Security release 0.8.1.

2014-11-03 11:49:19 +01:00 · 2014-11-03 11:49:19 +01:00 · 36e9738fde
parent 013faf8d08
commit 36e9738fde
2 changed files with 17 additions and 1 deletions
--- a/16
+++ b/16
@ -1,3 +1,19 @@
+Version 0.8.1
+---------------------------------------------------------------------------
+
+This is a security release with fixes backported from version 0.9.1.
+
+It turned out that session overflow bugs fixes in version 0.9.0 and
+0.9.1 can lead to information disclosure, where data from one session
+is leaked to another session. Depending on how this data is used by the
+web application, this may lead to data from one session being disclosed
+to an user in a different session. (CVE-2014-8566)
+
+In addition to the information disclosure, this release contains some
+fixes for logout processing, where logout requests would crash the
+Apache web server. (CVE-2014-8567)
+
+
 Version 0.8.0
 ---------------------------------------------------------------------------

--- a/configure.ac
+++ b/configure.ac
@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.8.0],[olav.morken@uninett.no])
+AC_INIT([mod_auth_mellon],[0.8.1],[olav.morken@uninett.no])

 # We require support for C99.
 AC_PROG_CC_C99