This is a security release :
AuthType openid-connect together with
OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.
On accessing paths protected with
OIDCUnAuthAction pass no headers would be scrubbed when a user is not authenticated, so malicious software/users could set
OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc even though the user has no authenticated session.
- fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- Centos 6 RPMs depend on
libhiredis-0.12now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/