libapache2-mod-auth-openidc (2.4.12.3-2+deb12u3) bookworm-security; urgency=high

  * Fix CVE-2025-31492
    "protected content leakage when using OIDCProviderAuthRequestMethod POST"
    Backported applicable portions from upstream fix in
    https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
    (Closes: #1102413)

 -- Moritz Schlarb <moschlar@debian.org>  Wed, 16 Apr 2025 10:56:55 +0200

libapache2-mod-auth-openidc (2.4.12.3-2+deb12u2) bookworm; urgency=medium

  * Add patch for "oidc_check_x_forwarded_hdr check segfaults"
    (Closes: #1076429)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 23 Jul 2024 10:47:49 +0200

libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium

  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
    cookie value made the server vulnerable to a Denial of Service (DoS)
    attack. If an attacker manipulated the value of the OpenIDC cookie to a
    very large integer like 99999999, the server struggled with the request for
    a long time and finally returned a 500 error. Making a few requests of this
    kind caused servers to become unresponsive, and so attackers could thereby
    craft requests that would make the server work very hard and/or crash with
    minimal effort. (Closes: #1064183)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 18 Apr 2024 14:20:00 +0200

libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high

  * Add patch to fix CVE-2023-28625 (Closes: #1033916)
    segfault DoS when OIDCStripCookies is set
    https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 02 May 2023 11:48:09 +0200

libapache2-mod-auth-openidc (2.4.12.3-1) unstable; urgency=medium

  * New upstream version 2.4.12.3
  * Bump Standards-Version

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 16 Feb 2023 14:20:20 +0100

libapache2-mod-auth-openidc (2.4.12.2-1) unstable; urgency=medium

  * New upstream version 2.4.12.2
    Fixes CVE-2022-23527
  * Set Architecture: any (Closes: #1024978)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 14 Dec 2022 14:58:17 +0100

libapache2-mod-auth-openidc (2.4.12.1-1) unstable; urgency=medium

  * New upstream version 2.4.12.1

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 24 Nov 2022 14:40:51 +0100

libapache2-mod-auth-openidc (2.4.12-1) unstable; urgency=medium

  * New upstream version 2.4.12

    Release 2.4.12 was (re-)certified for all OpenID Connect Relying Party
    conformance profiles using the OpenID Foundation's certification suite:
    https://openid.net/certification/#RPs.

    * Features

     * allow storing the id_token in a client-cookie based session so that it
       can be used as id_token_hint value in a logout request later;
     * allow setting connection pool parameters for Memcache server connections
     * add option to set a username for Redis >= 6.x ACL authentication via
       OIDCRedisCacheUsername
     * register request_object_signing_alg in dynamic client registration when
       using request_uri

    * Bugfixes

     * increase size of the output buffer when using libpcre2 for substitution
     * support OIDCSessionInactivityTimeout values greater than 30 days when
       using Memcache
     * allow for step-up discovery with an external URL using HTML refresh;
       fixes behaviour on CentOS 7/8 when combined with ProxyPass
     * apply exact length matching for at_hash and c_hash validation
     * store access token obtained from backchannel in session over the one
       returned in the frontchannel for code token and code id_token token flows
     * check ID token signed response algorithm on backchannel logout_token and
       retrieve its configuration value from the client metadata file

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 18 Oct 2022 09:50:00 +0200

libapache2-mod-auth-openidc (2.4.11.3-1) unstable; urgency=medium

  * New upstream version 2.4.11.3
  * Use libpcre2 instead of libpcre3 (Closes: #1000069)
  * Update debian/salsa-ci.yml file
  * Update lintian-overrides syntax
  * Update Standards-Version

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 05 Oct 2022 12:48:55 +0200

libapache2-mod-auth-openidc (2.4.11.2-1) unstable; urgency=medium

  * New upstream version 2.4.11.2

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 08 Jun 2022 12:45:43 +0200

libapache2-mod-auth-openidc (2.4.11.1-1) unstable; urgency=medium

  * New upstream version 2.4.11.1

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 31 Mar 2022 12:06:07 +0200

libapache2-mod-auth-openidc (2.4.11-1) unstable; urgency=medium

  * Set upstream metadata fields: Security-Contact.
  * New upstream version 2.4.11

