Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2026-06-05 15:03:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Fri Jun 5 15:03:05 2026 rev:43 rq:1357247 version:2.4.19.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes	2026-02-17 17:00:32.808526331 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2375/apache2-mod_auth_openidc.changes	2026-06-05 15:03:22.503940873 +0200
@@ -1,0 +2,48 @@
+Tue Jun 2 06:19:44 UTC 2026 - Martin Hauke <[email protected]>
+
+- Update to version 2.4.19.3
+ Bugfixes
+ * proto: add scope=openid to the authorization request when
+ passing a Request Object by reference (request_uri) as
+ defined by spec; see #1385;
+ * config: fix intermittent core dumps on a large number of
+ (first) incoming parallel requests after startup in threaded
+ MPM environments.
+ * code: fix a memory leak in
+ oidc_metadata_jwks_retrieve_and_cache when JSON validation
+ fails.
+ * http: skip cookies that are only whitespace after the
+ leading-space strip and avoid leaving a malformed segment in
+ the forwarded Cookie header.
+ * metrics: switch _oidc_metrics_thread_exit to a volatile
+ apr_uint32_t accessed via apr_atomic_read32/set32 and avoid
+ strand the post-join cleanup.
+ * util: guard oidc_util_rand_int with a mod==0 short-circuit -
+ to avoid division by zero - and rejection-sample before
+ reducing modulo so v % mod is uniformly distributed.
+ * userinfo: skip the DPoP-nonce retry path for non-DPoP token
+ types to avoid dereference NULL inside apr_hash_get and crash
+ the worker.
+ * config: validate format specifiers (only %% and exactly two/one
+ %s) in oidc_util_html_send_in_template so a stray %s in custom
+ templates configured with OIDCPreservePostTemplates) can't
+ crash or corrupt memory.
+ Security
+ * code: fix >25 cases of potential string/URL matching attacks,
+ XSS attacks, buffer overload etc.
+ * config: fix low-risk - insider admin attack based- security
+ vulnerabilities.
+ * log: do not log refresh tokens at warn/error levels.
+ Other
+ * code: cast curl timeouts in options to long to avoid compiler
+ warnings.
+ * test: re-factor the framework and add more unit tests.
+ * build: conditionally add --coverage to AM_LDFLAGS in
+ Makefile.am
+- Update to version 2.4.19.2
+ Bugfixes
+ * authz: fix claims based authorization in OAuth 2.0 RS mode
+ (AuthType oauth20 and AuthType auth-openidc);
+ regression introduced in 2.4.19
+
+-------------------------------------------------------------------
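Review bot: the Security subsection of the 2.4.19.3 entry ("* code: fix >25 cases of potential string/URL matching attacks, XSS attacks, buffer overload etc." and "* config: fix low-risk - insider admin attack based- security vulnerabilities.") carries no CVE, bsc# or upstream advisory reference, so downstream users cannot tell which issues this update closes or triage it against the 2.4.19.1 currently in Factory; add the identifiers if upstream has assigned any, or at least an upstream issue/release link as was done with "see #1385". The same applies to the 2.4.19.2 entry: the claims-based authorization regression in OAuth 2.0 RS mode was introduced in 2.4.19 and is therefore present in the shipped 2.4.19.1, which is worth stating explicitly since it affects access-control decisions for AuthType oauth20 and auth-openidc. Minor wording in the added text: "avoid strand the post-join cleanup", "avoid dereference NULL inside apr_hash_get", and the unbalanced parenthesis in "OIDCPreservePostTemplates)".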
Old:
----
mod_auth_openidc-2.4.19.1.tar.gz
New:
----
mod_auth_openidc-2.4.19.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.J2xXUn/_old 2026-06-05 15:03:23.175968695 +0200
+++ /var/tmp/diff_new_pack.J2xXUn/_new 2026-06-05 15:03:23.179968861 +0200
@@ -1,8 +1,7 @@
#
# spec file for package apache2-mod_auth_openidc
#
-# Copyright (c) 2026 SUSE LLC
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
# Copyright (c) 2025 Andreas Stieger <[email protected]>
#
# All modifications and additions to the file contributed by third parties
@@ -19,7 +18,7 @@
Name: apache2-mod_auth_openidc
-Version: 2.4.19.1
+Version: 2.4.19.3
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
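Review bot: the Version bump from 2.4.19.1 to 2.4.19.3 matches the new tarball listed under "New:" and the changelog entry, and Release stays at 0 as expected for OBS; because 2.4.19.2 is skipped in the spec, the changelog's second upstream entry is the only record of the authz regression fix, so keep both upstream entries in the changelog when this is rebased.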
++++++ mod_auth_openidc-2.4.19.1.tar.gz -> mod_auth_openidc-2.4.19.3.tar.gz ++++++
++++ 47378 lines of diff (skipped)