CVE-2017-6413: Release 2.1.6 · OpenIDC/mod_auth_openidc
The “OpenID Connect Relying Party and OAuth 2.0 Resource Server” (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an “AuthType oauth20” configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
This is a security release:
Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.
Security
- scrub headers for AuthType oauth20
On paths protected with AuthType oauth20, no request headers were scrubbed before mod_auth_openidc set its own headers. Malicious software or users could therefore supply OIDC_CLAIM_ and OIDCAuthNHeader headers themselves, and applications would interpret them as having been set by mod_auth_openidc; such a forged header was only overwritten where mod_auth_openidc itself set a header of that name.
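The scrubbing step described above, modelled as an added example (this is not the module's own C code). The header name assumed for OIDCAuthNHeader, the sample token claims and the sample request are all constructed for the demonstration:

```python
"""Model of the header scrubbing that 2.1.6 adds for AuthType oauth20.
Added example; not mod_auth_openidc code."""

CLAIM_PREFIX = "OIDC_CLAIM_"
AUTHN_HEADER = "OIDC_REMOTE_USER"  # assumed value of OIDCAuthNHeader


def scrub_headers(headers, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Drop every client-supplied header the application would trust as
    coming from the module. HTTP header names are case-insensitive, so the
    comparison is too; a prefix check in the original case would miss
    'oidc_claim_role'."""
    prefix, authn = claim_prefix.lower(), authn_header.lower()
    return {
        name: value
        for name, value in headers.items()
        if not (name.lower().startswith(prefix) or name.lower() == authn)
    }


def apply_module_headers(headers, claims, claim_prefix=CLAIM_PREFIX,
                         authn_header=AUTHN_HEADER):
    """After token validation the module sets one header per claim plus the
    authenticated-user header, overwriting any existing value of that name."""
    out = dict(headers)
    for claim, value in claims.items():
        out[claim_prefix + claim] = str(value)
    out[authn_header] = str(claims["sub"])
    return out


def headers_seen_by_app(client_headers, claims, scrub=True):
    """Headers the backend receives; scrub=False models releases before 2.1.6."""
    incoming = scrub_headers(client_headers) if scrub else client_headers
    return apply_module_headers(incoming, claims)


# Constructed sample: the validated token only asserts sub=alice and scope=read,
# but the client adds a forged claim header and a forged user header.
CLIENT_REQUEST = {
    "Authorization": "Bearer <token>",   # placeholder, not a real token
    "oidc_claim_role": "admin",          # forged; lower case on purpose
    "OIDC_REMOTE_USER": "root",          # forged; overwritten by the module
}
TOKEN_CLAIMS = {"sub": "alice", "scope": "read"}

if __name__ == "__main__":
    print("before 2.1.6:", headers_seen_by_app(CLIENT_REQUEST, TOKEN_CLAIMS, scrub=False))
    print("2.1.6:", headers_seen_by_app(CLIENT_REQUEST, TOKEN_CLAIMS, scrub=True))
```

Without scrubbing, the forged `oidc_claim_role` survives alongside the genuine OIDC_CLAIM_sub and OIDC_CLAIM_scope headers; with scrubbing, only token-derived claims reach the application.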
Bugfixes
- handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
- fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
- correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci
Other
- improve logging with respect to session management availability; closes #223
- handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java
- a call to the refresh hook now also resets the session inactivity timeout
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on libhiredis-0.12, available e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/