WebAuth 4.5.3 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 4.5.3. This is a security fix for the WebLogin component of WebAuth that corrects a security vulnerability introduced in WebAuth 4.4.1.
All WebLogin deployments using FastCGI that set $REMUSER_REDIRECT in their configuration should upgrade to this release or apply the patch in the advisory. See the full security advisory for more information. Only WebLogin installations that use both FastCGI and $REMUSER_REDIRECT are affected.
For documentation and downloads of WebAuth 4.5.3, see:
New Debian packages built against Apache 2.4 have been uploaded to Debian experimental.
The user-visible changes in this release are:
SECURITY: Reset all header contents between WebLogin requests, fixing problems introduced in WebAuth 4.4.1 when WebLogin began using a persistent CGI::Application object with FastCGI. WebLogin installations that used FastCGI and the $REMUSER_REDIRECT setting in webkdc.conf could fail with infinite redirect loops or leak security information, such as single sign-on cookies, from one authenticated user to another.
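The following is an added model of the bug class described above, not WebAuth's own code: a long-lived application object, as FastCGI keeps between requests, whose outgoing-header buffer is only appended to and never cleared. Class and function names, the redirect URL, user names and cookie token values are all constructed for illustration. It shows both symptoms from the change description (a user's single sign-on cookie reaching the next request's response, and a $REMUSER_REDIRECT flow that never leaves the redirect) and the effect of resetting the headers at the start of every request.

```python
# Added model (not WebAuth's own code) of a persistent request handler that
# forgets to clear per-request state. Everything below is constructed sample data.

class WebLoginModel:
    """Stand-in for a CGI::Application-style object that a FastCGI worker reuses
    across requests. reset_per_request=True models the WebAuth 4.5.3 behaviour."""

    def __init__(self, reset_per_request):
        self.reset_per_request = reset_per_request
        self.headers = []  # outgoing header buffer: the state that leaks

    def handle(self, request):
        """Process one request and return the response headers it would emit."""
        if self.reset_per_request:
            self.headers = []  # the fix: every request starts with an empty buffer
        if request.get("remote_user"):
            # Apache already authenticated this user (REMOTE_USER): issue an SSO cookie.
            self.headers.append(("Set-Cookie",
                                 "webauth_at=%s; Secure; HttpOnly" % request["sso_token"]))
            self.headers.append(("Status", "200 OK"))
        elif request.get("remuser_redirect"):
            # $REMUSER_REDIRECT: send the unauthenticated user to a URL protected
            # by Apache authentication (constructed hostname).
            self.headers.append(("Location", "https://weblogin.example/login-remuser"))
            self.headers.append(("Status", "302 Found"))
        else:
            self.headers.append(("Status", "200 OK"))
        return list(self.headers)


def cookies_in(headers):
    """All Set-Cookie values in a header list."""
    return [value for (name, value) in headers if name == "Set-Cookie"]


def has_redirect(headers):
    """True if the response would redirect the client."""
    return any(name == "Location" for (name, _) in headers)


def cookie_leak_check(reset_per_request):
    """Alice completes a REMOTE_USER login, then Bob hits the same worker
    unauthenticated. Returns the Set-Cookie values Bob's response carries."""
    app = WebLoginModel(reset_per_request)
    app.handle({"remote_user": "alice", "sso_token": "TOKEN-ALICE"})
    bob_headers = app.handle({})
    return cookies_in(bob_headers)


def redirect_hops(reset_per_request, max_hops=5):
    """Follow the $REMUSER_REDIRECT flow against one persistent worker.
    Returns the number of redirects before a final response, or None if the
    client is still being redirected after max_hops (the infinite loop)."""
    app = WebLoginModel(reset_per_request)
    request = {"remuser_redirect": True}
    for hop in range(max_hops):
        headers = app.handle(request)
        if not has_redirect(headers):
            return hop
        # Apache authenticated the user at the redirect target; the next
        # request arrives with REMOTE_USER set.
        request = {"remote_user": "carol", "sso_token": "TOKEN-CAROL"}
    return None


if __name__ == "__main__":
    for reset in (False, True):
        label = "reset per request" if reset else "no reset (4.4.1 to 4.5.2 behaviour)"
        print("%s: Bob receives %r, redirect hops %r"
              % (label, cookie_leak_check(reset), redirect_hops(reset)))
```

Without the reset, the stale Location header makes every later request on that worker a redirect, and Alice's Set-Cookie is replayed into Bob's response; with the reset, the flow finishes after one redirect and Bob receives no cookie. The same check generalises to any per-request state kept on a long-lived object (templates, error messages, authentication results), which is why the fix resets the whole header set rather than one field.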