
release 2.4.19.4


@zandbelt zandbelt released this 01 Jul 10:35

Security

  • state: fix an out-of-bounds read (and one-byte out-of-bounds write) in the state-cookie parser; a state-prefixed Cookie token without a "=" scanned past the end of the token buffer; stop the scan at the string terminator
  • util: parse Apache expressions with AP_EXPR_FLAG_RESTRICTED; the flags were combined with bitwise-AND instead of OR, which left them at zero and dropped the RESTRICTED flag, so expressions in directives that are valid in .htaccess (OIDCUnAuthAction, OIDCUserInfoClaimsExpr, OIDCPathScope, OIDCPathAuthRequestParams) were parsed unrestricted
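The state-cookie item above describes a scan for "=" inside a prefixed Cookie token that must stop at the string terminator. The following is an added illustration of that bounded scan, not mod_auth_openidc's own parser: it walks a Cookie header split on ";", and for a token carrying the state-cookie prefix looks for "=" only within that token's length (via memchr), so a prefixed token with no "=" is skipped rather than read past. The cookie-name prefix `mod_auth_openidc_state_` and the function name are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example (not the module's own code): copy the value of the first
 * cookie whose name starts with `prefix` into `out`, NUL-terminated.
 * Returns 1 on success, 0 when no well-formed state cookie is present or
 * the value does not fit in `out`.
 */
static int find_state_cookie(const char *cookie_header, const char *prefix,
                             char *out, size_t out_len)
{
    size_t plen = strlen(prefix);
    const char *tok = cookie_header;

    while (tok != NULL && *tok != '\0') {
        while (*tok == ' ')                 /* skip whitespace after ";" */
            tok++;

        /* end of this token: the next ";" or, for the last token, the NUL */
        const char *end = strchr(tok, ';');
        size_t tlen = end ? (size_t)(end - tok) : strlen(tok);

        if (tlen >= plen && strncmp(tok, prefix, plen) == 0) {
            /* bounded scan: look for "=" only inside this token's tlen bytes,
             * never beyond the terminator or into the next token */
            const char *eq = memchr(tok, '=', tlen);
            if (eq != NULL) {
                size_t vlen = (size_t)(tok + tlen - (eq + 1));
                if (vlen + 1 > out_len)
                    return 0;               /* value would not fit, incl. NUL */
                memcpy(out, eq + 1, vlen);
                out[vlen] = '\0';
                return 1;
            }
            /* prefixed token without "=": malformed, ignore it and move on */
        }
        tok = end ? end + 1 : NULL;
    }
    return 0;
}
```

The edge case the release note names is the second and third inputs in the usage below: a prefixed token with no "=" at the end of the header, and one followed by further cookies; both end the scan at the token boundary instead of overrunning.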

Bugfixes

  • proto: when copying authorization request parameters into a request object (copy_from_request / copy_and_remove_from_request), no longer interpret the values of parameters that the OpenID Connect/OAuth 2.0 specifications define as strings (e.g. client_id, scope, nonce, state) as JSON, so a numeric value of such a parameter can no longer change type into a JSON integer; values of other parameters (e.g. claims, max_age) are still decoded as JSON with a fallback to string
  • cache: copy the shm cache value out while holding the global lock instead of returning a pointer into the shared memory segment, so a concurrent set() in another process cannot tear the value after the lock is released
  • cache: return failure from the cache mutex lock/unlock helpers when the underlying APR mutex operation fails; they previously always returned TRUE, so the callers' lock-failure guards never triggered and the code could access the shared cache without holding the lock
  • proto: do not skip id_token signature validation for the "code" flow with algorithm "none" when an id_token signing algorithm has been pinned via OIDCIDTokenSignedResponseAlg; honor the pin and reject the unsigned token
  • cache: always hash the memcache key so it satisfies memcached's key constraints (length, no whitespace/control chars) regardless of the key contents or whether OIDCCacheEncrypt is enabled
  • cache: reject shm cache values at ">=" the available entry size so the NUL terminator always fits, removing reliance on struct alignment padding
  • cache: NUL-terminate the shm cache entry key explicitly after strncpy to avoid an in-struct over-read when a key hits the maximum length
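The three shm cache items above (copy the value out under the lock, reject values at ">=" the entry size, NUL-terminate the key after strncpy) share one fixed-size-entry pattern. The block below is an added example of that pattern, not the module's own cache code: the struct layout and the small KEY_MAX / VALUE_MAX limits are constructed for the example so the boundary cases are easy to exercise.

```c
#include <stddef.h>
#include <string.h>

/* Constructed fixed-size entry for the example (not the module's struct).
 * Both limits include the byte reserved for the NUL terminator. */
#define KEY_MAX 8
#define VALUE_MAX 16

typedef struct {
    char key[KEY_MAX];
    char value[VALUE_MAX];
} shm_entry_t;

/*
 * Store key/value into an entry. Returns 1 on success, 0 when the value
 * leaves no room for its terminator. The check is ">=" rather than ">":
 * a value of exactly VALUE_MAX bytes would fill the whole array and its
 * NUL would land in whatever follows (padding, the next field, or nothing),
 * which is the alignment-padding reliance the release note removes.
 */
static int shm_entry_set(shm_entry_t *e, const char *key, const char *value)
{
    if (strlen(value) >= VALUE_MAX)
        return 0;

    /* strncpy does not write a NUL when the source fills the array, so a
     * maximum-length key would make later strlen()/strcmp() over-read into
     * the value field; terminate explicitly after the copy. */
    strncpy(e->key, key, KEY_MAX);
    e->key[KEY_MAX - 1] = '\0';

    strcpy(e->value, value);            /* length already checked above */
    return 1;
}

/*
 * Copy the value out into the caller's private buffer. The caller holds the
 * global lock around this call and afterwards works only on `out`, never on
 * a pointer into the shared segment, so a concurrent set() in another process
 * cannot tear the value once the lock is released. Returns 1 on success,
 * 0 when `out` is too small.
 */
static int shm_entry_get_copy(const shm_entry_t *e, char *out, size_t out_len)
{
    size_t n = strlen(e->value);        /* safe: value is always terminated */
    if (n + 1 > out_len)
        return 0;
    memcpy(out, e->value, n + 1);
    return 1;
}
```

The usage below checks the two boundaries: a 15-byte value is accepted and a 16-byte value is rejected, and a key longer than the field is truncated but still terminated.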

Features

  • cfg: allow OIDCProviderUserInfoEndpoint to be set to an empty value to explicitly disable calling the UserInfo Endpoint, even when one is advertised in the Provider's metadata document; see #1390; thanks @drpuur
  • info: set Cache-Control: no-cache, no-store (and Pragma: no-cache) on the OIDCInfoHook response so the access/refresh/id token and session claims it may contain are not stored by the browser or an intermediary cache

Other

  • oauth: warn when an introspection response omits the RFC 7662 "active" member, since token validity then relies solely on the expiry claim
  • jose: enforce that the kid-selected key type matches the JWT/JWE algorithm on the kid lookup path too, not just the no-kid path (defense in depth against key/algorithm confusion; cjose already rejected the mismatch)
  • doc: correct the sample auth_openidc.conf with regard to the JWE/JWS algorithms
  • config: remove the JWE/JWS algorithms from the config primitive help texts so they cannot get out of sync; at startup the error message lists what is supported anyhow
  • test: use a long symmetric key to work against cjose >= 0.6.2.6

Commercial

  • redis-sentinel: support separate credentials for Sentinel vs. Redis with OIDCRedisCacheSentinelUsername and OIDCRedisCacheSentinelPassword
  • commercial subscription-based support for large enterprise businesses is available via sales@openidc.com
  • licensed binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 7, older Ubuntu and Debian distros, Oracle HTTP Server 12.x/14.x and IBM HTTP Server 9.x, are available under a commercial license and agreement via sales@openidc.com
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license and agreement via sales@openidc.com

The RPM packages below are signed with the following RSA PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=mlOy
-----END PGP PUBLIC KEY BLOCK-----