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 23 Feb 2022 09:52:29 +0100

libapache2-mod-auth-openidc (2.4.10-1) unstable; urgency=medium

  * Drop patches (included upstream)
  * Update module path to built library

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 16 Nov 2021 10:13:53 +0100

libapache2-mod-auth-openidc (2.4.9.4-1) unstable; urgency=medium

  * New upstream version 2.4.9.4
  * Fix "CVE-2021-39191" (Closes: #993648)
  * 2.4.9.2 fixed a regression regarding segfault at reload/restart
    (Closes: #883616, #891224, #868949)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 07 Sep 2021 09:37:15 +0200

libapache2-mod-auth-openidc (2.4.9-1) unstable; urgency=medium

  * New upstream version 2.4.9
  * Fix for CVE-2021-32792 (closes: #991580)
  * Fix for CVE-2021-32791 (closes: #991581)
  * Fix for CVE-2021-32786 (closes: #991582)
  * Fix for CVE-2021-32785 (closes: #991583)

 -- Christoph Martin <martin@uni-mainz.de>  Mon, 02 Aug 2021 11:45:39 +0200

libapache2-mod-auth-openidc (2.4.4.1-2) unstable; urgency=medium

  * fix CVE-2021-20718 using commit
    5ef1b0a74208fcb43a16795d0afc94c3d54cd120 from version 2.4.8 (closes:
    #989055)

 -- Christoph Martin <martin@uni-mainz.de>  Mon, 07 Jun 2021 20:54:00 +0200

libapache2-mod-auth-openidc (2.4.4.1-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
    Repository-Browse.

  [ Moritz Schlarb ]
  * Move upstream URLs to new name
  * New upstream version 2.4.4.1
  * Bump dh-compat
  * Fix d/copyright
  * Remove removed lintian override
    apache2-module-depends-on-real-apache2-package

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 12 Nov 2020 09:25:40 +0100

libapache2-mod-auth-openidc (2.4.3-1) unstable; urgency=medium

  * New upstream version 2.4.3

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 18 Jun 2020 12:54:41 +0200

libapache2-mod-auth-openidc (2.4.1-1) unstable; urgency=medium

  * New upstream version 2.4.1
  * Bump Standards-Version and use declarative debhelper

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 13 Feb 2020 12:07:30 +0100

libapache2-mod-auth-openidc (2.4.0.4-1) unstable; urgency=medium

  * New upstream version 2.4.0.4
  * Update Standards-Version

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 12 Nov 2019 10:45:51 +0100

libapache2-mod-auth-openidc (2.4.0.3-1) unstable; urgency=high

  * Update watch file to use Github tag archives
  * New upstream version 2.4.0.3
    (Closes: #942165)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 16 Oct 2019 10:13:44 +0200

libapache2-mod-auth-openidc (2.4.0-1) unstable; urgency=medium

  * New upstream version 2.4.0
  * Refresh patch

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Mon, 16 Sep 2019 14:50:28 +0200

libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium

  * New upstream version 2.3.10.2

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 29 Jan 2019 21:40:30 +0100

libapache2-mod-auth-openidc (2.3.10-1) unstable; urgency=medium

  [ Frédéric Bonnard ]
  * Fix parallel build (Closes: #913631)

  [ Moritz Schlarb ]
  * Update Maintainer and Standards-Version fields
  * New upstream version 2.3.10

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 02 Jan 2019 14:58:25 +0100

libapache2-mod-auth-openidc (2.3.8-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces

  [ Moritz Schlarb ]
  * Update Standards-Version
  * New upstream version 2.3.8

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Fri, 09 Nov 2018 09:43:22 +0100

libapache2-mod-auth-openidc (2.3.7-1) unstable; urgency=medium

  * New upstream version 2.3.7
  * Move Vcs-* to Salsa

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Mon, 06 Aug 2018 16:05:03 +0200

libapache2-mod-auth-openidc (2.3.3-1) unstable; urgency=medium

  * New upstream version 2.3.3
  * Update debian/control

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 20 Feb 2018 12:27:15 +0100

libapache2-mod-auth-openidc (2.3.2-1) unstable; urgency=medium

  * New upstream version 2.3.2
  * link against openssl 1.1 (closes: #858993)

 -- Christoph Martin <martin@uni-mainz.de>  Tue, 14 Nov 2017 12:14:22 +0100

libapache2-mod-auth-openidc (2.3.1-2) unstable; urgency=medium

  * Fix maintainer script generation to enable/disable the module on
    installation and removal. This is safe to do because the example
    configuration does not do anything.
    This also closes: #868949 since it actually restarts Apache2 after
    enabling the module.

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 08 Aug 2017 09:31:43 +0200

libapache2-mod-auth-openidc (2.3.1-1) unstable; urgency=medium

  * New upstream version 2.3.1

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Mon, 31 Jul 2017 11:03:02 +0200

libapache2-mod-auth-openidc (2.1.6-1) unstable; urgency=high

  * New upstream version 2.1.6
    "This is a security release:
    Those using AuthType oauth20 together with applications that interpret
    headers set by mod_auth_openidc on paths that disclose sensitive
    information are affected and should upgrade."

