github OpenIDC/mod_auth_openidc v2.4.19.3
release 2.4.19.3
on GitHub

4 hours ago

The 2.4.19.x versions use a backwards incompatible session format so existing sessions (created by versions <=2.4.18.x) are invalid.

Bugfixes

  • proto: add scope=openid to the authorization request when passing a Request Object by reference (request_uri) as defined by spec; see #1385; thanks @gueuselambix and @hjmikkon
  • config: fix intermittent core dumps on a large number of (first) incoming parallel requests after startup in threaded MPM environments
  • code: fix a memory leak in oidc_metadata_jwks_retrieve_and_cache when JSON validation fails
  • http: skip cookies that are only whitespace after the leading-space strip and avoid leaving a malformed segment in the forwarded Cookie header
  • metrics: switch _oidc_metrics_thread_exit to a volatile apr_uint32_t accessed via apr_atomic_read32/set32 and avoid strand the post-join cleanup
  • util: guard oidc_util_rand_int with a mod==0 short-circuit - to avoid division by zero - and rejection-sample before reducing modulo so v % mod is uniformly distributed
  • userinfo: skip the DPoP-nonce retry path for non-DPoP token types to avoid dereference NULL inside apr_hash_get and crash the worker
  • config: validate format specifiers (only %% and exactly two/one %s) in oidc_util_html_send_in_template so a stray %s in custom templates configured with OIDCPreservePostTemplates) can't crash or corrupt memory

Security

  • code: fix >25 cases of potential string/URL matching attacks, XSS attacks, buffer overload etc.
  • config: fix low-risk - insider admin attack based- security vulnerabilities
  • log: do not log refresh tokens at warn/error levels

Other

  • code: cast curl timeouts in options to long to avoid compiler warnings
  • code: address the majority of SonarCloud quality gate issues with Claude Code 2.1.15x Opus 4.7+4.8
  • test: re-factor the framework and add more unit tests
  • build: conditionally add --coverage to AM_LDFLAGS in Makefile.am
  • dist: add package for Ubuntu Resolute Racoon

Commercial

  • commercial subscription based support for large enterprise businesses is available via sales@openidc.com
  • licensed binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 7, older Ubuntu and Debian distros, Oracle HTTP Server 12.x/14.x and IBM HTTP Server 9.x, are available under a commercial license and agreement via sales@openidc.com
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license and agreement via sales@openidc.com

The RPM packages below are signed with the following RSA PGP key: 

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGh53lgBCADCyoOkfnE5h5rBLlf02oFpI/z2vUXK5W4T56xnNPu0/iIOxbBk
YX9rSypZFhfjv28lhGgelWEg28Ab/Yxs6l0obCgDEuFUDQ5Dv+N+YSMy67vtLwYW
9LM5p9fMN9bXOa62PwvtzRzh+xRyRBcIfMacGJC+SqUK6QhzC0lNwCsr1OaWjzon
mkaodwrloNMxEZVvFn63PvuQDZ3wwQty+0XpYiiChMssGBn6nmPDQJ7pDtQDkhfD
Z5FKY6K7AQJ4fneiVCLGngPBwTXBGcfWa+Y0HCS2ghQwDO6jYXd5GjowVDTjfMK3
QJ3e26Ox9X3V0Fl04R1i5EthEkAWGfy1lksvABEBAAG0HU9wZW5JREMgPHN1cHBv
cnRAb3BlbmlkYy5jb20+iQFRBBMBCgA7FiEEFdjWJA1IGDkAITSxnyZY1L0OSOMF
Amh53lgCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQnyZY1L0OSONG
Jgf+II0wG96R0g28Kp+R4AYzSdX0CEqr6OhwHHw4cFpLsHxZNhojo7I4OnLKEdfc
lFl37rE+hG3QpzD/b4S/fpPjd4hcLkguBQxtdxqZZVAIT8HWbveHRkI8MNnjOPwv
Hy6jBncMs1IT/URV2si/Q34+PLo8tvo/lXNa16svVl2DoYXO8MCszgCE1bx055EF
XPh4Teu5Y4OLHECSicMxrmN746dAD121zy4bLLx9mZ0erhLjvkj1vkFmlHFKyvwY
/pbSqXs9hW/wweW1oQ/xEIJWWS71PeoutUBjr0WC4sILnR5PBPZplgNh297Qex6g
qaW3io0tCH9KxU1tXYn/iL/hbQ==
=mlOy
-----END PGP PUBLIC KEY BLOCK-----
Check out latest releases or
releases around OpenIDC/mod_auth_openidc v2.4.19.3

Don't miss a new mod_auth_openidc release

NewReleases is sending notifications on new releases.

Get notifications