Release notes for Pubcookie 3.3.4:
Subject: Pubcookie 3.3.4 Released
Pubcookie 3.3.4 has been posted on the pubcookie.org project web site.
This release fixes a security vulnerability in the ISAPI filter, and
includes several other minor changes and bug fixes:
* Fixed stack buffer overflow vulnerability in the ISAPI filter,
  as disclosed February 1, 2010. See pubcookie.org for details.
* Added support for 4096-bit private keys to login cgi.
* Modified login cgi to add user's IP address to its log file.
* Fixed bug in cgic library affecting Session Reauth requests.
* Fixed bug in mod_pubcookie handling of angle brackets in POST data.
* Fixed bug in keyserver when using login_servers config option.
* Fixed bug in filter that truncated query strings on redirections
  when enforcing https.
* Fixed login cgi segfaults reported on RHEL5 (64-bit).
  [included in version 3.3.4a; a Unix-only patch release]
For a complete list of changes included in this release, see:
Compatibility note: sites that parse the login cgi's log file data should
be aware that the user's IP address has been added to redirect lines.
This release represents several contributions from the community, most
notably by Chris Ries (Carnegie Mellon University), who identified,
analyzed, and reported the security vulnerability in the ISAPI filter.
Additional contributions were made by Bradley Schwoerer and Jon Miner
(University of Wisconsin-Madison); Trevor Bortins and Jon Hauser
(University of Washington); Pascal Lalonde; and Todd Ross.
University of Washington