Release release 1.8.10.3 · OpenIDC/mod_auth_openidc

This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.6 from the releases page going forward:

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

release 1.8.10.3

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Uh oh!