,0 +1,323 @@
+From: Yadd <yadd at debian.org>
+Date: mai, 01 2026 06:10:10 +0200
+Subject: [PATCH] workaround Nginx issue
+ This patch is a supplementary security for the Nginx issue fixed in Nginx
+ 1.26.3-3+deb13u4
+ .
+ This avoids using the unsecure $http_host variable.
+Origin: upstream, commit:b82e1abd
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3556
+Forwarded: not-needed
+
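Review bot: the DEP-3 `Date:` field, `mai, 01 2026 06:10:10 +0200`, is not in RFC 2822 form (French month name, no weekday, day before month), so `git am` and other tools that parse the header will reject or mis-date the patch; `Fri, 01 May 2026 06:10:10 +0200` matches the changelog timestamp. In the description, "unsecure" should read "insecure", and since the text calls this "supplementary security" for the fix shipped in nginx 1.26.3-3+deb13u4, it would help to state plainly that the patch does not replace upgrading nginx.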
+--- a/_example/etc/api-nginx.conf
++++ b/_example/etc/api-nginx.conf
+@@ -28,6 +28,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
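Review bot: this hunk (and the identical ones for manager-nginx.conf and portal-nginx.conf) adds a parameter these files never set before, so the commit message should say why an addition is needed rather than a replacement: Nginx copies every request header to a `HTTP_*` parameter unless a `fastcgi_param` of that exact name is declared, so only an explicit `HTTP_HOST` displaces the copy of the raw Host header. A one-line comment above the new line, like the "Prevent attacks on older Nginx versions" comment used in the other hunks, would stop a future cleanup from dropping it as redundant with `include /etc/nginx/fastcgi_params`.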
+--- a/_example/etc/manager-nginx.conf
++++ b/_example/etc/manager-nginx.conf
+@@ -24,6 +24,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/portal-nginx.conf
++++ b/_example/etc/portal-nginx.conf
+@@ -38,6 +38,7 @@
+ # FastCGI configuration
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass llng_portal_upstream;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+--- a/_example/etc/test-nginx.conf
++++ b/_example/etc/test-nginx.conf
+@@ -23,8 +23,8 @@
+ # Drop post datas
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ # Improve performances
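Review bot: the functional change here is the rename from `HOST` to `HTTP_HOST`, not the switch to `$host`: a parameter named `HOST` never displaced the header-derived `HTTP_HOST`, so the old line was not protecting anything. Please confirm that no handler code read the custom `HOST` parameter, since it is removed rather than kept alongside the new one. The comment `Prevent attacks on older Nginx versions (<1.29.5)` is repeated in every documentation hunk below, but bookworm and trixie will never carry 1.29.5 and get the fix as a backport (the report names 1.26.3-3+deb13u4); pointing at Debian bug #1134654 instead of the upstream version avoids admins concluding that their patched nginx is still vulnerable.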
+@@ -38,8 +38,8 @@
+ # Drop post datas
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- #uwsgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ #uwsgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ #uwsgi_param X_ORIGINAL_URI $original_uri;
+ ## Improve performances
+--- a/doc/sources/admin/applications/bugzilla.rst
++++ b/doc/sources/admin/applications/bugzilla.rst
+@@ -67,8 +67,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/dokuwiki.rst
++++ b/doc/sources/admin/applications/dokuwiki.rst
+@@ -72,8 +72,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/drupal.rst
++++ b/doc/sources/admin/applications/drupal.rst
+@@ -69,8 +69,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/glpi.rst
++++ b/doc/sources/admin/applications/glpi.rst
+@@ -28,8 +28,8 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
+- proxy_set_header X-Forwarded-Host $http_host;
++ proxy_set_header Host $host;
++ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
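Review bot: `$host` is the right source for `Host` and `X-Forwarded-Host`, but unlike `$http_host` it carries no port, so a proxied application that builds absolute URLs from these headers (the same holds for the `proxy_set_header Host $host;` hunk in configvhost.rst) will lose a non-standard port; the documentation should either show `$host:$server_port` for such deployments or state that the examples assume the default port.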
+--- a/doc/sources/admin/applications/liferay.rst
++++ b/doc/sources/admin/applications/liferay.rst
+@@ -127,8 +127,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/mediawiki.rst
++++ b/doc/sources/admin/applications/mediawiki.rst
+@@ -156,8 +156,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/obm.rst
++++ b/doc/sources/admin/applications/obm.rst
+@@ -149,8 +149,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/phpldapadmin.rst
++++ b/doc/sources/admin/applications/phpldapadmin.rst
+@@ -71,8 +71,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/applications/sympa.rst
++++ b/doc/sources/admin/applications/sympa.rst
+@@ -146,8 +146,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+--- a/doc/sources/admin/configlocation.rst
++++ b/doc/sources/admin/configlocation.rst
+@@ -508,7 +508,7 @@
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- fastcgi_param HOST $http_host;
++ fastcgi_param HTTP_HOST $host;
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+
+--- a/doc/sources/admin/configvhost.rst
++++ b/doc/sources/admin/configvhost.rst
+@@ -149,8 +149,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+@@ -224,8 +224,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -285,8 +285,8 @@
+ # Drop post data
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+ }
+@@ -319,7 +319,7 @@
+
+ .. code-block:: nginx
+
+- proxy_set_header Host $http_host;
++ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+@@ -343,7 +343,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ # Improve performances
+ uwsgi_buffer_size 32k;
+@@ -358,7 +358,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE AuthBasic;
+ # Improve performances
+@@ -374,7 +374,7 @@
+ uwsgi_pass 127.0.0.1:5000;
+ uwsgi_pass_request_body off;
+ uwsgi_param CONTENT_LENGTH "";
+- uwsgi_param HOST $http_host;
++ uwsgi_param HTTP_HOST $host;
+ uwsgi_param X_ORIGINAL_URI $original_uri;
+ uwsgi_param VHOSTTYPE ServiceToken;
+ # Improve performances
+--- a/doc/sources/admin/nodehandler.rst
++++ b/doc/sources/admin/nodehandler.rst
+@@ -67,8 +67,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+--- a/doc/sources/admin/ssoaas.rst
++++ b/doc/sources/admin/ssoaas.rst
+@@ -97,8 +97,8 @@
+ # Keep original request (LL::NG server will receive /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Set redirection parameters
+ fastcgi_param HTTPS_REDIRECT "$https";
+@@ -304,8 +304,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LL::NG server will received /lmauth)
+ fastcgi_param X_ORIGINAL_URI $original_uri;
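Review bot: the untouched context line `# Keep original request (LL::NG server will received /lmauth)` has a typo ("will received" for "will receive"); the same wording appears in the e2e-tests/test-nginx.conf hunk below, and since the adjacent lines are being rewritten anyway, both could be fixed in this patch.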
+--- a/e2e-tests/test-nginx.conf
++++ b/e2e-tests/test-nginx.conf
+@@ -16,8 +16,8 @@
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+- # Keep original hostname
+- fastcgi_param HOST $http_host;
++ # Prevent attacks on older Nginx versions (<1.29.5)
++ fastcgi_param HTTP_HOST $host;
+
+ # Keep original request (LLNG server will received /llauth)
+ fastcgi_param X_ORIGINAL_URI $request_uri;
+@@ -27,7 +27,7 @@
+ #uwsgi_pass 127.0.0.1:5000;
+ #uwsgi_pass_request_body off;
+ #uwsgi_param CONTENT_LENGTH "";
+- #uwsgi_param HOST $http_host;
++ #uwsgi_param HTTP_HOST $host;
+ #uwsgi_param X_ORIGINAL_URI $request_uri;
+ }
+
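An added check (not part of the bug report or of LemonLDAP::NG) for the change described in the [ Changes ] section: it scans an Nginx configuration for backend host parameters built from $http_host and for FastCGI/uWSGI locations that never set HTTP_HOST explicitly, which is the condition under which Nginx fills HTTP_HOST from the raw Host header. The brace handling is simplified (a `location ... {` per line, comments stripped at `#`) and the sample configuration is constructed to mirror the /lmauth location before and after the patch.

```python
import re

# Directives that hand a host name to the backend, and the names they set.
_PARAM_RE = re.compile(
    r'^\s*(fastcgi_param|uwsgi_param|proxy_set_header)\s+'
    r'(HOST|HTTP_HOST|X-Forwarded-Host)\s+(\S+?)\s*;', re.IGNORECASE)
_PASS_RE = re.compile(r'^\s*(fastcgi_pass|uwsgi_pass|proxy_pass)\s')
_LOCATION_RE = re.compile(r'^\s*location\s')

def audit(conf: str) -> list:
    """Return findings as 'line N: message' strings; an empty list means clean."""
    findings, block, depth = [], None, 0
    for no, line in enumerate(conf.splitlines(), 1):
        code = line.split('#', 1)[0]   # drop comments (assumes no '#' in quoted values)
        if _LOCATION_RE.match(code):   # remember where this location block opened
            block = {'start': no, 'backend': None, 'forced': False, 'depth': depth}
        depth += code.count('{') - code.count('}')
        m = _PASS_RE.match(code)
        if m and block is not None:
            block['backend'] = m.group(1)
        m = _PARAM_RE.match(code)
        if m:
            directive, name, value = m.groups()
            if '$http_host' in value.lower():
                findings.append(f'line {no}: {directive} {name} is built from $http_host; use $host')
            elif name.upper() == 'HTTP_HOST' and block is not None:
                block['forced'] = True  # explicit HTTP_HOST displaces the header-derived copy
        if block is not None and '}' in code and depth == block['depth']:
            if block['backend'] in ('fastcgi_pass', 'uwsgi_pass') and not block['forced']:
                findings.append(f"line {block['start']}: {block['backend']} location does not set "
                                'HTTP_HOST explicitly, so Nginx fills it from the raw Host header')
            block = None
    return findings

# Constructed samples mirroring the before/after state of the /lmauth location in the patch.
BEFORE = """location = /lmauth {
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    fastcgi_param X_ORIGINAL_URI $original_uri;
}
"""
AFTER = BEFORE.replace('HOST $http_host', 'HTTP_HOST $host')

if __name__ == '__main__':
    for finding in audit(BEFORE):
        print(finding)
```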