@zandbelt zandbelt released this Jan 30, 2017 · 360 commits to master since this release

This is a security release:

Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.

Security

When a path protected with OIDCUnAuthAction pass was accessed without an authenticated session, no headers were scrubbed, so malicious software or users could set OIDC_CLAIM_* headers and the OIDCAuthNHeader header themselves; applications would interpret those headers as having been set by mod_auth_openidc even though the user has no authenticated session.
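The failure mode above is a general one for any reverse proxy that conveys identity to a backend through request headers: if inbound headers in the trusted namespace are not removed on requests the proxy did not authenticate, the client can write them itself. The following is an added, constructed model of that scrubbing step and is not mod_auth_openidc's own code; the header names (the `OIDC_CLAIM_` prefix and a hypothetical `X-Remote-User` as the configured OIDCAuthNHeader), the `session` structure and the sample request are assumptions for the example.

```python
"""Model of trusted-header scrubbing for unauthenticated pass-through requests.

Constructed example, not mod_auth_openidc's own code. It models the behaviour
described in the release notes: headers that the backend application trusts as
having been set by the module must be removed from the inbound request before it
is passed on when there is no authenticated session.
"""

CLAIM_PREFIX = "OIDC_CLAIM_"  # namespace the backend trusts for claims


def scrub_inbound_headers(headers, authn_header):
    """Return a copy of `headers` with every client-supplied value in the trusted
    namespace removed: anything under OIDC_CLAIM_* and the configured
    authentication header (the OIDCAuthNHeader equivalent).

    Matching is case-insensitive because HTTP header names are, so a client
    sending 'oidc_claim_email' is stripped just like 'OIDC_CLAIM_email'.
    """
    scrubbed = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(CLAIM_PREFIX.lower()):
            continue
        if authn_header and lname == authn_header.lower():
            continue
        scrubbed[name] = value
    return scrubbed


def forward_headers(headers, session, authn_header, scrub=True):
    """Compute the headers the backend application receives.

    `session` is None for an unauthenticated request (the OIDCUnAuthAction pass
    case); otherwise it is a dict with 'user' and 'claims' taken from the
    authenticated session. `scrub=False` models the vulnerable behaviour, where
    inbound headers were passed through untouched when no session existed.
    """
    out = scrub_inbound_headers(headers, authn_header) if scrub else dict(headers)
    if session is not None:
        # Only values from the proxy-held session may populate the trusted namespace.
        for claim, value in session["claims"].items():
            out[CLAIM_PREFIX + claim] = value
        if authn_header:
            out[authn_header] = session["user"]
    return out


def backend_identity(headers, authn_header):
    """What a backend that trusts the proxy would take as the caller's identity."""
    return headers.get(authn_header) or headers.get(CLAIM_PREFIX + "sub")


# Constructed inbound request: an unauthenticated client forging trusted headers.
SPOOFED_REQUEST = {
    "Host": "app.example",
    "OIDC_CLAIM_sub": "admin",
    "oidc_claim_email": "admin@example",
    "X-Remote-User": "admin",
}

if __name__ == "__main__":
    vulnerable = forward_headers(SPOOFED_REQUEST, None, "X-Remote-User", scrub=False)
    fixed = forward_headers(SPOOFED_REQUEST, None, "X-Remote-User")
    print("vulnerable backend sees:", backend_identity(vulnerable, "X-Remote-User"))
    print("scrubbed backend sees:  ", backend_identity(fixed, "X-Remote-User"))
```

Run stand-alone, the script shows the unscrubbed path handing the backend the forged identity and the scrubbed path handing it none. The design point is that the scrub runs unconditionally on inbound headers, before any session values are added, so the trusted namespace can only ever be populated from proxy-side state.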

Bugfixes

  • fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros

Packaging Notes
