Changelog for apache2-mod_auth_openidc-2.3.8-3.15.1.x86_64.rpm:
* Wed Jul 28 2021 danilo.spinella@suse.com
- Fix CVE-2021-32791: hardcoded static IV and AAD with a reused key in AES GCM encryption (CVE-2021-32791, bsc#1188849)
  * fix-CVE-2021-32791.patch
- Fix CVE-2021-32792: XSS when using OIDCPreservePost On (CVE-2021-32792, bsc#1188848)
  * fix-CVE-2021-32792-1.patch
  * fix-CVE-2021-32792-2.patch
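Why a hard-coded IV under a reused key is fatal for AES-GCM, as an added illustration of the CVE-2021-32791 entry above. This is not mod_auth_openidc code and makes no claim about how the module or the SUSE patch encrypts anything; it is a self-contained AES-128 block cipher plus GCM's counter-mode keystream (the GHASH tag is omitted because the property shown is keystream reuse). The key, the IV and the two messages are constructed for the demo. The static AAD named in the entry does not by itself break anything; the repeated IV does, because GCM's ciphertext body is plaintext XOR a keystream that depends only on the key and the IV.

```python
# Added example, not mod_auth_openidc code. Minimal AES-128 + GCM keystream;
# key, IV and messages below are constructed for the demonstration.

def _xtime(a):
    """Multiply a by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():
    """AES S-box: multiplicative inverse followed by the affine transformation."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(bytes(key))
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]  # SubBytes
        # ShiftRows on the column-major state: row r rotates left by r positions
        s = [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]
        if rnd != 10:  # MixColumns, skipped in the final round
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]  # AddRoundKey
    return bytes(s)

def gcm_keystream(key, iv, length):
    """GCM keystream for a 96-bit IV: E_K(IV || ctr), 32-bit big-endian ctr from 2."""
    if len(iv) != 12:
        raise ValueError("this demo only handles 96-bit IVs")
    out, ctr = b"", 2
    while len(out) < length:
        out += aes128_encrypt_block(key, iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gcm_encrypt_body(key, iv, plaintext):
    """Ciphertext part of AES-GCM; the authentication tag is not computed here."""
    return xor(plaintext, gcm_keystream(key, iv, len(plaintext)))

def recover_sibling_plaintext(known_plaintext, known_ciphertext, target_ciphertext):
    """Same (key, IV) => same keystream => c1 ^ c2 == p1 ^ p2, so whoever knows
    one plaintext reads the other without ever touching the key."""
    n = min(len(known_plaintext), len(target_ciphertext))
    return xor(xor(known_plaintext[:n], known_ciphertext[:n]), target_ciphertext[:n])

# Constructed demo values: one long-lived key and a hard-coded IV, the vulnerable pattern.
KEY = bytes(range(16))
STATIC_IV = b"static-iv-00"
P1 = b"user=alice; role=viewer"
P2 = b"user=bob;   role=admin "
C1 = gcm_encrypt_body(KEY, STATIC_IV, P1)
C2 = gcm_encrypt_body(KEY, STATIC_IV, P2)

if __name__ == "__main__":
    print("c1 ^ c2 == p1 ^ p2:", xor(C1, C2) == xor(P1, P2))
    print("recovered without the key:", recover_sibling_plaintext(P1, C1, C2))
```

The block checks itself against the FIPS-197 AES-128 vector and NIST GCM test case 2, so the keystream it derives is the real one. Beyond the plaintext leak shown here, a repeated IV also exposes GCM's hash subkey H from two tagged messages, which lets an attacker forge tags; the fix is a fresh random or counter-derived 96-bit IV per encryption under a given key.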
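What "XSS when using OIDCPreservePost On" means in practice, as an added illustration that is not mod_auth_openidc's implementation. A module that preserves a POST across the OpenID Connect redirect has to replay that body afterwards; the demo assumes the common mechanism of an auto-submitting HTML form built from the original parameters, which is where unescaped user data turns into reflected XSS. The field names, the attack body and the form action are constructed.

```python
# Added example, not mod_auth_openidc code. Models a generic "preserve POST"
# replay page; the mechanism and all sample data are assumptions for the demo.
import html
from urllib.parse import parse_qsl

AUTOSUBMIT = '<script>document.getElementById("replay").submit();</script>'

def parse_post_body(body):
    """application/x-www-form-urlencoded body -> list of (name, value) pairs."""
    return parse_qsl(body, keep_blank_values=True)

def render_replay_form_unsafe(action, fields):
    """Vulnerable pattern: names and values are interpolated verbatim, so a value
    containing '">' closes the attribute and injects arbitrary markup."""
    inputs = "".join(f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields)
    return f'<form id="replay" method="post" action="{action}">{inputs}</form>{AUTOSUBMIT}'

def _esc(s):
    """Escape for HTML attribute context: & < > " and ' are all neutralised."""
    return html.escape(s, quote=True)

def render_replay_form(action, fields):
    """Hardened: every attacker-controlled string is escaped before it reaches the page."""
    inputs = "".join(f'<input type="hidden" name="{_esc(k)}" value="{_esc(v)}">' for k, v in fields)
    return f'<form id="replay" method="post" action="{_esc(action)}">{inputs}</form>{AUTOSUBMIT}'

def injects_markup(page, marker="<script>alert(1)</script>"):
    """True if the attacker's tag survives into the page as live markup."""
    return marker in page

# Constructed attack body: the "comment" value breaks out of the value="" attribute.
ATTACK_BODY = "comment=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&next=%2Fhome"
FIELDS = parse_post_body(ATTACK_BODY)

if __name__ == "__main__":
    print("unsafe page injects:", injects_markup(render_replay_form_unsafe("/app/submit", FIELDS)))
    print("hardened page injects:", injects_markup(render_replay_form("/app/submit", FIELDS)))
```

Escaping must match the context the data lands in: attribute escaping as above for form inputs, or JSON encoding with `</` turned into `<\/` if the parameters are instead embedded inside a `<script>` block. The form action is a redirect target in its own right and should pass the same allow-list check as any other return URL.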
* Fri Jul 23 2021 danilo.spinella@suse.com
- Fix CVE-2021-32785: format string bug via hiredis (CVE-2021-32785, bsc#1188638)
  * fix-CVE-2021-32785.patch
- Fix CVE-2021-32786: open redirect in logout functionality (CVE-2021-32786, bsc#1188639)
  * fix-CVE-2021-32786.patch
- Refresh apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
* Thu Apr 01 2021 pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]
* Wed Mar 04 2020 kstreitova@suse.com
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix an open redirect issue that exists in URLs with a slash and backslash at the beginning [bsc#1164459], [CVE-2019-20479]
* Wed Oct 30 2019 kstreitova@suse.com
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix an open redirect issue that exists in URLs with trailing slashes [bsc#1153666], [CVE-2019-14857]
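Three of the entries above (CVE-2021-32786, CVE-2019-20479, CVE-2019-14857) are open redirects in the validation of a user-supplied return URL. The following added example is not mod_auth_openidc's validator and is not a reconstruction of those patches; it shows the general shape of the problem: a string-prefix check is bypassed by hosts that merely start with the expected origin, and a URL parser that differs from the browser's is bypassed by the `//host` and `/\host` forms named in the changelog. The allow-list and every sample URL are constructed.

```python
# Added example, not mod_auth_openidc code. Generic return-URL validation;
# the allow-list and sample targets are constructed for the demonstration.
from urllib.parse import urlsplit

def naive_prefix_check(target, own_host):
    """Weak pattern: accept anything that starts with our own origin string."""
    return target.startswith("https://" + own_host)

def is_safe_redirect(target, allowed_hosts):
    """Accept only an absolute same-site path or an http(s) URL whose host is
    exactly one of allowed_hosts (lower-case names)."""
    if not target:
        return False
    # Browsers treat "\" as "/" and drop C0 controls and spaces during URL
    # parsing; urlsplit does not. Refuse such input instead of emulating clients.
    if "\\" in target or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require one leading "/" only. A scheme-relative
        # "//host" has a netloc and never lands here; "///host" does, and
        # browsers resolve it to a foreign origin, so the "//" prefix is refused.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "") in allowed_hosts  # exact host match, not a prefix

ALLOWED = {"app.example.com"}  # constructed allow-list

if __name__ == "__main__":
    for t in ("/account", "https://app.example.com/bye", "//evil.net/", "/\\evil.net/",
              "https://app.example.com.evil.net/", "https://app.example.com@evil.net/"):
        print(f"{t!r}: naive={naive_prefix_check(t, 'app.example.com')} strict={is_safe_redirect(t, ALLOWED)}")
```

The two rejection rules that do the real work are the exact host comparison after parsing and the early refusal of backslashes and control characters: `https://evil.net\@app.example.com/` parses as host `app.example.com` in Python but as `evil.net` in a browser, and no amount of post-parse checking fixes a parser mismatch.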
* Fri Nov 09 2018 kstreitova@suse.com
- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires
* Tue Oct 30 2018 kstreitova@suse.com
- update to 2.3.8
- changes in 2.3.8
  * fix return result FALSE when JWT payload parsing fails
  * add LGTM code quality badges
  * fix 3 LGTM alerts
  * improve auto-detection of XMLHttpRequests via Accept header
  * initialize test_proto_authorization_request properly
  * add sanity check on provider->auth_request_method
  * allow usage with LibreSSL
  * don't return content with 503 since it will turn the HTTP status code into a 200
  * add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies
  * make the default maximum number of parallel state cookies 7 instead of unlimited
  * fix using access token as endpoint auth method in introspection calls
  * fix reading access_token from POST parameters when combined with `AuthType auth-openidc`
- changes in 2.3.7
  * abort when string length for remote user name substitution is larger than 255 characters
  * fix Redis concurrency issue when used with multiple vhosts
  * add support for authorization server metadata with OIDCOAuthServerMetadataURL as in RFC 8414
  * refactor session object creation
  * clear session cookie and contents if cache corruption is detected
  * use apr_pstrdup when setting r->user
  * reserve 255 characters in remote username substitution instead of 50
- changes in 2.3.6
  * add check to detect session cache corruption for server-based caches and cached static metadata
  * avoid using pipelining for Redis
  * send Basic header in OAuth www-authenticate response if that's the only accepted method; thanks @puiterwijk
  * refactor Redis cache backend to solve issues on AUTH errors: a) memory leak and b) redisGetReply lagging behind
  * adjust copyright year/org
  * fix buffer overflow in shm cache key set strcpy
  * turn missing session_state from warning into a debug statement
  * fix missing "return" on error return from the OP
  * explicitly set encryption kid so we're compatible with cjose >= 0.6.0
- changes in 2.3.5
  * fix encoding of preserved POST data
  * avoid buffer overflow in shm cache key construction
  * compile with LibreSSL
* Fri Apr 27 2018 vcizek@suse.com
- update to 2.3.4
- requested in fate#323817
* Wed Dec 13 2017 christof.hanke@mpcdf.mpg.de
- initial packaging