release 2.4.9

@zandbelt zandbelt released this 22 Jul 16:31

Note that the format of encrypted cache contents has changed, so existing server-side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.

Security

  • use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
  • replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
  • avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
  • return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
  • use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
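The backslash item above concerns a known browser behaviour: for http(s) URLs, browsers treat `\` as a path separator, so a value like `/\evil.example/` that a server-side parser sees as a relative path is opened by the browser as the protocol-relative `//evil.example/`. The following Python is an added illustration, not code from mod_auth_openidc; the function names `normalize_redirect_url` and `is_safe_redirect`, the allow-list, and the sample URLs are all constructed for the example. It shows the check with and without the normalization the release describes.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts a redirect may target (example value, not from the page).
ALLOWED_HOSTS = {"app.example"}


def normalize_redirect_url(url: str) -> str:
    """Replace backslashes with forward slashes so the validator parses the URL
    the same way a browser will (browsers treat '\\' as '/' in http(s) URLs)."""
    return url.replace("\\", "/")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS, normalize: bool = True) -> bool:
    """Return True only if `url` is a same-site relative path or an absolute
    http(s) URL whose host is in `allowed_hosts`.

    `normalize=False` reproduces the weaker check that parses the raw string;
    it is kept here only to show why the backslash replacement matters."""
    candidate = normalize_redirect_url(url) if normalize else url
    parsed = urlparse(candidate)

    # Reject non-web schemes outright (javascript:, data:, etc.).
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False

    # Absolute or protocol-relative URL: the host must be explicitly allowed.
    if parsed.netloc:
        return parsed.hostname in allowed_hosts

    # Relative URL: exactly one leading slash, never '//' (protocol-relative).
    return candidate.startswith("/") and not candidate.startswith("//")


if __name__ == "__main__":
    # Constructed sample inputs; the last one differs only in the backslash.
    for sample in ["/account", "https://app.example/cb", "//evil.example/",
                   "https://evil.example/", "javascript:alert(1)", "/\\evil.example/"]:
        print(f"{sample!r:28} normalized={is_safe_redirect(sample)!s:5} "
              f"raw={is_safe_redirect(sample, normalize=False)}")
```

With normalization on, `/\evil.example/` becomes `//evil.example/`, parses with a netloc, and is rejected; with the raw string, `urlparse` sees only a path and the relative-path branch accepts it, which is the gap the release closes.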

Bugfixes

  • verify that alg is not none in logout_token explicitly
  • don't clear POST params authn on token revocation; thanks @iainh
  • fix a problem where the host and port were calculated incorrectly when using a literal IPv6 address

Other

  • make session not found on backchannel logout produce a log warning instead of error
  • handle discovery in the content handler
  • strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size

Dependencies

  • libcjose >= 0.5.1

Commercial

  • binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64-bit/32-bit are available under a commercial agreement via [email protected]
  • support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]