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 23 Feb 2017 13:33:55 +0100

libapache2-mod-auth-openidc (2.1.5-1) unstable; urgency=high

  * Imported Upstream version 2.1.5
    fixes two security issues:
    https://github.com/pingidentity/mod_auth_openidc/issues/212
    https://github.com/pingidentity/mod_auth_openidc/issues/222

 -- Christoph Martin <martin@uni-mainz.de>  Mon, 06 Feb 2017 10:56:03 +0100

libapache2-mod-auth-openidc (2.1.3-1) unstable; urgency=medium

  * Fix watch file
  * New upstream version 2.1.3
  * Fix lintian warning:
    apache2-module-depends-on-real-apache2-package

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Fri, 13 Jan 2017 15:52:26 +0100

libapache2-mod-auth-openidc (2.1.2-2) unstable; urgency=medium

  * new upload excluding archs which don't build

 -- Christoph Martin <martin@uni-mainz.de>  Mon, 09 Jan 2017 11:59:21 +0100

libapache2-mod-auth-openidc (2.1.2-1) unstable; urgency=medium

  * add Vcs Tags to control
  * Imported Upstream version 2.1.2

 -- Christoph Martin <martin@uni-mainz.de>  Fri, 09 Dec 2016 09:57:49 +0100

libapache2-mod-auth-openidc (1.8.10.1-1.2) unstable; urgency=medium

  * NMU: change depends to libssl1.0 to make it build again with apache
    (closes: #844803)

 -- Christoph Martin <martin@uni-mainz.de>  Tue, 22 Nov 2016 09:46:30 +0100

libapache2-mod-auth-openidc (1.8.10.1-1.1) unstable; urgency=medium

  * NMU: fix watch file
  * fix openssl 1.1 FTBFS (closes: #828380)
    patch from https://github.com/pingidentity/mod_auth_openidc/commit/82ee7cf68811662e93f9aea9b9a10beb095ee3df

 -- Christoph Martin <martin@uni-mainz.de>  Thu, 10 Nov 2016 13:33:27 +0100

libapache2-mod-auth-openidc (1.8.10.1-1) unstable; urgency=medium

  * fix Elliptic Curve signature verification

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 11 Jul 2016 15:12:50 +0200

libapache2-mod-auth-openidc (1.8.10-1) unstable; urgency=medium

  * build with OpenSSL 1.1.0

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 27 Jun 2016 08:49:31 +0200

libapache2-mod-auth-openidc (1.8.9-1) unstable; urgency=medium

  * improve X-Forwarded-Host handling over Host

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 07 Jun 2016 17:01:45 +0200

libapache2-mod-auth-openidc (1.8.8-1) unstable; urgency=medium

  * pass bearer token in alternative ways

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 10 Mar 2016 12:22:38 +0100

libapache2-mod-auth-openidc (1.8.7-1) unstable; urgency=medium

  * tighten up protocol checks

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 08 Jan 2016 21:50:25 +0100

libapache2-mod-auth-openidc (1.8.6-1) unstable; urgency=medium

  * add cookie-domain check

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 26 Oct 2015 08:43:15 +0100

libapache2-mod-auth-openidc (1.8.5-1) unstable; urgency=medium

  * HTTP-based logout

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 21 Sep 2015 08:59:17 +0200

libapache2-mod-auth-openidc (1.8.4-1) unstable; urgency=medium

  * allow for compilation on MS Windows

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 03 Jul 2015 19:39:11 +0200

libapache2-mod-auth-openidc (1.8.3-1) unstable; urgency=medium

  * remove accounts.google.com exceptions

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 19 Jun 2015 19:15:02 +0200

libapache2-mod-auth-openidc (1.8.2-1) unstable; urgency=medium

  * Elliptic Curve fixes

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 18 May 2015 09:40:08 +0200

libapache2-mod-auth-openidc (1.8.1-1) unstable; urgency=medium

  * avoid timing attacks; build with OpenSSL < 1.0

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 05 May 2015 11:40:13 +0200

libapache2-mod-auth-openidc (1.8.0-1) unstable; urgency=medium

  * enable local JWT validation

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 26 Feb 2015 16:21:02 +0100

libapache2-mod-auth-openidc (1.7.3-1) unstable; urgency=medium

  * fix symmetric key decryption of JWTs

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 05 Feb 2015 18:28:15 +0100

libapache2-mod-auth-openidc (1.7.2-1) unstable; urgency=medium

  * add support for OIDCOAuthIntrospectionTokenParamName

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Wed, 21 Jan 2015 08:57:59 +0100

