
release 2.4.13.2

@zandbelt zandbelt released this 03 Apr 09:36

Security

  • CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
    GHSA-f5xw-rvfr-24qr
  • fix code scanning alerts reported by two code scanning tools throughout the code base

Features

  • add support for Elliptic Curve signing/encryption keys in addition to RSA keys,
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
    and used in private_key_jwt authentication, encrypted id_tokens and request objects/URIs,
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
  • record authorization errors in the environment variable OIDC_AUTHZ_ERROR
    so that its value can be written to logs, e.g. for HTTP 401 responses in the access log:
    LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
    also log authorization errors with oidc_debug instead of oidc_info
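    To show how the access-log entries produced by that LogFormat can be consumed on the defender side, here is an added example (not part of the release or of mod_auth_openidc itself) that parses constructed sample lines in that exact format and tallies OIDC_AUTHZ_ERROR reasons per 401 and per client host; the error texts in the sample are illustrative placeholders, not the module's real messages.

```python
import re
from collections import Counter

# Regex for the LogFormat from the release notes:
#   "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b"
# The %e field is unquoted in that format, so it is matched non-greedily and
# pinned by the trailing status/size fields; that tolerates spaces in the error.
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "
    r"(?P<path>\S+) (?P<authz_error>.+?) (?P<status>\d{3}) (?P<size>\d+|-)$"
)

# Constructed sample lines, not real traffic; the error texts are illustrative
# placeholders, not the exact strings mod_auth_openidc emits.
SAMPLE_LOG = """\
203.0.113.5 - alice [03/Apr/2023:09:36:00 +0000] /protected - 200 512
203.0.113.7 - bob [03/Apr/2023:09:36:01 +0000] /admin claim groups does not contain admins 401 0
203.0.113.7 - - [03/Apr/2023:09:36:02 +0000] /admin no access token 401 0
198.51.100.9 - carol [03/Apr/2023:09:36:03 +0000] /admin claim groups does not contain admins 401 0
garbage line that does not match
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "-" is what httpd writes when the 401 condition or the variable is absent.
    if rec["authz_error"] == "-":
        rec["authz_error"] = None
    return rec


def authz_error_counts(log_text):
    """Count OIDC_AUTHZ_ERROR reasons across all 401 responses."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["authz_error"]:
            counts[rec["authz_error"]] += 1
    return counts


def hosts_over_threshold(log_text, threshold):
    """Client hosts with at least `threshold` authorization failures, most frequent first."""
    per_host = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["authz_error"]:
            per_host[rec["host"]] += 1
    return [h for h, n in per_host.most_common() if n >= threshold]
```

Because the %e value is not quoted in this LogFormat, a naive whitespace split would break on error texts containing spaces; the regex above anchors on the trailing status and size fields instead.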

Bugfixes

  • fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
  • allow target_link_uri values without a path in 3rd-party-initiated SSO with a multi-provider setup
  • correct the cookie path printed in the error log when target_link_uri does not match OIDCCookiePath

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on PowerPC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]