
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

WebAuth 4.5.3 Announcement

The ITS WebAuth team is pleased to announce Stanford WebAuth 4.5.3. This release fixes a security vulnerability in the WebLogin component of WebAuth that was introduced in WebAuth 4.4.1.

All WebLogin deployments using FastCGI that set $REMUSER_REDIRECT in their configuration should upgrade to this release or apply the patch in the advisory. See the full security advisory for more information. Only WebLogin installations that use both FastCGI and $REMUSER_REDIRECT are affected.

For documentation and downloads of WebAuth 4.5.3, see:

<http://webauth.stanford.edu/>

New Debian packages built against Apache 2.4 have been uploaded to Debian experimental.

The user-visible changes in this release are:

  • SECURITY: Reset all header contents between WebLogin requests, fixing problems introduced in WebAuth 4.4.1 when WebLogin began using a persistent CGI::Application object with FastCGI. WebLogin installations that used FastCGI and the $REMUSER_REDIRECT setting in webkdc.conf could fail with infinite redirect loops or leak security information, such as single sign-on cookies, from one authenticated user to another.
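The failure mode in the item above, header state surviving on a persistent application object from one request to the next, is shown here as an added example that is not WebLogin code. It is a simplified Python model (WebLogin itself is Perl), and the class, cookie names and redirect URL are hypothetical.

```python
# Simplified model of a persistent request handler; all names are hypothetical
# and the requests are constructed sample input.

class LoginApp:
    """Stands in for one long-lived application object in a FastCGI worker."""

    def __init__(self, reset_between_requests):
        self.reset_between_requests = reset_between_requests
        self.header_type = "header"   # "header" = normal page, "redirect" = 302
        self.headers = {}             # accumulated response headers
        self.cookies = []             # accumulated Set-Cookie values

    def _reset_headers(self):
        # The fix named in the release notes: clear all header contents.
        self.header_type = "header"
        self.headers = {}
        self.cookies = []

    def handle(self, user, wants_redirect):
        if self.reset_between_requests:
            self._reset_headers()
        # The handler only *adds* header state, as if the object were fresh.
        self.cookies.append(f"sso_{user}=token-for-{user}")
        if wants_redirect:
            self.header_type = "redirect"
            self.headers["Location"] = "/hypothetical-remuser-url"
        return {"type": self.header_type,
                "headers": dict(self.headers),
                "cookies": list(self.cookies)}


def foreign_cookies(response, user):
    """Cookies in a response that belong to someone other than `user`."""
    return [c for c in response["cookies"] if not c.startswith(f"sso_{user}=")]


def run(reset_between_requests):
    """Serve two requests from different users on the same worker object."""
    app = LoginApp(reset_between_requests)
    app.handle("alice", wants_redirect=True)        # first user is redirected
    return app.handle("bob", wants_redirect=False)  # second user wants a page


if __name__ == "__main__":
    for fixed in (False, True):
        resp = run(fixed)
        print("fixed" if fixed else "unfixed", resp["type"], foreign_cookies(resp, "bob"))
```

Without the reset, the second user's response is still a redirect and carries the first user's cookie; with the reset, it is a normal page containing only that user's own cookie.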

Last modified Wednesday, 15-May-2013 04:41:03 PM
