
apache2-mod_auth_openidc-2.3.8-lp156.6.9 RPM for x86_64

From openSUSE Leap 15.6 for x86_64

Name: apache2-mod_auth_openidc
Distribution: openSUSE Leap 15.6
Version: 2.3.8
Vendor: openSUSE
Release: lp156.6.9
Build date: Tue May 28 09:05:04 2024
Group: Productivity/Networking/Web/Servers
Build host: h02-ch1d
Size: 392536
Source RPM: apache2-mod_auth_openidc-2.3.8-lp156.6.9.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/zmartzone/mod_auth_openidc/
Summary: Apache2.x module for an OpenID Connect enabled Identity Provider
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Provides

Requires

License

Apache-2.0

Changelog

* Tue Apr 04 2023 Danilo Spinella <danilo.spinella@suse.com>
  - Fix CVE-2023-28625, NULL pointer dereference when OIDCStripCookies is
    set and a crafted Cookie header is supplied, bsc#1210073
    * fix-CVE-2023-28625.patch
* Fri Dec 23 2022 Danilo Spinella <danilo.spinella@suse.com>
  - Fix CVE-2022-23527, Open Redirect in oidc_validate_redirect_url() using tab character
    (CVE-2022-23527, bsc#1206441)
    * fix-CVE-2022-23527-0.patch
    * fix-CVE-2022-23527-1.patch
    * fix-CVE-2022-23527-3.patch
    * fix-CVE-2022-23527-2.patch
  - Harden oidc_handle_refresh_token_request function
    * harden-refresh-token-request.patch
  - Fixes bsc#1199868, mod_auth_openidc not loading
* Wed Apr 13 2022 Danilo Spinella <danilo.spinella@suse.com>
  - Fix CVE-2021-39191 open redirect issue in target_link_uri parameter
    (CVE-2021-39191, bsc#1190223)
    * fix-CVE-2021-39191.patch
* Wed Jul 28 2021 Danilo Spinella <danilo.spinella@suse.com>
  - Fix CVE-2021-32791 Hardcoded static IV and AAD with a reused key in AES GCM encryption
    (CVE-2021-32791, bsc#1188849)
    * fix-CVE-2021-32791.patch
  - Fix CVE-2021-32792 XSS when using OIDCPreservePost On
    (CVE-2021-32792, bsc#1188848)
    * fix-CVE-2021-32792-1.patch
    * fix-CVE-2021-32792-2.patch
* Fri Jul 23 2021 Danilo Spinella <danilo.spinella@suse.com>
  - Fix CVE-2021-32785 format string bug via hiredis
    (CVE-2021-32785, bsc#1188638)
    * fix-CVE-2021-32785.patch
  - Fix CVE-2021-32786 open redirect in logout functionality
    (CVE-2021-32786, bsc#1188639)
    * fix-CVE-2021-32786.patch
  - Refresh apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
* Thu Apr 01 2021 pgajdos@suse.com
  - require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]
* Wed Mar 04 2020 Kristyna Streitova <kstreitova@suse.com>
  - add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix
    open redirect issue that exists in URLs with a slash and
    backslash at the beginning [bsc#1164459], [CVE-2019-20479]
* Wed Oct 30 2019 Kristyna Streitova <kstreitova@suse.com>
  - add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix
    open redirect issue that exists in URLs with trailing slashes
    [bsc#1153666], [CVE-2019-14857]
* Fri Nov 09 2018 kstreitova@suse.com
  - submission to SLE15SP1 because of fate#324447
  - build with hiredis only for openSUSE where hiredis is available
  - add a version for jansson BuildRequires
* Tue Oct 30 2018 kstreitova@suse.com
  - update to 2.3.8
  - changes in 2.3.8
    * fix return result FALSE when JWT payload parsing fails
    * add LGTM code quality badges
    * fix 3 LGTM alerts
    * improve auto-detection of XMLHttpRequests via Accept header
    * initialize test_proto_authorization_request properly
    * add sanity check on provider->auth_request_method
    * allow usage with LibreSSL
    * don't return content with 503 since it will turn the HTTP
      status code into a 200
    * add option to set an upper limit to the number of concurrent
      state cookies via OIDCStateMaxNumberOfCookies
    * make the default maximum number of parallel state cookies
      7 instead of unlimited
    * fix using access token as endpoint auth method in
      introspection calls
    * fix reading access_token form POST parameters when combined
      with `AuthType auth-openidc`
  - changes in 2.3.7
    * abort when string length for remote user name substitution
      is larger than 255 characters
    * fix Redis concurrency issue when used with multiple vhosts
    * add support for authorization server metadata with
      OIDCOAuthServerMetadataURL as in RFC 8414
    * refactor session object creation
    * clear session cookie and contents if cache corruption is detected
    * use apr_pstrdup when setting r->user
    * reserve 255 characters in remote username substitution instead of 50
  - changes in 2.3.6
    * add check to detect session cache corruption for server-based
      caches and cached static metadata
    * avoid using pipelining for Redis
    * send Basic header in OAuth www-authenticate response if that's
      the only accepted method; thanks @puiterwijk
    * refactor Redis cache backend to solve issues on AUTH errors:
      a) memory leak and b) redisGetReply lagging behind
    * adjust copyright year/org
    * fix buffer overflow in shm cache key set strcpy
    * turn missing session_state from warning into a debug statement
    * fix missing "return" on error return from the OP
    * explicitly set encryption kid so we're compatible with
      cjose >= 0.6.0
  - changes in 2.3.5
    * fix encoding of preserved POST data
    * avoid buffer overflow in shm cache key construction
    * compile with LibreSSL
* Fri Apr 27 2018 vcizek@suse.com
  - update to 2.3.4
  - requested in fate#323817
* Wed Dec 13 2017 christof.hanke@mpcdf.mpg.de
  - initial packaging

Files

/mod_auth_openidc.so


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 20:06:21 2024