release 2.1.5
This is a security release:
Deployments using AuthType openid-connect together with OIDCUnAuthAction pass on paths whose content depends on the authenticated user are affected and should upgrade.
Security
- scrub headers on OIDCUnAuthAction pass; closes #222; thanks @wouterhund
On paths protected with OIDCUnAuthAction pass, no headers were scrubbed when the user was not authenticated, so malicious software or users could send OIDC_CLAIM_* and OIDCAuthNHeader headers of their own that applications would interpret as having been set by mod_auth_openidc, even though there was no authenticated session. As of this release the inbound headers are scrubbed on such paths regardless of whether a session exists, so an application behind them only sees these headers when the module itself set them.
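The following is an added example that models the behaviour described above; it is illustrative Python, not mod_auth_openidc's own C code. The header names (the default OIDC_CLAIM_ prefix, X-Remote-User standing in for the OIDCAuthNHeader value) and the CGI-style name normalisation are assumptions made for the demonstration. It contrasts a pass-through path that only scrubs when a session exists (the pre-2.1.5 behaviour) with one that scrubs unconditionally, and shows what a backend that trusts those headers would conclude in each case.

```python
# Added example: models the header-scrubbing fix on OIDCUnAuthAction pass
# paths. Not mod_auth_openidc code. Header names and the normalisation rule
# below are assumptions for the demo.

CLAIM_PREFIX = "OIDC_CLAIM_"  # assumed default OIDCClaimPrefix


def _canon(name: str) -> str:
    """Normalise a header name the way CGI/WSGI environments do.

    Backends frequently read claims as HTTP_OIDC_CLAIM_SUB-style variables,
    where the name is upper-cased and '-' becomes '_', so a forged
    'oidc-claim-sub' would collide with the module's 'OIDC_CLAIM_sub'.
    Scrubbing therefore compares canonical forms (an assumption of this demo).
    """
    return name.strip().upper().replace("-", "_")


def scrub_headers(headers: dict, authn_header: str) -> dict:
    """Drop every inbound header an app might mistake for module output."""
    drop_prefix = _canon(CLAIM_PREFIX)
    drop_authn = _canon(authn_header)
    return {
        k: v
        for k, v in headers.items()
        if not _canon(k).startswith(drop_prefix) and _canon(k) != drop_authn
    }


def _set_identity(headers: dict, claims: dict, authn_header: str) -> dict:
    """Populate the claim headers and the authn header from a real session."""
    out = dict(headers)
    for claim, value in claims.items():
        out[CLAIM_PREFIX + claim] = value
    out[authn_header] = claims["sub"]
    return out


def forward_vulnerable(headers, claims, authn_header="X-Remote-User"):
    """Pre-2.1.5 model: scrubbing only happened while setting the identity,
    so with no session (claims is None) the client's headers went through."""
    if claims is None:
        return dict(headers)
    return _set_identity(scrub_headers(headers, authn_header), claims, authn_header)


def forward_fixed(headers, claims, authn_header="X-Remote-User"):
    """2.1.5 model: scrub first in every case, then set the identity only
    when there is an authenticated session."""
    clean = scrub_headers(headers, authn_header)
    if claims is None:
        return clean
    return _set_identity(clean, claims, authn_header)


def app_identity(headers, authn_header="X-Remote-User"):
    """What a backend that trusts the module's headers believes the user is."""
    for k, v in headers.items():
        if _canon(k) == _canon(authn_header):
            return v
    return None


# Constructed request from an unauthenticated client forging identity headers.
FORGED = {
    "Host": "app.example",
    "X-Remote-User": "admin",
    "oidc-claim-sub": "admin",
    "OIDC_CLAIM_email": "admin@example",
}

if __name__ == "__main__":
    print("vulnerable:", app_identity(forward_vulnerable(FORGED, None)))  # admin
    print("fixed:     ", app_identity(forward_fixed(FORGED, None)))       # None
```

The point a backend author should take from this: on a pass path the claim headers are only meaningful because the module removes what the client sent, so an application must never accept them from a front end that is not doing that scrubbing.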
Bugfixes
- fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on libhiredis-0.12, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/