This is a security release: those using `AuthType oauth20` together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.
Security
- scrub headers for `AuthType oauth20`: when accessing paths protected with `AuthType oauth20`, no headers were scrubbed before mod_auth_openidc set its own headers, so malicious software/users could set `OIDC_CLAIM_*` and `OIDCAuthNHeader` headers that applications would interpret as set by mod_auth_openidc; this only works for headers that mod_auth_openidc does not itself set and overwrite.
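The header handling behind this fix, modelled as an added example (not mod_auth_openidc's own code): incoming `OIDC_CLAIM_*` and `OIDCAuthNHeader` headers have to be scrubbed before the module adds its own, otherwise a client-supplied header survives whenever the module does not overwrite it, such as a claim the token does not carry. The `OIDC_REMOTE_USER` authn header name, the request and the token claims are constructed for the example; header names are compared case-insensitively, as HTTP requires.

```python
# Added example (not mod_auth_openidc code): models header scrubbing on an
# AuthType oauth20 path before and after the fix described in this release.

CLAIM_PREFIX = "OIDC_CLAIM_"       # the default OIDCClaimPrefix
AUTHN_HEADER = "OIDC_REMOTE_USER"  # assumed OIDCAuthNHeader value


def scrub_headers(headers, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Drop every inbound header the module itself is responsible for setting."""
    prefix, authn = claim_prefix.lower(), authn_header.lower()
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(prefix) and name.lower() != authn}


def module_headers(claims, user, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Headers the module derives from the validated token (constructed model)."""
    out = {claim_prefix + name: str(value) for name, value in claims.items()}
    out[authn_header] = user
    return out


def headers_seen_by_app(request_headers, claims, user, scrubbed):
    """Header table the backend receives, keyed by lower-cased name because HTTP
    header names are case-insensitive. scrubbed=False models the pre-fix path:
    request headers pass through and are only overwritten where the module sets
    a header of the same name."""
    table = {name.lower(): value for name, value in request_headers.items()}
    if scrubbed:
        table = scrub_headers(table)
    table.update({n.lower(): v for n, v in module_headers(claims, user).items()})
    return table


# Constructed inbound request: the OIDC_* entries are client-supplied, not module-set.
REQUEST = {
    "Accept": "application/json",
    "OIDC_CLAIM_sub": "mallory",
    "oidc_claim_role": "admin",     # claim the token below does not contain
    "OIDC_REMOTE_USER": "root",
}
CLAIMS = {"sub": "alice", "scope": "read"}  # constructed validated-token claims


def client_controlled_headers(request_headers=REQUEST, claims=CLAIMS, user="alice"):
    """Names of headers the application would wrongly trust without scrubbing."""
    before = headers_seen_by_app(request_headers, claims, user, scrubbed=False)
    after = headers_seen_by_app(request_headers, claims, user, scrubbed=True)
    return sorted(name for name in before if name not in after)


if __name__ == "__main__":
    print("client-controlled without scrubbing:", client_controlled_headers())
```

Headers the module does set (`OIDC_CLAIM_sub`, the authn header) are overwritten in both cases; only the unscrubbed `oidc_claim_role` reaches the application with the client's value.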
Bugfixes
- handle `OIDCUnAuthAction` after the maximum session duration is exceeded; see #220; thanks @phybros
- fix parsing of `OIDCOAuthTokenExpiryClaim`; closes #225; thanks Alessandro Papacci
- correctly parse `kid` in `OIDCPublicKeyFiles` and `OIDCOAuthVerifyCertFiles`; thanks Alessandro Papacci
Other
- improve logging with regard to session management availability; closes #223
- handle only `X-Requested-With: XMLHttpRequest` as a non-browser request; closes #228; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java
- a call to the refresh hook now also resets the session inactivity timeout
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on `libhiredis-0.12`, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/