This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.5 from the releases page going forward.

Those using `AuthType openid-connect` together with `OIDCUnAuthAction pass` on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.
Security
- scrub headers on `OIDCUnAuthAction pass`; see #222

  On accessing paths protected with `OIDCUnAuthAction pass`, no headers would be scrubbed when a user is not authenticated, so malicious software/users could set `OIDC_CLAIM_*` and `OIDCAuthNHeader` headers that applications would interpret as set by mod_auth_openidc even though the user has no authenticated session.
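The scrubbing rule this fix restores, as an added Python model (not mod_auth_openidc's own code): every request, authenticated or not, has client-supplied `OIDC_CLAIM_*` and `OIDCAuthNHeader` headers removed before any trusted values are set from the server-side session. The `X-Remote-User` header name, the helper names and the sample request are assumptions constructed for the example; folding case and hyphen/underscore variants is a conservative choice of this model that goes beyond what the text states.

```python
# Added illustration of the scrub rule behind this fix; not mod_auth_openidc's
# own code. Helper names and the sample request below are constructed.

# Default prefix mod_auth_openidc puts on claim headers (OIDCClaimPrefix).
CLAIM_PREFIX = "OIDC_CLAIM_"

def _normalize(name):
    # Header names are case-insensitive and CGI-style environment mapping
    # folds '-' to '_', so treat "oidc-claim-sub" the same as "OIDC_CLAIM_sub".
    return name.upper().replace("-", "_")

def scrub_oidc_headers(headers, authn_header=None, claim_prefix=CLAIM_PREFIX):
    """Drop every client-supplied header an application would attribute to
    mod_auth_openidc: all <claim_prefix>* headers and, if configured, the
    OIDCAuthNHeader name. Must run for every request, authenticated or not."""
    prefix = _normalize(claim_prefix)
    authn = _normalize(authn_header) if authn_header else None
    kept = {}
    for name, value in headers.items():
        norm = _normalize(name)
        if norm.startswith(prefix) or (authn and norm == authn):
            continue  # spoofed or stale identity header: drop it
        kept[name] = value
    return kept

def handle_pass_through(headers, session_claims, authn_header="X-Remote-User"):
    """Model of a path under `OIDCUnAuthAction pass`: an unauthenticated request
    goes through with no identity headers at all; an authenticated one gets
    headers set only from the server-side session, after scrubbing.
    The authn_header default is a constructed example, not a module default."""
    clean = scrub_oidc_headers(headers, authn_header)
    if session_claims is None:
        return clean
    for claim, value in session_claims.items():
        clean[CLAIM_PREFIX + claim] = value
    clean[authn_header] = session_claims["sub"]
    return clean

# Constructed request: an unauthenticated client trying to assert an identity.
SPOOFED = {"Host": "app.example", "OIDC_CLAIM_sub": "alice",
           "oidc-claim-email": "alice@example.com", "X-Remote-User": "alice"}
```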
Bugfixes
- use `AUTHZ_DENIED` instead of `HTTP_UNAUTHORIZED` in `oidc_authz_checker`; see #135