release 2.1.6
This is a security release:
Those using `AuthType oauth20` together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.
Security
- scrub headers for `AuthType oauth20`
  On accessing paths protected with `AuthType oauth20`, no headers were scrubbed before mod_auth_openidc set its own headers. Malicious software or users could therefore supply their own `OIDC_CLAIM_*` and `OIDCAuthNHeader` headers, which applications would interpret as having been set by mod_auth_openidc. This only works for headers that mod_auth_openidc does not itself set and overwrite for that request, so a forged header for a claim the validated token does not carry is the case that gets through.
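The following is an added example, not code from mod_auth_openidc: a small model of the header path the fix changes. The client puts its own `OIDC_CLAIM_*` and authentication-header values on the request, the module then publishes headers only for the claims it actually validated, and the backend trusts whatever it receives. The prefix `OIDC_CLAIM_` comes from the release note; the header name `OIDC_REMOTE_USER`, the token claims and the client headers are constructed for the example.

```python
# Added example, not code from mod_auth_openidc: a model of the header path that
# the 2.1.6 fix changes. Without scrubbing first, any client-supplied identity
# header the module does not overwrite reaches the application looking as if the
# module had set it.

CLAIM_PREFIX = "OIDC_CLAIM_"       # default claim header prefix named in the release note
AUTHN_HEADER = "OIDC_REMOTE_USER"  # assumed value for OIDCAuthNHeader in this example


def _set_header(table, name, value):
    """Set a header case-insensitively, the way an httpd header table behaves:
    any existing variant of the same name is replaced, not duplicated."""
    stale = [existing for existing in table if existing.lower() == name.lower()]
    for existing in stale:
        del table[existing]
    table[name] = value


def scrub_headers(headers, prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Remove every inbound header the module is authoritative for, before the
    module writes its own. HTTP header names are case-insensitive, so the
    comparison is too; an exact-case scrub could be bypassed with oidc_claim_x."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(prefix.lower()) or lname == authn_header.lower():
            continue
        out[name] = value
    return out


def set_identity_headers(headers, claims, prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Module side: publish only the claims present in the validated token."""
    out = dict(headers)
    for name, value in claims.items():
        _set_header(out, prefix + name, str(value))
    if "sub" in claims:
        _set_header(out, authn_header, str(claims["sub"]))
    return out


def process_request(headers, claims, scrub):
    """scrub=False models the pre-2.1.6 oauth20 path; scrub=True the fixed one."""
    if scrub:
        headers = scrub_headers(headers)
    return set_identity_headers(headers, claims)


def app_is_admin(headers, prefix=CLAIM_PREFIX):
    """Backend that trusts the identity headers without knowing who set them."""
    lookup = {name.lower(): value for name, value in headers.items()}
    return lookup.get((prefix + "role").lower()) == "admin"


def app_user(headers, authn_header=AUTHN_HEADER):
    """Backend's view of the authenticated user."""
    lookup = {name.lower(): value for name, value in headers.items()}
    return lookup.get(authn_header.lower())


# Constructed sample: the bearer token is valid and belongs to "alice" with no
# role claim; the client additionally forges a role header and a user header.
TOKEN_CLAIMS = {"sub": "alice", "scope": "read"}
CLIENT_HEADERS = {
    "Host": "api.example.test",
    "Authorization": "Bearer <token>",
    "oidc_claim_role": "admin",    # not in the token, so nothing overwrites it
    "OIDC_REMOTE_USER": "bob",     # in the token, so the module overwrites it
}

if __name__ == "__main__":
    for scrub in (False, True):
        published = process_request(CLIENT_HEADERS, TOKEN_CLAIMS, scrub)
        print(f"scrub={scrub}: user={app_user(published)} admin={app_is_admin(published)}")
```

Run as is, the unscrubbed path reports `alice` as an admin because the forged `oidc_claim_role` survives while `OIDC_REMOTE_USER` is overwritten; the scrubbed path reports `alice` without the role. To check a deployed instance, send a request carrying a header such as `OIDC_CLAIM_role: admin` for a claim you know the token lacks and verify that the backend never sees it.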
Bugfixes
- handle `OIDCUnAuthAction` after max session duration is exceeded; see #220; thanks @phybros
- fix parsing of `OIDCOAuthTokenExpiryClaim`; closes #225; thanks Alessandro Papacci
- correctly parse `kid` in `OIDCPublicKeyFiles` and `OIDCOAuthVerifyCertFiles`; thanks Alessandro Papacci
Other
- improve logging wrt. session management availability; closes #223
- handle only `X-Requested-With: XMLHttpRequest` as a non-browser request; closes #228; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java
- a call to the refresh hook now also resets the session inactivity timeout
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on `libhiredis-0.12`, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/