This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.6 from the releases page going forward:
Those using AuthType oauth20
together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.
Security
- scrub headers for
AuthType oauth20
On accessing paths protected with AuthType oauth20
no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_
and OIDCAuthNHeader
headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.