Release notes for Pubcookie 3.3.0a:
Subject: Pubcookie 3.3.0a Released
The Pubcookie team is pleased to announce the release of Pubcookie 3.3.0a.
This is an important security patch release and the first official release
of Pubcookie 3.3. Significant changes made since 3.2.1a include:
* Security fixes for XSS vulnerabilities disclosed March 23, 2006.
* Fixed encryption problem in 3.3.0 Kerberos ticket passing.
* Fixed virtual host problem in 3.3.0 Apache module.
* Modified Apache module and filter to use some HTTP 302 redirects.
* Removed pre-session cookie from POST-based login method.
* Added AES encryption support. See compatibility note below.
* Added lowercase_username and uppercase_username login cgi policies.
* Better handling of stray, malicious, and other spurious cookies.
* Plus other minor improvements and bug fixes.
For a thorough list of changes included in this release, see:
http://pubcookie.org/docs/CHANGES.txt
Compatibility issues & other known problems:
* By default, the 3.3.0a module and filter assume that all messages,
including those sent by the login server, are encrypted using AES
encryption. You must therefore configure them to use the DES
encryption mode in order to interoperate with previous versions of the
login server (3.2, 3.1), which use only DES encryption.
* Apache module bug in AES encryption mode: it causes session cookies
to be unreadable when PubcookieInactiveExpire is on. Solutions: apply
fix posted to pubcookie-users list or configure DES encryption mode.
Sites are encouraged to upgrade to version 3.3.0a. It is the current
production release of Pubcookie.
We thank the many developers and members of the Pubcookie community who
contributed time and effort to this release.
Nathan Dors
Pubcookie Project
University of Washington
Phone: 206/543-0624
FAX: 206/221-6966
E-Mail: pubcookie-ext@cac.washington.edu