- Update to version 2.4.19.3
Bugfixes
* proto: add scope=openid to the authorization request when
passing a Request Object by reference (request_uri) as
defined by spec; see #1385;
* config: fix intermittent core dumps on a large number of
(first) incoming parallel requests after startup in threaded
MPM environments.
* code: fix a memory leak in
oidc_metadata_jwks_retrieve_and_cache when JSON validation
fails.
* http: skip cookies that are only whitespace after the
leading-space strip and avoid leaving a malformed segment in
the forwarded Cookie header.
* metrics: switch _oidc_metrics_thread_exit to a volatile
apr_uint32_t accessed via apr_atomic_read32/set32 and avoid
stranding the post-join cleanup.
* util: guard oidc_util_rand_int with a mod==0 short-circuit -
to avoid division by zero - and rejection-sample before
reducing modulo so v % mod is uniformly distributed.
* userinfo: skip the DPoP-nonce retry path for non-DPoP token
types to avoid dereferencing NULL inside apr_hash_get and
crashing the worker.
* config: validate format specifiers (only %% and exactly one or
two %s) in oidc_util_html_send_in_template so a stray %s in
custom templates (configured with OIDCPreservePostTemplates)
can't crash or corrupt memory.
Security
* code: fix >25 cases of potential string/URL matching attacks,
XSS attacks, buffer overload etc. (forwarded request 1356608 from mnhauke)
OBS-URL: https://build.opensuse.org/request/show/1357247
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=43
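The oidc_util_rand_int fix above has two parts: a mod == 0 guard (v % 0 is a division by zero) and rejection sampling before the modulo reduction, because reducing a 32-bit draw with a plain v % mod gives the low residues one extra draw whenever 2^32 is not a multiple of mod. The following is an added illustration of that technique, not code from mod_auth_openidc: the function names, the callback-based entropy source and the scripted draw sequence are assumptions made here so the sampler can be exercised offline, and the 8-bit residue count is a shrunk-down version of the bias argument, not anything the module computes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Entropy callback: one 32-bit draw from the caller's source. In the module
 * this would be the platform CSPRNG; the callback form is an assumption made
 * here so the sampler can be driven with a constructed sequence. */
typedef uint32_t (*rand32_fn)(void *ctx);

/* Largest multiple of mod that fits in the 2^32 draw space. Draws at or above
 * this limit are rejected; below it every residue class has equally many draws. */
static uint64_t accept_limit(uint32_t mod) {
    uint64_t range = (uint64_t)UINT32_MAX + 1;
    return (range / mod) * mod;
}

/* Uniform integer in [0, mod). Returns 1 on success and 0 when mod == 0,
 * which would otherwise be a division by zero in the reduction. */
int uniform_rand_int(uint32_t mod, rand32_fn next, void *ctx,
                     uint32_t *out, unsigned *draws) {
    if (mod == 0)
        return 0;                      /* short-circuit: never reach v % 0 */
    uint64_t limit = accept_limit(mod);
    unsigned n = 0;
    for (;;) {
        uint32_t v = next(ctx);
        n++;
        if ((uint64_t)v < limit) {     /* rejection-sample before reducing */
            *out = v % mod;
            if (draws) *draws = n;
            return 1;
        }
    }
}

/* Scripted "entropy" for the demonstration: replays a constructed sequence. */
typedef struct { const uint32_t *seq; size_t len; size_t pos; } script_t;

static uint32_t script_next(void *ctx) {
    script_t *s = ctx;
    return s->seq[s->pos++ % s->len];
}

/* Run the sampler over a constructed draw sequence (hypothetical helper). */
int sample_from_script(const uint32_t *seq, size_t len, uint32_t mod,
                       uint32_t *out, unsigned *draws) {
    script_t s = { seq, len, 0 };
    return uniform_rand_int(mod, script_next, &s, out, draws);
}

/* Shrunk-down illustration of the bias: with an 8-bit draw space, count how
 * many of the 256 possible draws land in each residue, with and without
 * rejection. Caller must pass mod > 0. */
void residue_counts_8bit(uint32_t mod, int reject, unsigned counts[]) {
    if (mod == 0)
        return;
    uint64_t limit = (256 / mod) * mod;
    for (uint32_t i = 0; i < mod; i++) counts[i] = 0;
    for (uint32_t v = 0; v < 256; v++) {
        if (reject && v >= limit) continue;
        counts[v % mod]++;
    }
}

int main(void) {
    unsigned c[3];
    residue_counts_8bit(3, 0, c);
    printf("naive    v %% 3 over 256 draws: %u %u %u\n", c[0], c[1], c[2]);
    residue_counts_8bit(3, 1, c);
    printf("rejected v %% 3 over 256 draws: %u %u %u\n", c[0], c[1], c[2]);
    return 0;
}
```

For mod = 3 the 32-bit accept limit is 4294967295, so a draw of 0xFFFFFFFF is thrown away and the next draw is used; in the 8-bit picture the naive reduction gives residue 0 one extra draw (86/85/85) while rejection makes all three equal.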
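The oidc_util_html_send_in_template fix above is the classic "operator-controlled format string" hardening: a custom template that carries a stray %s, a %n or a lone trailing % would reach a printf-style formatter with the wrong number or kind of arguments. The following is an added example of the check, not code from mod_auth_openidc: it counts the %s specifiers, accepts %% as the only other escape, requires the count to match the one or two strings the caller supplies, and then fills the template by plain substitution rather than handing a runtime format to vsnprintf. All function names and the sample templates are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Count the %s conversions in a template. Returns -1 if any other conversion
 * appears (%n, %x, %p, a lone trailing '%', ...); "%%" is the only other
 * escape accepted. */
int count_string_specifiers(const char *tpl) {
    int n = 0;
    for (const char *p = tpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;                       /* look at the conversion character */
        if (*p == '%')
            continue;              /* literal percent */
        if (*p == 's') {
            n++;
            continue;
        }
        return -1;                 /* covers *p == '\0': lone '%' at the end */
    }
    return n;
}

/* A template is valid only if its %s count equals the number of strings the
 * caller will supply, and that number is one or two. */
int template_is_valid(const char *tpl, int nargs) {
    if (nargs < 1 || nargs > 2)
        return 0;
    return count_string_specifiers(tpl) == nargs;
}

/* Render by substituting the arguments in order. The template is validated
 * first, so an operator-supplied template never reaches a formatter with the
 * wrong number or kind of specifiers. Returns the length written, or -1 if the
 * template is rejected or the output would not fit (hypothetical API). */
int render_template(const char *tpl, const char *const args[], int nargs,
                    char *out, size_t outlen) {
    if (outlen == 0 || !template_is_valid(tpl, nargs))
        return -1;
    size_t o = 0;
    int ai = 0;
    for (const char *p = tpl; *p; p++) {
        const char *piece;
        size_t plen;
        char c = *p;
        if (*p == '%') {
            p++;
            if (*p == '%') {
                c = '%';
                piece = &c;
                plen = 1;
            } else {               /* validated above, so this is %s */
                piece = args[ai++];
                plen = strlen(piece);
            }
        } else {
            piece = &c;
            plen = 1;
        }
        if (plen >= outlen - o)    /* keep room for the terminating NUL */
            return -1;
        memcpy(out + o, piece, plen);
        o += plen;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed sample values and templates for the demonstration. */
    const char *args[] = { "/protected/app", "state=xyz" };
    char buf[128];
    const char *ok  = "<form method=\"post\" action=\"%s\"><input name=\"%s\"></form>";
    const char *bad = "<form action=\"%s\">%s %x</form>";
    printf("ok  -> %d: %s\n", render_template(ok, args, 2, buf, sizeof buf), buf);
    printf("bad -> %d\n", render_template(bad, args, 2, buf, sizeof buf));
    return 0;
}
```

The point of counting rather than merely scanning for "bad" conversions is that the caller's argument count is the contract: two %s in a template rendered with one argument is as dangerous as a %n, since the formatter would read a second pointer that was never passed.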