Skip to content

release 2.1.6

Compare
Choose a tag to compare
@zandbelt zandbelt released this 20 Feb 16:49
· 1159 commits to master since this release

This is a security release :

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

  • scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.

Bugfixes

  • handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
  • fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
  • correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci

Other

  • improve logging wrt. session management availability; closes #223
  • handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
  • improve error message on state timeout; closes #226; thanks @security4java
  • a call to the refresh hook now also resets the session inactivity timeout

Packaging Notes