OpenIDC/mod_auth_openidc v2.1.6

release 2.1.6

on GitHub

This is a security release :

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

• scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.

Bugfixes

• handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
• fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
• correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci

Other

• improve logging wrt. session management availability; closes #223
• handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
• improve error message on state timeout; closes #226; thanks @security4java
• a call to the refresh hook now also resets the session inactivity timeout

Packaging Notes

• Accompanying libcjose packages can be found in the 2.1.3 release
• Ubuntu Wily packages can also be used on Xenial and Yakkety
• Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/