This is a security release: those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.
Security
- scrub headers on OIDCUnAuthAction pass; closes #222; thanks @wouterhund
On paths protected with OIDCUnAuthAction pass, no headers were scrubbed when the user was not authenticated. A malicious client could therefore send its own OIDC_CLAIM_* headers and the header named by OIDCAuthNHeader, and an application behind mod_auth_openidc would interpret them as having been set by the module, even though no authenticated session exists. Any backend that trusts these headers (e.g. to decide which user's data to show) is exposed on such paths until the upgrade is applied.
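The following is an added example, not code from mod_auth_openidc: a small Python model of the request path that contrasts the pre-fix behaviour (client headers passed through untouched on a pass path) with the fixed behaviour (module-owned headers scrubbed before the request reaches the application). The authentication header name X-Remote-User, the helper names, and the forged request are assumptions constructed for illustration.

```python
# Added example modelling the header-scrubbing fix; NOT mod_auth_openidc code.
# Header names below (X-Remote-User as the OIDCAuthNHeader value), helper names
# and the forged request are assumptions constructed for illustration.
from typing import Dict, Optional, Tuple

CLAIM_PREFIX = "oidc_claim_"  # the module passes claims to the app as OIDC_CLAIM_<name>


def is_module_header(name: str, authn_header: Optional[str]) -> bool:
    """True for any header the module itself sets, which a client must not supply."""
    lname = name.lower()  # HTTP header names are case-insensitive
    if lname.startswith(CLAIM_PREFIX):
        return True
    return authn_header is not None and lname == authn_header.lower()


def scrub_headers(headers: Dict[str, str], authn_header: Optional[str]) -> Dict[str, str]:
    """Drop every client-supplied header that the module would otherwise own."""
    return {k: v for k, v in headers.items() if not is_module_header(k, authn_header)}


def handle_request(
    client_headers: Dict[str, str],
    session: Optional[Dict[str, str]],
    unauth_action: str,
    authn_header: Optional[str] = "X-Remote-User",
    scrub_on_pass: bool = True,
) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers the backend application sees).

    session holds the claims of an authenticated session, or None if there is
    none. scrub_on_pass=False reproduces the pre-fix behaviour for 'pass'.
    """
    if session is not None:
        # Authenticated: always scrub, then set the module's own headers.
        out = scrub_headers(client_headers, authn_header)
        for claim, value in session.items():
            out[f"OIDC_CLAIM_{claim}"] = value
        if authn_header:
            out[authn_header] = session.get("sub", "")
        return 200, out
    if unauth_action == "pass":
        # Pre-fix: client headers went through untouched. Fixed: scrub first.
        out = scrub_headers(client_headers, authn_header) if scrub_on_pass else dict(client_headers)
        return 200, out
    if unauth_action == "401":
        return 401, {}
    return 302, {}  # default action: redirect to the provider to authenticate


# Constructed request from an unauthenticated client impersonating a user.
FORGED = {
    "Host": "app.example.com",
    "oidc_claim_sub": "alice@example.com",  # mixed case to exercise case-insensitivity
    "OIDC_CLAIM_email": "alice@example.com",
    "X-Remote-User": "alice@example.com",
    "Accept": "text/html",
}


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Headers the backend sees before and after the fix on a 'pass' path."""
    _, vuln = handle_request(FORGED, None, "pass", scrub_on_pass=False)
    _, fixed = handle_request(FORGED, None, "pass", scrub_on_pass=True)
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("pre-fix backend sees:", sorted(vuln))
    print("fixed backend sees:  ", sorted(fixed))
```

The same probe works against a live deployment: send a request carrying an OIDC_CLAIM_sub header and the OIDCAuthNHeader name to a pass-protected path without a session, and confirm that the backend never receives them; if it does, the server is still running a vulnerable version.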
Bugfixes
- fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on libhiredis-0.12, available e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/