ANNOUNCE: WebAuth 4.1.1 released

Russ Allbery eagle at
Wed Apr 25 15:12:10 PDT 2012

The ITS WebAuth team is pleased to announce Stanford WebAuth 4.1.1.  This
is a bug-fix release that only affects the WebKDC and WebLogin servers.
There are no changes to the WebAuth module for application servers.

For documentation and downloads of WebAuth 4.1.1, see:


New Debian packages have been uploaded to Debian unstable.

The user-visible changes in this release are:

    Fix a bug in webauth_user_info that misparsed timestamp attributes
    from the user information query results, causing timestamps to be
    ignored and always set to 0 in user login history information and
    causing the function to fail if any unknown attributes were returned.

    Fix the sample confirm template to use the correct attribute for login
    history timestamps and to suppress the timestamp section if that
    history entry had no associated timestamp.

    Fix the sample confirm template to properly suppress the history and
    token rights sections when there are no entries in the corresponding
    arrays.  Thanks, Sam Morris.

    Add explicit HTML filters to all interpolated variables in the
    sample WebLogin templates.  Previous versions of the sample templates
    (since the conversion to Template Toolkit in 4.0) did not uniformly
    apply the HTML filter, which could cause rendering problems or even
    cross-site scripting vulnerabilities in some corner cases.  For most
    attributes missing this filter there was no chance of HTML special
    characters, but now the filter is applied uniformly for consistency.
    Sites with custom templates should check their templates for any
    instance of a variable interpolation ([% variable %]) and ensure that
    the HTML filter is applied ([% variable FILTER html %] instead).

    Update the generated HTML version of the mod_webkdc manual to include
    the new directives introduced in WebAuth 4.1.0.

    Update to rra-c-util 4.3:

    * Update the set of flags enabled by make warnings.

    Update to C TAP Harness 1.11:

    * Only use feature-test macros when requested or built with gcc -ansi.
    * New tests/tap/macros.h header with some common definitions.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell library.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
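
The template check recommended in the announcement can be partly automated. The following is an added example, not code from WebAuth or from the announcement: a small scanner that reports Template Toolkit interpolations lacking the HTML filter, treating [% variable | html %] and an enclosing [% FILTER html %] block as filtered. It assumes default [% %] tags and upper-case keywords; the sample template and its variable names are constructed.

```python
import re

# Template Toolkit directive [% ... %], with optional chomp flags (-, +, =, ~).
DIRECTIVE = re.compile(r"\[%[-+=~]?(.*?)[-+=~]?%\]", re.S)
# Keywords that open a block closed by END.
OPENERS = {"IF", "UNLESS", "FOREACH", "FOR", "WHILE", "SWITCH", "FILTER",
           "BLOCK", "WRAPPER", "TRY", "PERL", "RAWPERL"}
# Other keywords starting a directive that is not a plain interpolation.
OTHER = {"ELSE", "ELSIF", "CASE", "CATCH", "FINAL", "SET", "DEFAULT", "CALL",
         "INSERT", "INCLUDE", "PROCESS", "USE", "MACRO", "THROW", "NEXT",
         "LAST", "RETURN", "STOP", "CLEAR", "META", "TAGS", "DEBUG"}
HTML_FILTER = re.compile(r"(?:\bFILTER|\|)\s*html\b")   # FILTER html or | html
ASSIGNMENT = re.compile(r"^[\w.$]+\s*=(?!=)")          # implicit SET, no output

# Constructed sample template; variable names are hypothetical.
SAMPLE = """\
<p>Logged in as [% username FILTER html %]</p>
<p>Return to [% return_url %]</p>
[% IF history %]
  [% FOREACH login IN history %]
    <td>[% login.hostname | html %]</td>
    <td>[%- login.ip -%]</td>
  [% END %]
[% END %]
[% FILTER html %][% err_msg %][% END %]
"""

def unfiltered(template):
    """Return (line, statement) for each interpolation lacking the html filter."""
    findings, stack = [], []   # stack entry is True for a FILTER html block
    for m in DIRECTIVE.finditer(template):
        if m.group(1).startswith("#"):          # [%# ... %] comments out the tag
            continue
        line = template.count("\n", 0, m.start()) + 1
        for stmt in (s.strip() for s in m.group(1).split(";")):
            if not stmt or stmt.startswith("#"):
                continue
            word = stmt.split()[0]
            if word in OPENERS:
                stack.append(word == "FILTER" and bool(HTML_FILTER.search(stmt)))
            elif word == "END":
                if stack:
                    stack.pop()
            elif word in OTHER or ASSIGNMENT.match(stmt):
                continue
            elif not (HTML_FILTER.search(stmt) or any(stack)):
                findings.append((line, stmt))
    return findings
```

Run unfiltered() over each custom template file and review every reported line; for SAMPLE it reports return_url on line 2 and login.ip on line 6.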
