File apache2-mod_auth_openidc.changes of Package apache2-mod_auth_openidc.14258

Wed Mar  4 14:03:33 UTC 2020 - Kristyna Streitova <>

- add apache2-mod_auth_openidc-2.4.0-CVE-2019-20479.patch to fix
  open redirect issue that exists in URLs with a slash and
  backslash at the beginning [bsc#1164459], [CVE-2019-20479]

Wed Oct 30 11:40:10 UTC 2019 - Kristyna Streitova <>

- add apache2-mod_auth_openidc-2.4.0-CVE-2019-14857.patch to fix
  open redirect issue that exists in URLs with trailing slashes
  [bsc#1153666], [CVE-2019-14857]

Thu Aug 22 20:40:24 UTC 2019 - Michael Ströder <>

- Update to version 2.4.0

  * version 2.4.0 carries quite a number of relatively small changes (see: 
    Bugfixes and Features below) that are subtle but may impact runtime 
    behavior nevertheless; you should verify an upgrade in a test environment 
    before rolling out to production
  * this release deprecates the OAuth 2.0 Resource Server functionality 
    which is now implemented as a separate module mod_oauth2.

  * URL-encode client_id/client_secret when using client_secret_basic according to:
  * fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
  * fix oidc_proto_html_post auto-post-submit so it no longer results in
    duplicate parentheses; closes #440; thanks @gobreak
  * fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into to JWK
  * fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
  * fix JWT decryption crashing on non-null terminated input
  * fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic

  * support refresh and access tokens revocation from an RFC 7009 endpoint 
    upon OIDC session logout
  * make sure the content handler is called for every request to the 
    configured Redirect URI so all Apache processing is executed (e.g. 
    setting headers with mod_headers) before returning the response; thanks 
    Don Sengpiehl (NB: this may affect browser behavior and backwards 
  * add ability to view session info in HTML via the session info hook via <redirect_uri)?info=html
  * enable per-provider signing and encryption keys in multi-provider setups (with limitations)
  * no longer use the fixup handler for environment variable setting but do it as part of the authn handler
  * add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to 
    kill the session when refreshing an access token fails; thanks @rickyepoderi
  * be smart about picking the token endpoint authentication method when 
    not configured explicitly: don't choose the first one published by the OP 
    but prefer client_secret_basic if that is listed as well see: 
    panva/node-oidc-provider#514; thanks @richard-drummond and @panva

  * remove option OIDCScrubRequestHeaders that allows for skipping 
    scrubbing request headers, thus avoiding potentially insecure setups
  * log the original URL for expired state cookies, useful for debugging 
    SPA/JS issues
  * add debug logs in oidc_proto_generate_random_string to allow for 
    spotting lack of entropy in the random number generator (on VM 
    environments) more easily
  * add USE_URANDOM compile time option to use /dev/urandom explicitly for 
    non-blocking random number generation: configure with 
  * allow removing an access token from the cache ("remove_at_cache") when 
    running in OAuth 2.0 RS mode only

Wed Mar 13 20:36:33 UTC 2019 - Martin Hauke <>

- Update to version 2.3.11
  * dynamically pass query params to the authorization request
   + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  * allow compilation without memcache support on older platforms
    not providing apr_memcache.h

Wed Feb 20 08:16:59 UTC 2019 - Martin Hauke <>

- Update to version
  * fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in
    OIDC Session Management RP iframe
  * fix bug in current URL detection where query parameters would
    be duplicated
  * fix warning printout in oidc_delete_oldest_state_cookies
  * fix encryption buffer tag length mismatch
  * retain the unparsed URL path in current/original URL determination,
    and thereby preserve and support URL-encoded characters in paths
    when redirecting back to the original URL
  * add state to code exchange token requests only in multi-provider
  * optionally delete the oldest state cookie(s)
  * add support for refreshing an access token associated with an
    OIDC session using OIDCRefreshAccessTokenBeforeExpiry
  * fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie
    option is not listed last
  * fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is set
  * add support for draft
    OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens when
    running as an OAuth 2.0 RS, validating cnf["x5t#S256"] claims.
  * ignore/trim spaces in X-Forwarded-* headers
  * deal with forwarding proxy setups
  * improve OIDC backchannel logout based on config/Discover
  * add OIDCProviderBackChannelLogoutSupported config primitive
  * parse/interpret `backchannel_logout_supported` in Discovery document
  * add `id_token_token_binding_cnf`: `tbh` to dynamic client registration
  * support backchannel logout according to:
  * add test-cmd command to generate hashes base64urlencoded inputs
    (cnf/tbh claims)
  * support Token Binding for Access Tokens according to:
  * support nested arrays in Require claim authorization evaluation

Fri Nov  9 16:38:07 UTC 2018 -

- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires

Tue Oct 30 11:04:27 UTC 2018 -

- update to 2.3.8
- changes in 2.3.8
  * fix return result FALSE when JWT payload parsing fails
  * add LGTM code quality badges
  * fix 3 LGTM alerts
  * improve auto-detection of XMLHttpRequests via Accept header
  * initialize test_proto_authorization_request properly
  * add sanity check on provider->auth_request_method
  * allow usage with LibreSSL
  * don't return content with 503 since it will turn the HTTP
    status code into a 200
  * add option to set an upper limit to the number of concurrent
    state cookies via OIDCStateMaxNumberOfCookies
  * make the default maximum number of parallel state cookies
    7 instead of unlimited
  * fix using access token as endpoint auth method in
    introspection calls
  * fix reading access_token form POST parameters when combined
    with `AuthType auth-openidc`
- changes in 2.3.7
  * abort when string length for remote user name substitution
    is larger than 255 characters
  * fix Redis concurrency issue when used with multiple vhosts
  * add support for authorization server metadata with
    OIDCOAuthServerMetadataURL as in RFC 8414
  * refactor session object creation
  * clear session cookie and contents if cache corruption is detected
  * use apr_pstrdup when setting r->user
  * reserve 255 characters in remote username substition instead of 50
- changes in 2.3.6
  * add check to detect session cache corruption for server-based
    caches and cached static metadata
  * avoid using pipelining for Redis
  * send Basic header in OAuth www-authenticate response if that's
    the only accepted method; thanks @puiterwijk
  * refactor Redis cache backend to solve issues on AUTH errors:
    a) memory leak and b) redisGetReply lagging behind
  * adjust copyright year/org
  * fix buffer overflow in shm cache key set strcpy
  * turn missing session_state from warning into a debug statement
  * fix missing "return" on error return from the OP
  * explicitly set encryption kid so we're compatible with
    cjose >= 0.6.0
- changes in 2.3.5
  * fix encoding of preserved POST data
  * avoid buffer overflow in shm cache key construction
  * compile with with Libressl

Fri Apr 27 13:39:45 UTC 2018 -

- update to 2.3.4
- requested in fate#323817

Wed Dec 13 11:19:58 UTC 2017 -

- initial packaging