File apache2-mod_auth_openidc.changes of Package apache2-mod_auth_openidc.13085
-------------------------------------------------------------------
Wed Oct 30 11:40:10 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>

- add apache2-mod_auth_openidc-2.4.0-CVE-2019-14857.patch to fix open
  redirect issue that exists in URLs with trailing slashes
  [bsc#1153666], [CVE-2019-14857]

-------------------------------------------------------------------
Thu Aug 22 20:40:24 UTC 2019 - Michael Ströder <michael@stroeder.com>

- Update to version 2.4.0
  Important
  * version 2.4.0 carries quite a number of relatively small changes
    (see: Bugfixes and Features below) that are subtle but may impact
    runtime behavior nevertheless; you should verify an upgrade in a
    test environment before rolling out to production
  * this release deprecates the OAuth 2.0 Resource Server functionality
    which is now implemented as a separate module mod_oauth2.
  Bugfixes
  * URL-encode client_id/client_secret when using client_secret_basic
    according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
  * fix parsing and caching of OIDCOAuthServerMetadataURL;
    thanks Lance Fannin
  * fix oidc_proto_html_post auto-post-submit so it no longer results in
    duplicate parentheses; closes #440; thanks @gobreak
  * fix RSA JWK x5c parsing issue (e.g. when parsing n fails):
    explicitly set the kid into the JWK
  * fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not
    lost; see #443
  * fix JWT decryption crashing on non-null terminated input
  * fix not clearing claims in session when setting claims to null;
    closes #445; thanks @FilipVujicic
  Features
  * support refresh and access tokens revocation from an RFC 7009
    endpoint upon OIDC session logout
  * make sure the content handler is called for every request to the
    configured Redirect URI so all Apache processing is executed
    (e.g. setting headers with mod_headers) before returning the
    response; thanks Don Sengpiehl (NB: this may affect browser
    behavior and backwards compatibility)
  * add ability to view session info in HTML via the session info hook
    via <redirect_uri>?info=html
  * enable per-provider signing and encryption keys in multi-provider
    setups (with limitations)
  * no longer use the fixup handler for environment variable setting
    but do it as part of the authn handler
  * add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to
    kill the session when refreshing an access token fails;
    thanks @rickyepoderi
  * be smart about picking the token endpoint authentication method
    when not configured explicitly: don't choose the first one
    published by the OP but prefer client_secret_basic if that is
    listed as well; see: panva/node-oidc-provider#514;
    thanks @richard-drummond and @panva
  Other
  * remove option OIDCScrubRequestHeaders that allows for skipping
    scrubbing request headers, thus avoiding potentially insecure
    setups
  * log the original URL for expired state cookies, useful for
    debugging SPA/JS issues
  * add debug logs in oidc_proto_generate_random_string to allow for
    spotting lack of entropy in the random number generator (on VM
    environments) more easily
  * add USE_URANDOM compile time option to use /dev/urandom explicitly
    for non-blocking random number generation: configure with
    APXS2_OPTS="-DUSE_URANDOM"
  * allow removing an access token from the cache ("remove_at_cache")
    when running in OAuth 2.0 RS mode only

-------------------------------------------------------------------
Wed Mar 13 20:36:33 UTC 2019 - Martin Hauke <mardnh@gmx.de>

- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or
      OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms not
    providing apr_memcache.h

-------------------------------------------------------------------
Wed Feb 20 08:16:59 UTC 2019 - Martin Hauke <mardnh@gmx.de>

- Update to version 2.3.10.2
  * fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC
    Session Management RP iframe
  * fix bug in current URL detection where query parameters would be
    duplicated
  * fix warning printout in oidc_delete_oldest_state_cookies
  * fix encryption buffer tag length mismatch
  * retain the unparsed URL path in current/original URL determination,
    and thereby preserve and support URL-encoded characters in paths
    when redirecting back to the original URL
  * add state to code exchange token requests only in multi-provider
    setups
  * optionally delete the oldest state cookie(s)
  * add support for refreshing an access token associated with an OIDC
    session using OIDCRefreshAccessTokenBeforeExpiry
  * fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the
    cookie option is not listed last
  * fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is
    set
  * add support for draft
    https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt OAuth 2.0
    Mutual TLS Client Certificate Bound Access Tokens when running as
    an OAuth 2.0 RS, validating cnf["x5t#S256"] claims.
  * ignore/trim spaces in X-Forwarded-* headers
  * deal with forwarding proxy setups
  * improve OIDC backchannel logout based on config/Discover
  * add OIDCProviderBackChannelLogoutSupported config primitive
  * parse/interpret `backchannel_logout_supported` in Discovery
    document
  * add `id_token_token_binding_cnf`: `tbh` to dynamic client
    registration metadata
  * support backchannel logout according to:
    https://openid.net/specs/openid-connect-backchannel-1_0.html
  * add test-cmd command to generate hashes base64urlencoded inputs
    (cnf/tbh claims)
  * support Token Binding for Access Tokens according to:
    https://tools.ietf.org/html/draft-ietf-oauth-token-binding
  * support nested arrays in Require claim authorization evaluation

-------------------------------------------------------------------
Fri Nov  9 16:38:07 UTC 2018 - kstreitova@suse.com

- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires

-------------------------------------------------------------------
Tue Oct 30 11:04:27 UTC 2018 - kstreitova@suse.com

- update to 2.3.8
- changes in 2.3.8
  * fix return result FALSE when JWT payload parsing fails
  * add LGTM code quality badges
  * fix 3 LGTM alerts
  * improve auto-detection of XMLHttpRequests via Accept header
  * initialize test_proto_authorization_request properly
  * add sanity check on provider->auth_request_method
  * allow usage with LibreSSL
  * don't return content with 503 since it will turn the HTTP status
    code into a 200
  * add option to set an upper limit to the number of concurrent state
    cookies via OIDCStateMaxNumberOfCookies
  * make the default maximum number of parallel state cookies 7 instead
    of unlimited
  * fix using access token as endpoint auth method in introspection
    calls
  * fix reading access_token from POST parameters when combined with
    `AuthType auth-openidc`
- changes in 2.3.7
  * abort when string length for remote user name substitution is
    larger than 255 characters
  * fix Redis concurrency issue when used with multiple vhosts
  * add support for authorization server metadata with
    OIDCOAuthServerMetadataURL as in RFC 8414
  * refactor session object creation
  * clear session cookie and contents if cache corruption is detected
  * use apr_pstrdup when setting r->user
  * reserve 255 characters in remote username substitution instead
    of 50
- changes in 2.3.6
  * add check to detect session cache corruption for server-based
    caches and cached static metadata
  * avoid using pipelining for Redis
  * send Basic header in OAuth www-authenticate response if that's the
    only accepted method; thanks @puiterwijk
  * refactor Redis cache backend to solve issues on AUTH errors:
    a) memory leak and b) redisGetReply lagging behind
  * adjust copyright year/org
  * fix buffer overflow in shm cache key set strcpy
  * turn missing session_state from warning into a debug statement
  * fix missing "return" on error return from the OP
  * explicitly set encryption kid so we're compatible with
    cjose >= 0.6.0
- changes in 2.3.5
  * fix encoding of preserved POST data
  * avoid buffer overflow in shm cache key construction
  * compile with LibreSSL

-------------------------------------------------------------------
Fri Apr 27 13:39:45 UTC 2018 - vcizek@suse.com

- update to 2.3.4
- requested in fate#323817

-------------------------------------------------------------------
Wed Dec 13 11:19:58 UTC 2017 - christof.hanke@mpcdf.mpg.de

- initial packaging