The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations, which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Security
- fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is supplied, see the advisory; thanks @olipo186
Bugfixes
- rewrite handling of parallel refresh token grant requests
  - temporarily cache the results of the refresh token grant for other (almost) parallel callers
  - fixes handling on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  - improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
- avoid crash when the Forwarded header is not present but OIDCXForwardedHeaders Forwarded is configured for it; see #1171; thanks @daviddpd
- set the Redis default retry interval to 300 milliseconds (instead of 0.5ms) and make it configurable
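The parallel refresh token grant handling described under Bugfixes, as an added illustration in Python that is not mod_auth_openidc's own code: a short-lived cached result plus a best-effort lock in a shared cache (here a constructed in-memory stand-in for Redis) so that (almost) parallel callers presenting the same refresh token trigger a single token endpoint call, with a fallback to an own grant if the lock holder never publishes a result. All names, TTLs and the fake token endpoint are assumptions.

```python
import threading
import time

class SharedCache:  # constructed stand-in for a shared cache (e.g. Redis) with key expiry
    def __init__(self):
        self._d, self._m = {}, threading.Lock()
    def _live(self, key):  # value if present and not expired, else None
        v = self._d.get(key)
        return v[0] if v and v[1] > time.monotonic() else None
    def get(self, key):
        with self._m:
            return self._live(key)
    def set(self, key, value, ttl, nx=False):  # nx=True mimics Redis SET NX EX
        with self._m:
            if nx and self._live(key) is not None:
                return False
            self._d[key] = (value, time.monotonic() + ttl)
            return True

def refresh_once(cache, rt, token_endpoint, result_ttl=2.0, lock_ttl=5.0, wait=3.0):
    """Run the refresh token grant for rt at most once per result_ttl window."""
    result_key, lock_key = "refresh:result:" + rt, "refresh:lock:" + rt
    tokens = cache.get(result_key)
    if tokens is not None:  # a recent grant for this token: reuse its result
        return tokens
    if cache.set(lock_key, "1", lock_ttl, nx=True):  # best-effort distributed lock
        tokens = cache.get(result_key) or token_endpoint(rt)  # re-check after locking
        cache.set(result_key, tokens, result_ttl)
        cache.set(lock_key, None, 0)  # release the lock by expiring it immediately
        return tokens
    deadline = time.monotonic() + wait  # lock held elsewhere: poll for its result
    while time.monotonic() < deadline:
        tokens = cache.get(result_key)
        if tokens is not None:
            return tokens
        time.sleep(0.01)
    return token_endpoint(rt)  # lock holder vanished: fall back to our own grant

def simulate_parallel_callers(n=8):
    """n threads refresh the same token at once; returns (endpoint calls, results)."""
    cache, calls, results = SharedCache(), [], []
    def fake_token_endpoint(rt):  # constructed OP endpoint, non-rollover refresh token
        calls.append(rt)
        time.sleep(0.05)  # simulated network latency, long enough for callers to overlap
        return {"access_token": "at-constructed", "refresh_token": rt}
    threads = [threading.Thread(target=lambda: results.append(
        refresh_once(cache, "rt-constructed", fake_token_endpoint))) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(calls), results
```

With eight near-simultaneous callers the fake token endpoint is hit once and every caller receives the same token response; a caller that finds a stale lock with no result falls back to its own grant after the wait.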
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on PowerPC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com