
release 1.8.10.2

@zandbelt released this 03 Feb 16:59 · 1 commit to v1.8.x since this release

This is a security maintenance/backport release for the Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general, one should use >= 2.1.5 from the releases page going forward.

Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.

Security

  • scrub headers on OIDCUnAuthAction pass; see #222

On paths protected with OIDCUnAuthAction pass, no headers were scrubbed when the user was not authenticated, so malicious software or users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as having been set by mod_auth_openidc, even though the user had no authenticated session.
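The following is an added illustration, not mod_auth_openidc's own code: a small Python model of the header-forwarding step described above. The "vulnerable" variant scrubs module-style headers only when a session exists, so on an OIDCUnAuthAction pass path an unauthenticated client's forged OIDC_CLAIM_ and OIDCAuthNHeader headers reach the application; the "fixed" variant scrubs inbound module-style headers unconditionally and only then adds headers derived from a verified session. The header name REMOTE_USER_X (standing in for whatever OIDCAuthNHeader is configured to), the use of the sub claim as the authenticated user name, and the forged request are assumptions constructed for the example.

```python
"""Model of header scrubbing on an OIDCUnAuthAction pass path.

Added example; this is NOT the module's code. It only models the
behaviour the release note describes so the difference between
"scrub when authenticated" and "always scrub" can be tested offline.
"""
from typing import Dict, Optional

CLAIM_PREFIX = "OIDC_CLAIM_"   # prefix the module uses for claim headers
AUTHN_HEADER = "REMOTE_USER_X"  # assumed OIDCAuthNHeader value for this example


def _is_module_header(name: str) -> bool:
    """True if the header is one the auth module itself would set.

    Header names are case-insensitive, so compare in upper case; a client
    sending 'oidc_claim_sub' must be treated the same as 'OIDC_CLAIM_sub'.
    """
    upper = name.upper()
    return upper.startswith(CLAIM_PREFIX) or upper == AUTHN_HEADER.upper()


def scrub_inbound(headers: Dict[str, str]) -> Dict[str, str]:
    """Remove every client-supplied header that looks like module output."""
    return {k: v for k, v in headers.items() if not _is_module_header(k)}


def session_headers(session: Dict) -> Dict[str, str]:
    """Headers derived from a verified session (the only trusted source)."""
    out = {CLAIM_PREFIX + claim: value for claim, value in session["claims"].items()}
    out[AUTHN_HEADER] = session["claims"]["sub"]  # assumed: sub is the remote user
    return out


def forward_vulnerable(headers: Dict[str, str], session: Optional[Dict]) -> Dict[str, str]:
    """Pre-fix behaviour (modelled): scrubbing happens only on the
    authenticated path, so an unauthenticated 'pass' request is forwarded
    untouched, forged module headers included."""
    if session is None:
        return dict(headers)  # defect: nothing is scrubbed here
    out = scrub_inbound(headers)
    out.update(session_headers(session))
    return out


def forward_fixed(headers: Dict[str, str], session: Optional[Dict]) -> Dict[str, str]:
    """Fixed behaviour (modelled): always scrub inbound module-style headers,
    then add headers only from the verified session, if there is one."""
    out = scrub_inbound(headers)
    if session is not None:
        out.update(session_headers(session))
    return out


def app_sees_identity(forwarded: Dict[str, str]) -> Optional[str]:
    """What a backend that trusts the authn header takes as the user."""
    return forwarded.get(AUTHN_HEADER)


# Constructed request from an unauthenticated client impersonating "admin".
FORGED_REQUEST = {
    "Host": "app.example",
    "Accept": "text/html",
    "OIDC_CLAIM_sub": "admin",
    "oidc_claim_email": "admin@example.com",  # lower case to test case handling
    "REMOTE_USER_X": "admin",
}

# Constructed verified session for a legitimate user.
ALICE_SESSION = {"claims": {"sub": "alice", "email": "alice@example.com"}}


if __name__ == "__main__":
    print("vulnerable, no session ->", app_sees_identity(forward_vulnerable(FORGED_REQUEST, None)))
    print("fixed, no session      ->", app_sees_identity(forward_fixed(FORGED_REQUEST, None)))
    print("fixed, alice session   ->", forward_fixed(FORGED_REQUEST, ALICE_SESSION))
```

The point the model makes is that scrubbing must not be tied to the authentication outcome: on a pass path the application cannot tell a module-set header from a client-set one, so the only safe behaviour is to strip anything in the module's namespace before the request is forwarded, whether or not a session exists.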

Bugfixes

  • use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; see #135