release 2.4.13.2
Security
- CVE-2023-28625: prevent core dump when `OIDCStripCookies` is set and a crafted `Cookie` header is supplied (GHSA-f5xw-rvfr-24qr)
- fix code scanning alerts from 2 code scanning tools all over the place
Features
- add support for Elliptic Curve signing/encryption keys in addition to RSA keys, i.e. client keys configured in `OIDCPrivateKeyFiles`/`OIDCPublicKeyFiles`, published on `OIDCClientJwksUri` and used in `private_key_jwt` authentication, encrypted `id_token`s, request objects/URIs, but also statically configured provider keys in `OIDCOAuthVerifyCertFiles` and `OIDCProviderVerifyCertFiles`
- record authorization errors in environment variable `OIDC_AUTHZ_ERROR` so its value can be used in logs, e.g. with HTTP 401 responses in the access log:
  `LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined`
  also log authorization errors with `oidc_debug` instead of `oidc_info`
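As an added example (not part of these release notes or of the mod_auth_openidc project), the following Python script consumes access-log lines written with the `LogFormat` shown above and summarises which `OIDC_AUTHZ_ERROR` values accompany HTTP 401 responses per path. Because `%401{...}e` prints `-` for every non-401 response, the parser treats `-` as "no error"; the sample log lines and the error strings in them are constructed placeholders, not real mod_auth_openidc output.

```python
"""
Added example: parse Apache access-log lines written with

    LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined

and count the OIDC_AUTHZ_ERROR values seen on HTTP 401 responses.
The sample lines and error strings below are constructed for this example.
"""
import re
from collections import Counter

# One group per field of the LogFormat. The OIDC_AUTHZ_ERROR field is matched
# lazily and the status/bytes fields are anchored at the end of the line, so the
# parser keeps working if the error text ever contains a space.
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] (?P<path>\S+) "
    r"(?P<authz_error>.*?) (?P<status>\d{3}) (?P<bytes>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %401{OIDC_AUTHZ_ERROR}e prints "-" for every response that is not a 401.
    if rec["authz_error"] == "-":
        rec["authz_error"] = None
    return rec


def authz_errors_by_path(lines):
    """Count (path, OIDC_AUTHZ_ERROR) pairs over the 401 responses only."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["authz_error"]:
            counts[(rec["path"], rec["authz_error"])] += 1
    return counts


# Constructed sample lines; the error strings are placeholders, not actual
# mod_auth_openidc messages.
SAMPLE_LOG = [
    "203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] /protected/ - 200 512",
    "203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] /protected/admin require-claim-failed 401 -",
    "203.0.113.7 - - [10/Apr/2023:12:00:03 +0000] /protected/admin require-claim-failed 401 -",
    "198.51.100.9 - - [10/Apr/2023:12:00:04 +0000] /protected/reports expression failed 401 -",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for (path, err), n in sorted(authz_errors_by_path(SAMPLE_LOG).items()):
        print(f"{n:3d}  {path}  {err}")
```

Feeding a real log file is a matter of replacing `SAMPLE_LOG` with `open("access.log")`; lines that do not match the format (for example a differently formatted vhost sharing the file) are skipped rather than raising.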
Bugfixes
- fix for omitting the `kid#` prefix in `OIDCPublicKeyFiles`/`OIDCPrivateKeyFiles` and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
- allow `target_link_uri`s without a path in 3rd-party-init SSO with a multi-provider setup
- correct cookie path printout in error log when `target_link_uri` does not match `OIDCCookiePath`
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]