CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

1. Releases
2. v2.4.13.2

Security

• CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
  GHSA-f5xw-rvfr-24qr
• fix code scanning alerts from 2 code scanning tools all over the place

Features

• add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,
  i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
  and used in private_key_jwt authentication, encrypted id_token’s, request objects/uri’s,
  but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
• record authorization errors in environment variable OIDC_AUTHZ_ERROR
  so its value can be used in logs e.g. with HTTP 401 responses in the access log:
  LogFormat “%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b” combined
  also log authorization errors with oidc_debug instead of oidc_info

Bugfixes

• fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
• allow target_link_uri’s without a path in 3rd-party-init SSO with a multi-provider setup
• correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro’s, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]