File apache2-mod_auth_openidc.changes of Package apache2-mod_auth_openidc.32631
-------------------------------------------------------------------
Fri Feb 16 15:57:45 UTC 2024 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set
  and a crafted Cookie header is supplied, bsc#1219911
  * fix-CVE-2024-24814.patch
-------------------------------------------------------------------
Tue Apr  4 13:37:14 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2023-28625, NULL pointer dereference when OIDCStripCookies is
  set and a crafted Cookie header is supplied, bsc#1210073
  * fix-CVE-2023-28625.patch
-------------------------------------------------------------------
Fri Dec 23 15:45:10 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2022-23527, Open Redirect in oidc_validate_redirect_url() using tab character
  (CVE-2022-23527, bsc#1206441)
  * fix-CVE-2022-23527-0.patch
  * fix-CVE-2022-23527-1.patch
  * fix-CVE-2022-23527-3.patch
  * fix-CVE-2022-23527-2.patch
- Harden oidc_handle_refresh_token_request function
  * harden-refresh-token-request.patch
- Fixes bsc#1199868, mod_auth_openidc not loading
-------------------------------------------------------------------
Wed Apr 13 16:45:20 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-39191 open redirect issue in target_link_uri parameter
  (CVE-2021-39191, bsc#1190223)
  * fix-CVE-2021-39191.patch
-------------------------------------------------------------------
Wed Jul 28 13:58:09 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-32791 Hardcoded static IV and AAD with a reused key in AES GCM encryption
  (CVE-2021-32791, bsc#1188849)
  * fix-CVE-2021-32791.patch
- Fix CVE-2021-32792 XSS when using OIDCPreservePost On
  (CVE-2021-32792, bsc#1188848)
  * fix-CVE-2021-32792-1.patch
  * fix-CVE-2021-32792-2.patch
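The CVE-2021-32791 entry above names the failure mode but not its consequence. The following is an added example, not code from mod_auth_openidc or from this package: it reproduces the weak pattern (one long-lived key, a fixed IV and fixed AAD for every message) in Go's standard-library AES-GCM, shows that an attacker who knows one plaintext recovers any other message encrypted the same way without the key, and contrasts it with a per-message random nonce. The key, IV, AAD and session strings are constructed for the demonstration and are not the module's real values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// staticIV and staticAAD stand in for the hardcoded values the changelog
// entry refers to; the exact bytes here are constructed for this example.
var (
	staticIV  = []byte("fixed-iv-12b")    // 12 bytes: the GCM nonce size
	staticAAD = []byte("constructed-aad") // same AAD on every message
	tagSize   = 16                        // GCM authentication tag length
)

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// SealStatic is the weak pattern: every message under the long-lived key
// uses the same nonce and AAD. Output is ciphertext || tag.
func SealStatic(key, plaintext []byte) []byte {
	return newGCM(key).Seal(nil, staticIV, plaintext, staticAAD)
}

// SealFresh is the fix: a random 96-bit nonce per message, prepended to the
// output so the receiver can use it. Output is nonce || ciphertext || tag.
func SealFresh(key, plaintext []byte) []byte {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, staticAAD)
}

// OpenFresh reverses SealFresh and fails on any tampering.
func OpenFresh(key, sealed []byte) ([]byte, error) {
	g := newGCM(key)
	n := g.NonceSize()
	if len(sealed) < n+tagSize {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], staticAAD)
}

// RecoverWithKnownPlaintext is the attack that nonce reuse enables. GCM
// encrypts with a CTR keystream, so for two messages under the same key and
// nonce: c1 XOR p1 = keystream = c2 XOR p2. Knowing p1 yields p2 with no key.
// Both ciphertext arguments are ciphertext||tag as returned by SealStatic.
func RecoverWithKnownPlaintext(c1, p1, c2 []byte) []byte {
	n := len(p1)
	if len(c2)-tagSize < n {
		n = len(c2) - tagSize
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ p1[i] ^ c2[i]
	}
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	p1 := []byte("session=alice;role=user")           // attacker knows this one
	p2 := []byte("session=bob;role=admin")            // attacker wants this one
	c1, c2 := SealStatic(key, p1), SealStatic(key, p2)
	fmt.Printf("static nonce, recovered p2: %q\n", RecoverWithKnownPlaintext(c1, p1, c2))
	fmt.Printf("static nonce, same plaintext gives same ciphertext: %v\n",
		bytes.Equal(SealStatic(key, p1), c1))
	f1, f2 := SealFresh(key, p1), SealFresh(key, p2)
	n := newGCM(key).NonceSize()
	fmt.Printf("fresh nonce, attack output: %q\n", RecoverWithKnownPlaintext(f1[n:], p1, f2[n:]))
}
```

A fixed AAD on its own is not the problem (AAD is public by design); the damage comes from the fixed nonce under a reused key, which both leaks plaintext as shown and lets an attacker recover the GHASH key and forge tags. The fix is to never reuse a (key, nonce) pair: a random 96-bit nonce per message, or a counter that survives restarts, carried alongside the ciphertext.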
-------------------------------------------------------------------
Fri Jul 23 12:37:29 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-32785 format string bug via hiredis
  (CVE-2021-32785, bsc#1188638)
  * fix-CVE-2021-32785.patch
- Fix CVE-2021-32786 open redirect in logout functionality
  (CVE-2021-32786, bsc#1188639)
  * fix-CVE-2021-32786.patch
- Refresh apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
-------------------------------------------------------------------
Thu Apr  1 13:09:02 UTC 2021 - pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]
-------------------------------------------------------------------
Wed Mar  4 14:07:52 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix
  open redirect issue that exists in URLs with a slash and
  backslash at the beginning [bsc#1164459], [CVE-2019-20479]
-------------------------------------------------------------------
Wed Oct 30 11:35:12 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix
  open redirect issue that exists in URLs with trailing slashes
  [bsc#1153666], [CVE-2019-14857]
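Several entries in this changelog are open-redirect fixes in the logout and redirect paths: a tab character (CVE-2022-23527), a leading slash and backslash (CVE-2019-20479), trailing slashes (CVE-2019-14857), the target_link_uri parameter (CVE-2021-39191) and the logout function (CVE-2021-32786). The following is an added example written for this page, not the module's own oidc_validate_redirect_url() or any of the patches listed: it is a redirect-target validator in Go (the module itself is C) that refuses the classes of input those entries describe by parsing the target and comparing the host exactly, next to the kind of string-prefix check such parsers are often bypassed through. The allowlist host and probe URLs are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateRedirect accepts target only if it is either a local absolute path
// or an https URL whose host is in allowed. Every rejection names the
// pattern that triggered it so the caller can log it.
func ValidateRedirect(target string, allowed map[string]bool) error {
	if target == "" {
		return errors.New("empty target")
	}
	// Browsers strip tab, newline and other control bytes before parsing,
	// so "https://evil.com\t" or "/\tevil.com" can be parsed one way by the
	// server and another by the browser. Refuse them instead of normalising.
	for i := 0; i < len(target); i++ {
		if target[i] < 0x21 || target[i] == 0x7f {
			return fmt.Errorf("control or whitespace byte at offset %d", i)
		}
	}
	// Browsers treat a backslash like a slash in the authority part, so the
	// browser navigates "/\evil.com" as "//evil.com" while a strict parser
	// sees a harmless local path. Reject the byte anywhere in the target.
	if strings.Contains(target, `\`) {
		return errors.New("backslash in target")
	}
	u, err := url.Parse(target)
	if err != nil {
		return fmt.Errorf("unparseable target: %w", err)
	}
	if u.IsAbs() {
		if u.Scheme != "https" {
			return fmt.Errorf("scheme %q not allowed", u.Scheme)
		}
		// Compare the parsed host, never a string prefix: a prefix check
		// against "https://app.example.com" also passes
		// "https://app.example.com.evil.com/" and
		// "https://app.example.com@evil.com/".
		host := strings.ToLower(u.Hostname())
		if !allowed[host] {
			return fmt.Errorf("host %q not in allowlist", host)
		}
		return nil
	}
	// Relative target: a non-empty host means a scheme-relative URL such as
	// "//evil.com", which the browser resolves to a foreign origin.
	if u.Host != "" {
		return errors.New("scheme-relative target")
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return errors.New("relative target must start with a single '/'")
	}
	return nil
}

// NaivePrefixCheck is the kind of check ValidateRedirect replaces: a plain
// string-prefix comparison of the target against the configured base URL.
func NaivePrefixCheck(target, base string) bool {
	return strings.HasPrefix(target, base)
}

func main() {
	// Constructed allowlist and probe URLs for the demonstration.
	allowed := map[string]bool{"app.example.com": true}
	probes := []string{
		"https://app.example.com/logout",
		"/dashboard",
		"https://app.example.com.evil.com/",
		"https://app.example.com@evil.com/",
		"https://evil.com\t",
		"/\\evil.com",
		"//evil.com",
		"javascript:alert(1)",
	}
	for _, p := range probes {
		fmt.Printf("%-40q prefix-check=%-5v strict=%v\n",
			p, NaivePrefixCheck(p, "https://app.example.com"), ValidateRedirect(p, allowed))
	}
}
```

The validator rejects before it parses: control bytes and backslashes are refused as raw bytes because the disagreement between the server's parser and the browser's is exactly what these bypasses exploit, and no amount of post-parse checking on the server's view fixes that. The two lookalike absolute URLs pass the prefix check and fail the host comparison, which is the difference between matching a string and matching an origin.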
-------------------------------------------------------------------
Fri Nov  9 16:38:07 UTC 2018 - kstreitova@suse.com
- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires
-------------------------------------------------------------------
Tue Oct 30 11:04:27 UTC 2018 - kstreitova@suse.com
- update to 2.3.8
- changes in 2.3.8
  * fix return result FALSE when JWT payload parsing fails
  * add LGTM code quality badges
  * fix 3 LGTM alerts
  * improve auto-detection of XMLHttpRequests via Accept header
  * initialize test_proto_authorization_request properly
  * add sanity check on provider->auth_request_method
  * allow usage with LibreSSL
  * don't return content with 503 since it will turn the HTTP
    status code into a 200
  * add option to set an upper limit to the number of concurrent
    state cookies via OIDCStateMaxNumberOfCookies
  * make the default maximum number of parallel state cookies
    7 instead of unlimited
  * fix using access token as endpoint auth method in
    introspection calls
  * fix reading access_token from POST parameters when combined
    with `AuthType auth-openidc`
- changes in 2.3.7
  * abort when string length for remote user name substitution
    is larger than 255 characters
  * fix Redis concurrency issue when used with multiple vhosts
  * add support for authorization server metadata with
    OIDCOAuthServerMetadataURL as in RFC 8414
  * refactor session object creation
  * clear session cookie and contents if cache corruption is detected
  * use apr_pstrdup when setting r->user
  * reserve 255 characters in remote username substitution instead of 50
- changes in 2.3.6
  * add check to detect session cache corruption for server-based
    caches and cached static metadata
  * avoid using pipelining for Redis
  * send Basic header in OAuth www-authenticate response if that's
    the only accepted method; thanks @puiterwijk
  * refactor Redis cache backend to solve issues on AUTH errors:
    a) memory leak and b) redisGetReply lagging behind
  * adjust copyright year/org
  * fix buffer overflow in shm cache key set strcpy
  * turn missing session_state from warning into a debug statement
  * fix missing "return" on error return from the OP
  * explicitly set encryption kid so we're compatible with
    cjose >= 0.6.0
- changes in 2.3.5
  * fix encoding of preserved POST data
  * avoid buffer overflow in shm cache key construction
  * compile with LibreSSL
-------------------------------------------------------------------
Fri Apr 27 13:39:45 UTC 2018 - vcizek@suse.com
- update to 2.3.4
- requested in fate#323817
-------------------------------------------------------------------
Wed Dec 13 11:19:58 UTC 2017 - christof.hanke@mpcdf.mpg.de
- initial packaging