File apache2-mod_auth_openidc.changes of Package apache2-mod_auth_openidc.28532
-------------------------------------------------------------------
Tue Apr 4 13:37:14 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2023-28625, NULL pointer dereference when OIDCStripCookies is
set and a crafted Cookie header is supplied, bsc#1210073
* fix-CVE-2023-28625.patch
-------------------------------------------------------------------
Fri Dec 23 15:45:10 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2022-23527, Open Redirect in oidc_validate_redirect_url() using tab character
(CVE-2022-23527, bsc#1206441)
* fix-CVE-2022-23527-0.patch
* fix-CVE-2022-23527-1.patch
* fix-CVE-2022-23527-3.patch
* fix-CVE-2022-23527-2.patch
- Harden oidc_handle_refresh_token_request function
* harden-refresh-token-request.patch
- Fixes bsc#1199868, mod_auth_openidc not loading
-------------------------------------------------------------------
Wed Apr 13 16:45:20 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-39191 open redirect issue in target_link_uri parameter
(CVE-2021-39191, bsc#1190223)
* fix-CVE-2021-39191.patch
-------------------------------------------------------------------
Wed Jul 28 13:58:09 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-32791 Hardcoded static IV and AAD with a reused key in AES GCM encryption
(CVE-2021-32791, bsc#1188849)
* fix-CVE-2021-32791.patch
- Fix CVE-2021-32792 XSS when using OIDCPreservePost On
(CVE-2021-32792, bsc#1188848)
* fix-CVE-2021-32792-1.patch
* fix-CVE-2021-32792-2.patch
-------------------------------------------------------------------
Fri Jul 23 12:37:29 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2021-32785 format string bug via hiredis
(CVE-2021-32785, bsc#1188638)
* fix-CVE-2021-32785.patch
- Fix CVE-2021-32786 open redirect in logout functionality
(CVE-2021-32786, bsc#1188639)
* fix-CVE-2021-32786.patch
- Refresh apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
-------------------------------------------------------------------
Thu Apr 1 13:09:02 UTC 2021 - pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]
-------------------------------------------------------------------
Wed Mar 4 14:07:52 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix
open redirect issue that exists in URLs with a slash and
backslash at the beginning [bsc#1164459], [CVE-2019-20479]
-------------------------------------------------------------------
Wed Oct 30 11:35:12 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>
- add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix
open redirect issue that exists in URLs with trailing slashes
[bsc#1153666], [CVE-2019-14857]
-------------------------------------------------------------------
Fri Nov 9 16:38:07 UTC 2018 - kstreitova@suse.com
- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires
-------------------------------------------------------------------
Tue Oct 30 11:04:27 UTC 2018 - kstreitova@suse.com
- update to 2.3.8
- changes in 2.3.8
* fix return result FALSE when JWT payload parsing fails
* add LGTM code quality badges
* fix 3 LGTM alerts
* improve auto-detection of XMLHttpRequests via Accept header
* initialize test_proto_authorization_request properly
* add sanity check on provider->auth_request_method
* allow usage with LibreSSL
* don't return content with 503 since it will turn the HTTP
status code into a 200
* add option to set an upper limit to the number of concurrent
state cookies via OIDCStateMaxNumberOfCookies
* make the default maximum number of parallel state cookies
7 instead of unlimited
* fix using access token as endpoint auth method in
introspection calls
* fix reading access_token form POST parameters when combined
with `AuthType auth-openidc`
- changes in 2.3.7
* abort when string length for remote user name substitution
is larger than 255 characters
* fix Redis concurrency issue when used with multiple vhosts
* add support for authorization server metadata with
OIDCOAuthServerMetadataURL as in RFC 8414
* refactor session object creation
* clear session cookie and contents if cache corruption is detected
* use apr_pstrdup when setting r->user
* reserve 255 characters in remote username substition instead of 50
- changes in 2.3.6
* add check to detect session cache corruption for server-based
caches and cached static metadata
* avoid using pipelining for Redis
* send Basic header in OAuth www-authenticate response if that's
the only accepted method; thanks @puiterwijk
* refactor Redis cache backend to solve issues on AUTH errors:
a) memory leak and b) redisGetReply lagging behind
* adjust copyright year/org
* fix buffer overflow in shm cache key set strcpy
* turn missing session_state from warning into a debug statement
* fix missing "return" on error return from the OP
* explicitly set encryption kid so we're compatible with
cjose >= 0.6.0
- changes in 2.3.5
* fix encoding of preserved POST data
* avoid buffer overflow in shm cache key construction
* compile with with Libressl
-------------------------------------------------------------------
Fri Apr 27 13:39:45 UTC 2018 - vcizek@suse.com
- update to 2.3.4
- requested in fate#323817
-------------------------------------------------------------------
Wed Dec 13 11:19:58 UTC 2017 - christof.hanke@mpcdf.mpg.de
- initial packaging