Revisions of apache2-mod_auth_openidc
- Update to 2.4.15.3:
  * for the complete list of changes, please have a look at ChangeLog
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied, bsc#1219911
(forwarded request 1147162 from dspinella)
(forwarded request 914952 from dspinella)
- use declared tarball
- update to 2.4.9.2
  * Bugfixes
    - fix graceful restart (regression); see #458
  * Features
    - preserve session cookie in the event of a cache backend failure
    - update the id_token in the session cache if one is provided while refreshing the access token
- update to 2.4.9.1
  fix retried Redis commands after a reconnect; see #642
(forwarded request 912043 from stroeder)
- test package
- fix installation path on Factory (boo#1184572)
- switch to bootstrapped tarball
- package the license, docs and sample config
Update to version 2.4.7 (forwarded request 883107 from stroeder)
- re-download tarball
- Update to version 2.4.6
  * Bugfixes
    - don't set SameSite=None on cookies when on plain http
    - fix semaphore cleanup on graceful restarts; see #522
    - fix inconsistent public/private keys loading order; closes #515
    - return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
    - optimize Redis AUTH execution once per connection
    - avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
    - make sure the module compiles with Apache 2.2 for passphrase exec:
  * Features
    - add Redis database selection option with OIDCRedisCacheDatabase; closes #423
    - add base64url option to OIDCPassClaimsAs primitive; closes #417
    - add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors e.g.:
      - SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
    - removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
  * Security
    - avoid displaying the client_secret in debug logs
  * Dependencies
    - libcjose >= 0.5.1
- Update to version 2.4.4.1
  * Bugfixes
    - add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes
  * Packaging
    - the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
(forwarded request 833319 from stroeder)