Pubcookie 3.3.2b Released

Nathan Dors dors at cac.washington.edu
Mon Nov 6 10:55:16 PST 2006


Pubcookie 3.3.2b has been posted on the pubcookie.org project web site.

This version represents a minor patch release that focuses on security and
parity between the Apache module and ISAPI filter. Changes since the 3.3.2
release (3.3.2a had no release announcement) include:

    * Security fix to the Apache module and ISAPI filter to prevent
      the Abuse of Functionality vulnerability described in the "Empty
      Authentication" security advisory posted concurrently with this release.
      The modules now verify that the login server sends a non-empty userid
      in the granting reply unless the "no prompt" option is enabled. See:
      http://pubcookie.org/news/20061105-empty-auth-secadv.html

    * URI path and query-string handling changes to the Apache module
      and ISAPI filter to address possible truncations during login.

    * Fixed a misplaced variable declaration in the Apache module,
      which caused problems with version 3.3.2 in some compilers.

Note: No changes have been made to the login server since 3.3.2.

More thorough change information is available on the project site:
     http://pubcookie.org/docs/CHANGES.txt

With this patch release, version 3.3.2b becomes the current production
release of Pubcookie, and attention will turn again toward future
enhancements.

Thanks,

Nathan Dors
Pubcookie Project
University of Washington
Phone: 206/543-0624
FAX: 206/221-6966
E-Mail: pubcookie-ext at cac.washington.edu

