WebAuth 3.3.0 Announcement
The ITSS WebAuth team is pleased to announce Stanford WebAuth 3.3.0. This release removes support for S/Ident due to a security flaw in the protocol, adds another option for multi-value attribute handling in LDAP lookups, and improves the LDAP module documentation.
For documentation and downloads of WebAuth 3.3.0, see:
We have not yet updated the versions of the binary packages for Solaris, but will do so soon. There will be a separate announcement when that is done.
The user-visible changes in this release are:
All WebKDC support for S/Ident removed. The S/Ident protocol is inherently vulnerable to an active man-in-the-middle attack that is particularly severe for WebAuth, since S/Ident authentication is done by a single server and WebAuth users regularly visit that server. Exploiting this protocol flaw would allow an attacker to capture a single sign-on cookie and then impersonate the user to all WebAuth sites in that domain.
Added WebAuthLdapSeparator to specify the separator for multivalued attributes. When set in the server configuration, all values of a multivalued attribute are concatenated together, separated by that separator, and put into the base WEBAUTH_LDAP_* environment variable (rather than only the first one).
Cleaned up, expanded, and improved the module documentation for mod_webauthldap.