WebAuth 4.3.3 released

Russ Allbery eagle at windlord.stanford.edu
Mon Nov 5 13:40:00 PST 2012


The ITS WebAuth team is chagrined to announce Stanford WebAuth 4.3.3.
This is a bug-fix release for the WebKDC and WebLogin services, correcting
two memory management errors.  One of those errors may theoretically be
exploitable, so all users of mod_webkdc or the WebLogin service (or the
underlying WebAuth Perl module) from WebAuth 4.2.0 or later should upgrade
to this release.

For documentation and downloads of WebAuth 4.3.3, see:

    <http://webauth.stanford.edu/> 

New Debian packages built against Apache 2.4 have been uploaded to Debian
experimental.

The user-visible changes in this release are:

* Fix a memory initialization issue in the WebKDC that could cause
  incorrect handling of random multifactor verification, including
  requiring random multifactor when the WebAuth Application Server didn't
  request it.

* Fix a memory allocation error in the WebAuth Perl module that could
  cause memory corruption in the WebLogin server.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University


More information about the webauth-announce mailing list