CVE-2017-6062: Release 2.1.5 · OpenIDC/mod_auth_openidc
The “OpenID Connect Relying Party and OAuth 2.0 Resource Server” (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an “OIDCUnAuthAction pass” configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
This is a security release:
Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.
Security
- scrub headers on OIDCUnAuthAction pass; closes #222; thanks @wouterhund
On accessing paths protected with OIDCUnAuthAction pass, no headers were scrubbed when the user was not authenticated, so malicious software or users could set OIDC_CLAIM_ and OIDCAuthNHeader headers themselves, and applications would interpret them as having been set by mod_auth_openidc even though the user had no authenticated session.
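As an added illustration (not mod_auth_openidc's own code), the following Python model of the scrubbing decision described above is run against constructed request headers; the function names, the `fixed` switch and the `X-Forwarded-User` header name are assumptions, and the behaviour modelled is only the pre/post-2.1.5 difference on the `OIDCUnAuthAction pass` path:

```python
# Added example: models the header scrubbing fixed in mod_auth_openidc 2.1.5.
# Not the project's code; 'fixed' selects pre-2.1.5 vs. 2.1.5+ behaviour.
from typing import Dict, Optional

CLAIM_PREFIX = "OIDC_CLAIM_"  # default OIDCClaimPrefix


def scrub_headers(headers: Dict[str, str], authn_header: str,
                  authenticated: bool, unauth_action: str,
                  fixed: bool = True) -> Dict[str, str]:
    """Return the headers the backend application would receive.

    Pre-2.1.5 (fixed=False): with OIDCUnAuthAction pass and no session the
    request is handed on untouched, so client-supplied OIDC_CLAIM_* and
    OIDCAuthNHeader values reach the application.
    2.1.5+ (fixed=True): those headers are scrubbed regardless of session state.
    """
    if not fixed and not authenticated and unauth_action == "pass":
        return dict(headers)  # vulnerable path: nothing scrubbed
    scrubbed = {}
    for name, value in headers.items():
        upper = name.upper()  # HTTP header names are case-insensitive
        if upper.startswith(CLAIM_PREFIX):
            continue
        if upper == authn_header.upper():
            continue
        scrubbed[name] = value
    return scrubbed


def app_user(headers: Dict[str, str], authn_header: str) -> Optional[str]:
    """What an application that trusts OIDCAuthNHeader concludes about the caller."""
    for name, value in headers.items():
        if name.upper() == authn_header.upper():
            return value
    return None


# Constructed request from an unauthenticated client that supplies the
# headers the application expects only mod_auth_openidc to set.
FORGED_REQUEST = {
    "Host": "app.example",
    "X-Forwarded-User": "admin",
    "oidc_claim_email": "admin@example",
}


def identity_seen_by_app(fixed: bool) -> Optional[str]:
    seen = scrub_headers(FORGED_REQUEST, "X-Forwarded-User",
                         authenticated=False, unauth_action="pass", fixed=fixed)
    return app_user(seen, "X-Forwarded-User")


if __name__ == "__main__":
    print("pre-2.1.5:", identity_seen_by_app(False))  # forged identity accepted
    print("2.1.5+:   ", identity_seen_by_app(True))   # None
```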
Bugfixes
- fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros
Packaging Notes
- Accompanying libcjose packages can be found in the 2.1.3 release
- Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs now depend on libhiredis-0.12, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/