libapache2-mod-auth-openidc (1.7.1-1) unstable; urgency=medium

  * Redis reconnect, OIDCCacheShmEntrySizeMax, OIDCReturn401, OIDCPassCookies

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 12 Dec 2014 13:19:43 +0100

libapache2-mod-auth-openidc (1.7.0-1) unstable; urgency=medium

  * Redis caching, refresh flow, token introspection

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Wed, 05 Nov 2014 12:09:52 +0100

libapache2-mod-auth-openidc (1.6.0-1) unstable; urgency=medium

  * new upstream release; add libssl-dev dependency

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 13 Oct 2014 12:23:35 +0200

libapache2-mod-auth-openidc (1.5.5-1) unstable; urgency=medium

  * use HttpOnly on cookies; set OIDCCookiePath to /

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 26 Aug 2014 09:23:43 +0200

libapache2-mod-auth-openidc (1.5.4-3) unstable; urgency=medium

  * changelog line was too long; correct/simplify watch file

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 14 Aug 2014 15:51:02 +0200

libapache2-mod-auth-openidc (1.5.4-2) unstable; urgency=medium

  * correct debian directory for wheezy/jessie; watch file check .orig.tar.gz

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 14 Aug 2014 15:03:52 +0200

libapache2-mod-auth-openidc (1.5.4-1) unstable; urgency=medium

  * fix big endian issue

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 14 Aug 2014 12:59:11 +0200

libapache2-mod-auth-openidc (1.5.3-2) unstable; urgency=medium

  * build/test on big endian arch

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Sun, 3 Aug 2014 22:27:07 +0200

libapache2-mod-auth-openidc (1.5.3-1) unstable; urgency=medium

  * fix initialization leak

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 1 Aug 2014 12:37:53 +0200

libapache2-mod-auth-openidc (1.5.2-1) unstable; urgency=medium

  * fix OAuth 2.0 authorization and pass JSON claims in HTTP headers

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 1 Jul 2014 15:22:38 +0200

libapache2-mod-auth-openidc (1.5.1-1) unstable; urgency=medium

  * add pkg-config to Build-Depends

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 12 Jun 2014 14:33:10 +0200

libapache2-mod-auth-openidc (1.5-6) unstable; urgency=medium

  * drop lintian-overrides

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 10 Jun 2014 13:36:02 +0200

libapache2-mod-auth-openidc (1.5-5) unstable; urgency=medium

  * support both Apache 2.2 and 2.4 config layouts

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 06 Jun 2014 19:05:59 +0200

libapache2-mod-auth-openidc (1.5-4) unstable; urgency=medium

  * include .postinst script for setting permissions

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 06 Jun 2014 18:07:12 +0200

libapache2-mod-auth-openidc (1.5-3) unstable; urgency=medium

  * more Debian packaging fixes

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 06 Jun 2014 13:46:56 +0200

libapache2-mod-auth-openidc (1.5-2) unstable; urgency=medium

  * include original source

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 05 Jun 2014 21:05:12 +0200

libapache2-mod-auth-openidc (1.5-1) unstable; urgency=medium

  * use Debian non-native packaging

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 05 Jun 2014 20:32:44 +0200

libapache2-mod-auth-openidc (1.5) unstable; urgency=medium

  * switch to JSON parser jansson

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 05 Jun 2014 11:11:25 +0200

libapache2-mod-auth-openidc (1.4) unstable; urgency=medium

  * OpenSSL fixes

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Mon, 02 Jun 2014 13:43:50 +0200

libapache2-mod-auth-openidc (1.3) unstable; urgency=medium

  * fix running on non-standard port

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 20 May 2014 10:51:29 +0200

libapache2-mod-auth-openidc (1.2) unstable; urgency=medium

  * session timeout handling, use shared memory as cache by default

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Tue, 22 Apr 2014 13:54:07 +0200

libapache2-mod-auth-openidc (1.1) unstable; urgency=low

  * add issuer to REMOTE_USER; included INSTALL

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 03 Apr 2014 19:28:31 +0200

libapache2-mod-auth-openidc (1.0.1) unstable; urgency=low

  * fix Require keyword issue for Apache 2.4

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Fri, 28 Mar 2014 22:33:07 +0100

libapache2-mod-auth-openidc (1.0) unstable; urgency=low

  * Initial release under new name and flag.

 -- Hans Zandbelt <hzandbelt@pingidentity.com>  Thu, 27 Mar 2014 20:47:00 +0100
