Name: apache2-mod_auth_openidc
Distribution: openSUSE Tumbleweed
Version: 2.4.16.3
Vendor: openSUSE
Release: 1.1
Build date: Tue Sep 17 10:52:12 2024
Group: Productivity/Networking/Web/Servers
Build host: reproducible
Size: 986582
Source RPM: apache2-mod_auth_openidc-2.4.16.3-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://github.com/zmartzone/mod_auth_openidc/
Summary: Apache2.x module for an OpenID Connect enabled Identity Provider
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
License: Apache-2.0
* Tue Sep 17 2024 pgajdos@suse.com
- version update to 2.4.16.3
  09/06/2024
  - allow overriding globally set OIDCCacheType back to shm in vhosts
  - correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi
    this fixes possible segmentation faults when using Redis and Metrics settings in vhosts
  09/05/2024
  - fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
  08/29/2024
  - fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
  08/28/2024
  - re-introduce OIDCSessionMaxDuration 0; see #1252
  - add some resilience when both Forwarded and X-Forwarded-* are configured
  - fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
  - remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14
  08/26/2024
  - fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann
  07/03/2024
  - cfg/provider: use oidc_jwk_list_copy when merging client_keys
  06/18/2024
  - memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
  06/08/2024
  - support DPoP nonces to the userinfo endpoint
  06/06/2024
  - add OIDCDPoPMode [off|optional|required] primitive
  - store the token_type in the session
  06/05/2024
  - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
  06/04/2024
  - add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
  - replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean
  - tighten up the "aud" claim validation in ID tokens
  - add support for the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-profile-ID2.html
  05/30/2024
  - add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
  04/23/2024
  - disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe due to the Marvin attack and is removed from libcjose as well
  04/05/2024
  - add debug printout for OIDCUnAuthAction expression evaluation
  04/03/2024
  - when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
  04/02/2024
  - major rewrite of config primitive handling:
    - split out over different files, use header files consistently
    - encapsulate config record with getters/setters
    - allow overriding defined global configuration primitives to their default value on the individual vhost level
    - apply input/boundary checking on all configuration values, shared with provider metadata parsing
    - various fixes to applying default config values and allowing primitives in vhost/directory scopes
  - return HTTP 502 when refreshing access token or userinfo fails (default: "502_on_error")
  - use a singleton token refresh mutex
  - add support for OIDCOAuthIntrospectionEndpointKeyPassword
  - bump to 2.4.16dev
  04/01/2024
  - release 2.4.15.7
  03/29/2024
  - fix OIDCUserInfoRefreshInterval, interval seconds would be interpreted as microseconds

* Mon Mar 25 2024 pgajdos@suse.com
- version update to 2.4.15.6
  03/14/2024
  - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
    avoid refreshing userinfo on each request until access token expiry
  - store interval as JSON integer in session
  - use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
  - release 2.4.15.6
  03/13/2024
  - fix compilation without libhiredis; closes #1195; thanks @HolgerHees
    conditionally define oidc_set_redis_connect_timeout
  - fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees
  - release 2.4.15.5
  03/12/2024
  - release 2.4.15.4
  - fix setting the default PKCE method to "none" in a multi-provider setup

* Fri Feb 16 2024 Danilo Spinella <danilo.spinella@suse.com>
- Update to 2.4.15.3:
  * for the complete list of changes, please have a look at ChangeLog
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied, bsc#1219911

* Thu Nov 30 2023 Danilo Spinella <danilo.spinella@suse.com>
- update to 2.4.14.4:
  * for the complete list of changes, please have a look at ChangeLog

* Tue Dec 20 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12.2
  * Security
    - CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured; see: GHSA-q6f2-285m-gr53
  * Features
    - allow overriding the type of lock used at compile time with OIDC_LOCK

* Tue Nov 15 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12.1
  * Features
    - add option to use ISO-8859-1 encoding for propagated claim values by adding latin1 option to OIDCPassClaimsAs <> latin1; see #957
    - Note that the encodings (including the existing "base64url") now apply to both header and environment variables
  * Bugfixes
    - switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers so there's no longer a (rather implicit) dependency on a libapr that is compiled against libuuid on Linux platforms; see #431, #603 and #694
    - fix cache file backend: delete the correct file upon logout; closes #955
    - fix cleanup of semaphores on graceful restarts; see #522, closes #458
    - fix OIDCProviderMetadataRefreshInterval since it was interpreted in microseconds instead of the documented and intended seconds; setting it to seconds would effectively turn off caching and pull the configuration document on each request
    - define APLOG_TRACE1 if it does not exist
    - correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
    - fixed printout of cache mutex errors in cache/common.c
    - prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create which is apparently required for (some) ARM based builds
    - fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
    - fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)

* Mon Oct 17 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12
  * Features
    - allow storing the id_token in a client-cookie based session; see #812 and #888
    - allow setting connection pool parameters for Memcache server connections; see #916
    - add option to set a username for Redis authentication via OIDCRedisCacheUsername
    - register request_object_signing_alg in dynamic client registration when using request_uri
  * Bugfixes
    - increase size of the output buffer when using libpcre2 for substitution; closes #915
    - support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache; see #936
    - allow for step-up discovery with an external URL using HTML refresh; fixes behaviour on CentOS 7/8 when combined with ProxyPass
    - apply exact length matching for at_hash and c_hash validation
    - store access token obtained from backchannel in session over the one returned in the frontchannel for code token and code id_token token flows
    - check ID token signed response algorithm on backchannel logout_token and retrieve its configuration value from the client metadata file

* Tue Aug 23 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.11.3
  * Bugfixes
    - avoid memory leak when using PCRE2 regular expressions with array matching; closes #902
    - avoid memory leak when cjose_jws_get_plaintext fails; closes #903
    - fix handling of IPv6 based logout URLs
  * Features
    - Use optionally provided sid and iss request parameters during front channel logout; see #855
    - support Forwarded header in addition to X-Forwarded-*; see #853

* Mon Jul 25 2022 Michael Ströder <michael@stroeder.com>
- removed obsolete BuildRequires autoconf and automake
- update to 2.4.11.2
  + release 2.4.11.2
    * Features
      - add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594
    * Bugfixes
      - add Cache-Control headers to logout response; see #846; thanks @blackwhiser1
    * Other
      - don't strip the header from encrypted JWTs as future versions of cjose may use compact encoding for JWEs; this slightly increases state cookie size, by-value session cookies and encrypted cache contents again at the benefit of forward cjose compatibility
  + release 2.4.11.1
    * Bugfixes
      - fix OIDCUnAuthAction pass not passing claims for authenticated users, see #790, thanks @cm0s
      - fix race conditions in the file cache backend, see #777, thanks @dbakker and @blackwhiser1
      - fix memory leaks over graceful restarts, see #823 and #824, thanks @smanolache
      - avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
      - add a check to make sure URLs do not contain unencoded Unicode characters, see #796, thanks @cnico
    * Features
      - warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
      - add support for OpenSSL 3.0
    * Other
      - remove test-cmd jwk2cert command
      - correct ap_hook_insert_filter function signature in stub.c, part 2, closes #784, thanks @stroeder
      - add Valgrind Github action
  + release 2.4.11
    * Bugfixes
      - fix use of regular expressions in Require statements
      - no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1
      - improve handling session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778
      - terminate on startup when the crypto passphrase generated by exec: is empty; see #767
      - allow authorization on info requests, see #746
      - avoid debug printout of payload as header when the latter is stripped
      - fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker
    * Features
      - make interpretation of X-Forwarded-* headers configurable, defaulting to none so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders
      - make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464
      - add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur
      - improve detection of suspicious redirect URLs; add test list
      - add administrative session revocation capability via <redirect_uri>?revoke_session=<sessionid>
    * Packaging
      - add support for libpcre2; see #740
      - add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
      - include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
      - install taking into account DESTDIR; see #674; thanks @alerque
  + release 2.4.10
    * Features
      - add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi
      - add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
      - log require claims failure on info level
      - backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2
    * Bugfixes
      - return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
      - don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
      - fix memory leak when parsing JWT access token fails (in RS mode)
      - fix regexp substitution crash using OIDCRemoteUserClaim; thanks @nneul; closes #720
    * Packaging
      - complete usage of autoconf/automake; see #674
      - add .deb for Debian Bullseye

* Fri Sep 03 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.4
  * Security
    - prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672
  * Bugfixes
    - don't apply authz in discovery process; fixes step up authentication when combined with Discovery

* Fri Aug 27 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.3
  * Bugfixes
    - don't apply authz to the redirect URI; fixes ac56864

* Tue Aug 24 2021 pgajdos@suse.com
- use declared tarball

* Mon Aug 23 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.2
  * Bugfixes
    - fix graceful restart (regression); see #458
  * Features
    - preserve session cookie in the event of a cache backend failure
    - update the id_token in the session cache if one is provided while refreshing the access token

* Fri Aug 13 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.1
  - fix retried Redis commands after a reconnect; see #642

* Fri Jul 23 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.9
  * Security
    - use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
    - replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
    - avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
    - return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
    - use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
  * Bugfixes
    - verify that alg is not none in logout_token explicitly
    - don't clear POST params authn on token revocation; thanks @iainh
    - fix a problem where the host and port are calculated incorrectly when using a literal IPv6 address
  * Other
    - make session not found on backchannel logout produce a log warning instead of error
    - handle discovery in the content handler
    - strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size
- Fix CVE-2021-32785 format string bug via hiredis (CVE-2021-32785, bsc#1188638)
- Fix CVE-2021-32786 open redirect in logout functionality (CVE-2021-32786, bsc#1188639)

* Wed Jun 02 2021 Michael Ströder <michael@stroeder.com>
- Use autogen.sh to generate missing configure script
- Update to version 2.4.8.4
  * Bugfixes
    - do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true
    - avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page; see also f5959d7 and #484; at least Debian Buster was affected
  * Other
    - make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

* Tue May 18 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.8.2
  * store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

* Fri May 07 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.8.1
  * Bugfixes
    - fix potential crash when the Content-Type header is not set in POST requests
    - avoid jwt/proto_state json_object memory leaks on cache failures
    - when an OAuth 2.0 RS token scope/claim authorization (401) error occurs, add an OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for usage with mod_headers, instead of adding a header ourselves; see #572
  * Features
    - add options to configure Redis connectivity timeouts with OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout
    - add OIDCClientTokenEndpointKeyPassword option to set a private key password for the client's private key to be used against the token endpoint; see #576

* Mon Apr 12 2021 pgajdos@suse.com
- test package

* Sun Apr 11 2021 Andreas Stieger <andreas.stieger@gmx.de>
- fix installation path on Factory (boo#1184572)
- switch to bootstrapped tarball
- package the license, docs and sample config

* Mon Apr 05 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.7
  * Bugfixes
    - avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542
  * Features
    - add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook; closes #541
  * Security
    - add opt-out on sub check in userinfo endpoint response using the (undocumented) OIDC_NO_USERINFO_SUB environment variable, for backwards (but insecure) compatibility, see #544
  * Dependencies
    - libcjose >= 0.5.1
    - if your distribution does not provide libcjose in its package repository, recent packages for a number of platforms are available from the "Assets" section in release 2.4.0

* Thu Apr 01 2021 pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]

* Thu Feb 18 2021 pgajdos@suse.com
- re-download tarball

* Wed Feb 17 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.6
  * Bugfixes
    - don't set SameSite=None on cookies when on plain http
    - fix semaphore cleanup on graceful restarts; see #522
    - fix inconsistent public/private keys loading order; closes #515
    - return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
    - optimize Redis AUTH execution once per connection
    - avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
    - make sure the module compiles with Apache 2.2 for passphrase exec:
  * Features
    - add Redis database selection option with OIDCRedisCacheDatabase; closes #423
    - add base64url option to OIDCPassClaimsAs primitive; closes #417
    - add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors, e.g.: SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
    - removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
  * Security
    - avoid displaying the client_secret in debug logs
  * Dependencies
    - libcjose >= 0.5.1
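Several of the entries above turn on the same handful of directives: an unset OIDCRedirectURLsAllowed was an open redirect in the default setup before 2.4.12.2 (CVE-2022-23527), `OIDCSessionType client-cookie` was a crafted-Cookie DoS before 2.4.15.3 (CVE-2024-24814), `OIDCPKCEMethod none` disables PKCE, `OIDCCookieSameSite On` means SameSite=Lax from 2.4.15.6, X-Forwarded-*/Forwarded headers are ignored unless OIDCXForwardedHeaders lists them, and OIDCDPoPMode exists from 2.4.16. The script below is an added example for this page, not code from the package or from the upstream project: it lints an httpd vhost config for exactly those directives, using the fix releases in the changelog as version cut-offs. The two configs, the example.test hostnames and the `exec:` passphrase helper path are constructed; the weak config shows the settings each entry warns about, the hardened one the corrected values.

```python
"""Audit an httpd vhost config for the mod_auth_openidc directives the changelog
marks as security-relevant. Added example for this page, not code from the
package or the upstream project; sample configs and hostnames are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed weak vhost: each directive below is one the changelog fixed or hardened.
WEAK_CONF = """
OIDCProviderMetadataURL https://op.example.test/.well-known/openid-configuration
OIDCRedirectURI https://rp.example.test/protected/redirect_uri
OIDCCryptoPassphrase REDACTED
OIDCSessionType client-cookie
OIDCPKCEMethod none
OIDCCookieSameSite Off
"""

# Constructed hardened counterpart; the exec: helper path is hypothetical.
HARDENED_CONF = r"""
OIDCProviderMetadataURL https://op.example.test/.well-known/openid-configuration
OIDCRedirectURI https://rp.example.test/protected/redirect_uri
OIDCCryptoPassphrase exec:/usr/local/sbin/oidc-passphrase
OIDCRedirectURLsAllowed ^https://rp\.example\.test/
OIDCSessionType server-cache
OIDCPKCEMethod S256
OIDCCookieSameSite On
OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto
OIDCDPoPMode optional
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.15.3' -> (2, 4, 15, 3); non-numeric suffixes such as 'dev' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Lowercase OIDC* directive name -> its argument strings, in file order.
    Simplified: one flat scope, '#' always starts a comment, no line continuations."""
    found: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower().startswith("oidc"):
            found.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return found


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    directive: str
    message: str


def audit(conf: str, module_version: str) -> List[Finding]:
    """Findings for the directives named in the changelog; cut-offs are its fix releases."""
    d, ver = parse_directives(conf), parse_version(module_version)
    out: List[Finding] = []

    def last(name: str) -> Optional[str]:
        vals = d.get(name.lower())
        return vals[-1] if vals else None  # a later occurrence wins, as in httpd

    # 2.4.12.2 (CVE-2022-23527): open redirect in the default setup when the allow-list is absent.
    if last("OIDCRedirectURLsAllowed") is None:
        out.append(Finding("high" if ver < (2, 4, 12, 2) else "medium", "OIDCRedirectURLsAllowed",
                           "not set; allow-list the logout and target_link_uri redirect targets"))
    # 2.4.15.3 (CVE-2024-24814): crafted Cookie header DoS with client-cookie sessions.
    st = last("OIDCSessionType")
    if st is not None and st.lower().startswith("client-cookie") and ver < (2, 4, 15, 3):
        out.append(Finding("high", "OIDCSessionType",
                           f"client-cookie sessions on {module_version}; update to >= 2.4.15.3"))
    # "none" disables PKCE (2.4.16.3 fixes setting it); S256 is the RFC 7636 method to use.
    pkce = last("OIDCPKCEMethod")
    if pkce is not None and pkce.lower() == "none":
        out.append(Finding("medium", "OIDCPKCEMethod", "PKCE disabled; use S256"))
    # 2.4.15.6: On yields SameSite=Lax; Off sets no SameSite attribute at all.
    ss = last("OIDCCookieSameSite")
    if ss is not None and ss.lower() == "off":
        out.append(Finding("medium", "OIDCCookieSameSite", "Off; set On (SameSite=Lax)"))
    # 2.4.11: X-Forwarded-*/Forwarded headers are ignored unless listed here, so a vhost
    # behind a reverse proxy that sets them needs this directive.
    if last("OIDCXForwardedHeaders") is None:
        out.append(Finding("info", "OIDCXForwardedHeaders",
                           "not set; required if a trusted reverse proxy sets X-Forwarded-*"))
    # 2.4.16: DPoP (RFC 9449) client support; only reported where the module offers it.
    dpop = last("OIDCDPoPMode")
    if ver >= (2, 4, 16) and (dpop is None or dpop.lower() == "off"):
        out.append(Finding("info", "OIDCDPoPMode", "DPoP available but off; consider optional"))
    return out


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Histogram of severities, e.g. {'high': 2, 'medium': 2, 'info': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts
```

To run it against a real vhost, pass the file contents to `audit()` together with the installed version, e.g. the output of `rpm -q --qf '%{VERSION}' apache2-mod_auth_openidc`. The weak config on 2.4.12.1 yields two high findings (missing OIDCRedirectURLsAllowed, client-cookie sessions); on 2.4.16.3 the same config drops to medium/info only, because both CVE fixes are in, while the hardened config yields nothing. The parser deliberately ignores `<VirtualHost>`/`<Location>` scoping; run it per vhost file.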
/usr/lib64/apache2/mod_auth_openidc.so
/usr/share/doc/packages/apache2-mod_auth_openidc
/usr/share/doc/packages/apache2-mod_auth_openidc/AUTHORS
/usr/share/doc/packages/apache2-mod_auth_openidc/ChangeLog
/usr/share/doc/packages/apache2-mod_auth_openidc/README.md
/usr/share/doc/packages/apache2-mod_auth_openidc/auth_openidc.conf
/usr/share/licenses/apache2-mod_auth_openidc
/usr/share/licenses/apache2-mod_auth_openidc/LICENSE.txt
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Oct 18 00:12:25 2024