STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Stanford WebAuth News

2014-07-23

WebAuth 4.6.1 has been released. This is primarily a bug-fix release, with one Stanford-specific fix for mod_webauth, a build system fix, and various minor bug fixes for the WebLogin and WebKDC components. It also adds FAST support for the WebKDC.

See the release announcement for more information.

2014-03-18

WebAuth 4.6.0 has been released. This is a bug-fix and new feature release for mod_webauth and the WebLogin and WebKDC components. The primary new features are support for path-scoped cookies, and a remctl-based password change protocol. The primary bug fixes are WebAuthOptional support for Apache 2.4, better keyring handling with the ITK MPM, and locking and preserving of permissions of keyrings across writes.

Be aware that, when upgrading to this release, you will need to change the ownership of the mod_webauth keyring to match the User and Group settings in your Apache configuration.

See the release announcement for more information.

2013-08-29

WebAuth 4.5.5 has been released. This is a bug-fix release for the WebLogin and WebKDC components.

See the release announcement for more information.

2013-08-16

WebAuth 4.5.4 has been released. This is a bug-fix release for the WebLogin and WebKDC components.

See the release announcement for more information.

2013-05-15

WebAuth 4.4.1 through 4.5.2 have a security vulnerability in the WebLogin server that can disclose single sign-on cookies for one user to another user. This flaw only affects WebLogin configured to run under FastCGI with the $REMUSER_REDIRECT option set (not the default). WebLogin servers from WebAuth 4.4.1 through 4.5.2 with that configuration should be upgraded to WebAuth 4.5.3 or patched with the patch in the security advisory. See the security advisory for more information.

2013-05-15

WebAuth 4.5.3 has been released, fixing a security vulnerability in the WebLogin server when run using FastCGI and using the $REMUSER_REDIRECT option. The vulnerability was introduced in WebAuth 4.4.1. All WebLogin servers from WebAuth 4.4.1 or later with that configuration should be upgraded or patched.

See the release announcement for more information.

2013-05-14

WebAuth 4.5.2 has been released. This is a bug-fix release for the WebLogin component.

See the release announcement for more information.

2013-05-01

WebAuth 4.5.1 has been released. This is a bug-fix release for the WebLogin component. WebLogin servers should be upgraded to 4.5.1 in preference to 4.5.0, which contained serious bugs in single sign-on functionality.

See the release announcement for more information.

2013-04-26

WebAuth 4.5.0 has been released. This is a major feature release with many improvements for multifactor handling and for interactions with the local user information service, as well as other enhancements to every component of WebAuth. Be aware when upgrading that there is a backward-incompatible change in WebLogin that will require either a template change or a configuration change.

See the release announcement for more information.

2013-03-12

WebAuth 4.4.3 has been released. This is a bug fix release for all components of WebAuth.

See the release announcement for more information.

2013-02-05

WebAuth 4.4.2 has been released. This is a bug fix release for mod_webkdc. Any users of mod_webkdc 4.4.0 or later should upgrade to this release.

See the release announcement for more information.

2013-01-31

WebAuth 4.4.1 has been released. This is a minor feature release for the WebLogin component.

See the release announcement for more information.

2012-12-19

WebAuth 4.4.0 has been released. This is a major feature release, particularly for the WebKDC and WebLogin components. The primary new features are support for authorization identities separate from authentication identities, and optional replay detection and rate limiting in WebLogin.

See the release announcement for more information.

2012-11-05

WebAuth 4.3.3 has been released. This fixes two serious memory management bugs in mod_webkdc and the WebLogin server. The latter was introduced in WebAuth 4.2.0. All users of mod_webkdc or WebLogin from WebAuth 4.2.0 or later should upgrade to this release.

See the release announcement for more information.

2012-09-27

WebAuth 4.3.2 has been released. This fixes a serious bug in mod_webauth introduced in WebAuth 4.3.0. All users of mod_webauth from 4.3.0 or 4.3.1 should upgrade to this release.

See the release announcement for more information.

2012-09-11

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 4.2.2 from the download page, thanks to Darren Patterson. Public RPM repositories for Red Hat Enterprise Linux 5 and 6, which will contain the latest RPMs, are also available for use with yum.

2012-08-08

WebAuth 4.3.1 has been released. This is a bug-fix release and minor feature release that corrects a portability issue with older Kerberos libraries and two significant problems with the WebKDC and WebLogin server. Users of the WebKDC running WebAuth 4.3.0 should upgrade to this release.

See the release announcement for more information.

2012-08-06

WebAuth 4.3.0 has been released. This release sets HttpOnly on all WebAuth cookies by default, adds a new facility for the user information service to reject an authentication, and continues the major refactoring of the libwebauth and Perl WebAuth APIs.

See the release announcement for more information.

2012-07-19

WebAuth 4.2.2 has been released. This release fixes a serious bug in WebLogin and a Kerberos context cleanup bug in mod_webauth when storing delegated credentials. Both bugs were introduced in 4.2.0. Users of WebLogin or delegated credentials should upgrade.

See the release announcement for more information.

2012-07-18

WebAuth 4.2.1 has been released. This release fixes a bug on 64-bit platforms introduced in 4.2.0 and fixes compilation with Apache 2.0. All users of WebAuth 4.2.0 on 64-bit platforms should upgrade to this release.

See the release announcement for more information.

2012-07-13

WebAuth 4.2.0 has been released. This release adds support for Apache 2.4 and deprecates support for AuthType StanfordAuth, and contains some additional features and bug fixes. It also starts a major refactoring of the libwebauth and Perl WebAuth APIs.

See the release announcement for more information.

2012-05-02

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 4.1.0 from the download page, thanks to Darren Patterson. Unlike the previous 4.0.2 packages, these packages no longer require the remctl RPMs also be installed.

2012-04-25

WebAuth 4.1.1 has been released. This is a bugfix release for the WebKDC and WebLogin components. There are no changes in the WebAuth module for application servers.

See the release announcement for more information.

2012-03-27

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.7.4 and WebAuth 4.0.2 from the download page, thanks to Darren Patterson. The packages for 4.0.2 require the remctl-client RPMs be installed as well. This requirement will be relaxed in a later version.

Packages are now only provided for Red Hat Enterprise Linux 5 and 6. RHEL 4 packages are no longer built, but it should be possible to build WebAuth from source on RHEL 4.

2012-03-15

WebAuth 4.1.0 has been released. This is primarily a bug-fix and feature release for the new functionality in WebAuth 4.0 and mainly of interest for WebLogin and WebKDC administrators. The changes in the WebAuth module for application servers are minimal.

See the release announcement for more information.

2012-02-16

Západočeská univerzita has developed a Shibboleth IdP WebLogin handler that can support forced authentication, unlike the standard RemoteUser authentication handler. The handler is available directly from their web site.

2011-12-02

WebAuth 4.0.2 has been released. This is a bug-fix release for the new functionality in WebAuth 4.0 and corresponds to the code deployed in production at Stanford. With this release, we consider WebAuth 4.0 ready for production use.

See the release announcement for more information.

2011-09-23

WebAuth 4.0.1 has been released. This is a bug-fix release for the new functionality in WebAuth 4.0. It is the version that we expect to deploy in production, but that deployment has not yet happened.

See the release announcement for more information.

2011-09-02

WebAuth 4.0.0 has been released. This is a major functionality release adding support for multifactor authentication. There are also significant changes to the WebLogin implementation, including a complete change in templating languages. This should be considered a beta release, suitable for broad testing but probably not for production deployment.

See the release announcement for more information.

2011-05-11

WebAuth 3.7.4 has been released. This adds support for optional authentication, fixes WebLogin password change and Perl compatibility issues, and includes various other minor bug fixes.

See the release announcement for more information.

2010-09-24

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.7.3 from the download page, thanks to Darren Patterson. Builds on Red Hat require a small patch that's included in the source package and will be included in the next WebAuth release.

We are no longer providing Solaris binary builds, or the supporting software such as Apache and various prerequisite libraries for Solaris. Solaris users should instead build from source.

2010-09-20

WebAuth 3.7.3 has been released. This fixes problems with LDAP attribute retrieval in WebAuth 2.x compatibility mode and fixes some additional build problems on Red Hat Enterprise.

See the release announcement for more information.

2010-08-12

WebAuth 3.7.2 has been released. This fixes a serious bug in option parsing in wa_keyring that made the utility unusable. It also fixes some portability problems and improves WebLogin handling of expired or disabled accounts.

See the release announcement for more information.

2010-07-23

WebAuth 3.7.1 has been released. This changes some default behavior with WebLogin password changes and the single sign-on cookie lifetime and should fix some build problems on Red Hat systems.

See the release announcement for more information.

2010-07-08

WebAuth 3.7.0 has been released. This is a major release with improvements to mod_webauthldap, support for password expiration and changing in WebLogin, and substantial changes to the WebAuth build system and underlying libraries. If you use the WebAuthLdapAuthRule directive for mod_webauthldap, please note that its behavior has changed.

See the release announcement for more information.

2010-03-14

Oxford University Computing Services has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new version adds support for loading configuration from a class and optional refreshing of the Kerberos configuration. It also improves the documentation.

This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.

2009-09-10

WebAuth 3.5.5, 3.6.0, and 3.6.1 have a security vulnerability in the WebLogin server that can, in rare situations, expose the user's password in the URL and from there to the browser history and to WebAuth-protected web sites. All WebLogin servers should be upgraded to WebAuth 3.6.2. See the security advisory for more information.

2009-09-10

WebAuth 3.6.2 has been released, fixing a security vulnerability in the WebLogin server. All WebLogin servers should be updated. There are no changes relative to 3.6.1 except in the WebLogin server and its templates.

See the release announcement for more information.

2009-07-22

Stanford's WebLogin server will be reconfigured on August 4th, 2009, to remove the confirmation page except for WebAuth application servers that may receive delegated credentials. More information

2009-07-16

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.6.1 from the download page, thanks to Darren Patterson.

2009-07-14

WebAuth 3.6.1 has been released. This release focuses primarily on improvements to the WebLogin server, particularly in the confirmation page and support for bypassing that page in various circumstances. It also contains significant code restructuring and build system updates that will make further improvements easier.

See the release announcement for more information.

2008-04-02

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.6.0 from the download page, thanks to Darren Patterson.

2008-03-22

WebAuth 3.6.0 has been released. This release mostly affects the WebKDC and WebLogin server, adding multiple new features and improving handling of Kerberos cross-realm authentication. It also fixes one bug in the WebAuth module that caused problems for requests with sub-requests (such as mod_autoindex).

See the release announcement for more information.

2008-01-14

WebAuth 3.5.5 has been released. This release fixes an environment handling bug in mod_webauthldap and improves cookie and Shibboleth handling in WebLogin.

See the release announcement for more information.

2007-04-24

WebAuth 3.5.4 has been released. This release fixes mod_webauthldap configuration parsing, adds various minor feature enhancements, and improves presentation of Shibboleth IdP authentication.

See the release announcement for more information.

2006-12-04

Mats Henrikson has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new release adds a logout filter, adds improved debugging and testing, and fixes some other bugs. Several of the improvements were contributed by Matthew Buckett.

This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.

2006-10-04

Mats Henrikson has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new release adds support for des-cbc-crc encryption types and fixes a few other minor issues.

This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.

2006-09-12

WebAuth 3.5.3 has been released. This release improves and documents the logging in the WebKDC module and adds initial support for Apache 2.2.

See the release announcement for more information.

2006-07-13

WebAuth 3.5.2 has been released. This release fixes a security vulnerability in the default Weblogin templates (as noted below) and fixes several other bugs in the Weblogin code. The changes are only to Weblogin; clients have no need to upgrade from 3.5.1.

See the release announcement for more information.

2006-07-13

A cross-site scripting vulnerability has been discovered in the sample WebLogin templates distributed with WebAuth, and therefore probably affecting any WebLogin templates based on them. Anyone running a WebLogin server needs to replace any instance of:

    <TMPL_VAR NAME=variable>

with:

    <TMPL_VAR ESCAPE=HTML NAME=variable>

in their templates. Successful exploit of this vulnerability could be used to steal users' passwords. A new release of WebAuth containing this fix to the sample templates will be forthcoming shortly.
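One way to audit templates for the pattern described above, as an added example that is not part of WebAuth or the original advisory. It is a regex-based check for `TMPL_VAR` tags, the sample template and its variable names are constructed for illustration, and it assumes the `ESCAPE` values `HTML`, `1`, `URL` and `JS` count as escaped while `NONE` and `0` do not:

```python
import re

# Matches <TMPL_VAR ...> and the <!-- TMPL_VAR ... --> comment form, any case.
TAG_RE = re.compile(r"(<(?:!--\s*)?TMPL_VAR\b)([^>]*?)((?:--)?>)", re.IGNORECASE)
# attr=value with a double-quoted, single-quoted or bare value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Assumption of this example: these ESCAPE values are treated as safe.
ESCAPED = {"HTML", "1", "URL", "JS"}


def parse_attrs(raw):
    """Return the tag's attributes as a dict with upper-cased keys."""
    return {m.group(1).upper(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def find_unescaped(text):
    """List (line, variable, reason) for every TMPL_VAR emitted without escaping."""
    findings = []
    for m in TAG_RE.finditer(text):
        attrs = parse_attrs(m.group(2))
        # <TMPL_VAR foo> is allowed as shorthand for <TMPL_VAR NAME=foo>.
        name = attrs.get("NAME") or ATTR_RE.sub("", m.group(2)).strip()
        line = text.count("\n", 0, m.start()) + 1
        if "ESCAPE" not in attrs:
            findings.append((line, name, "no ESCAPE attribute"))
        elif attrs["ESCAPE"].upper() not in ESCAPED:
            findings.append((line, name, "escaping disabled"))
    return findings


def add_html_escape(text):
    """Insert ESCAPE=HTML into tags that have no ESCAPE attribute at all.

    Tags that explicitly disable escaping are left alone: they were a
    deliberate choice and need a human to decide, so they stay reported.
    """
    def fix(m):
        if "ESCAPE" in parse_attrs(m.group(2)):
            return m.group(0)
        return m.group(1) + " ESCAPE=HTML" + m.group(2) + m.group(3)
    return TAG_RE.sub(fix, text)


# Constructed sample template, not taken from the WebAuth distribution.
SAMPLE = """<html><body>
<p>Welcome, <TMPL_VAR NAME=username></p>
<p class="error"><TMPL_VAR ESCAPE=HTML NAME=err_msg></p>
<input type="hidden" name="RT" value="<tmpl_var name="RT">">
<!-- TMPL_VAR NAME=login_note -->
<a href="/cancel?u=<TMPL_VAR ESCAPE=URL NAME=cancel_url>">Cancel</a>
<TMPL_VAR NAME=banner ESCAPE=NONE>
</body></html>
"""

if __name__ == "__main__":
    for line, name, reason in find_unescaped(SAMPLE):
        print(f"line {line}: {name}: {reason}")
    print(add_html_escape(SAMPLE))
```

Running `find_unescaped` again on the rewritten template is a quick way to confirm that only the tags needing manual review remain.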

2006-06-23

RPMs of WebAuth 3.5.1 (only the WebAuth server modules, not the WebKDC components) for Red Hat Enterprise Linux 4 are now available from the download page. Source RPMs are also available and can be used to rebuild WebAuth on other Red Hat-derived distributions. These RPMs are not yet widely tested. Please report any problems.

2006-06-21

WebAuth 3.5.1 has been released. This release contains some additional modifications to the weblogin code to make deployment of HTTP Negotiate (SPNEGO) authentication easier, to aid translation of templates, and to tell users when they're required by a WebAuth-protected site to re-enter their username and password. There is also a fix for reading keyrings on 64-bit platforms and for finding apxs during compilation.

The pre-built Solaris packages, prerequisite stow packages, and Apache binaries have also been updated to more recent versions.

See the release announcement for more information.

2006-05-04

Thanks to Oxford University Computing Services and Mats Henrikson, an experimental implementation of the WebAuth protocol in Java is available. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.

2006-03-20

WebAuth 3.5.0 has been released. This is a significant update of the weblogin code to support optionally using an Apache authentication mechanism such as SPNEGO (the previous support was all or nothing). As part of this update, the weblogin page flow and configuration options have been thoroughly documented and the template variables updated, regularized, and expanded. For the regular WebAuth module, WebAuthExtraRedirect is now the default.

See the release announcement for more information.

2006-03-16

The WebAuth web pages have been expanded and improved, most notably adding a new overview of WebAuth features and comparison to other systems. The mailing lists have been moved to Mailman and are now archived.

2006-02-17

WebAuth 3.4.2 has been released. This is primarily a portability release that fixes some problems on Red Hat systems and with Heimdal builds.

See the release announcement for more information.

2006-02-06

WebAuth 3.4.1 has been released. This release reverts the change to keep WebAuth data in the URL for unprotected URLs, since it interacted poorly with .htaccess files. As a partial replacement, the option WebAuthStripURL is now documented and supported.

As of this release, WebAuth supports the Heimdal implementation of Kerberos in addition to the MIT implementation, and no longer uses deprecated OpenLDAP interfaces. It should also correctly find the com_err header on newer versions of Red Hat.

See the release announcement for more information.

2006-01-24

WebAuth 3.4.0 has been released. This release adds SPNEGO support to the Weblogin server, which allows clients with Kerberos tickets and browsers that support the SPNEGO authentication protocol with Kerberos V5 GSSAPI to never have to enter their credentials into any web page. As a side effect, any other Apache authentication mechanism is now supported on the Weblogin server, so client-side certificates (for example) can now also be used.

In addition, the WebAuth module no longer removes WebAuth data from URLs for unprotected content, so it can sit alongside another implementation of WebAuth. The protocol specification has been rewritten and improved, the Kerberos library probes when building from source have been significantly improved, and there are other minor improvements (particularly in the documentation).

See the release announcement for more information.

2005-10-04

WebAuth 3.3.0 has been released. This release removes support for S/Ident due to a security flaw in the protocol, adds another option for multi-value attribute handling in LDAP lookups, and improves the LDAP module documentation.

See the release announcement for more information.

2005-06-04

WebAuth 3.2.8 has been released. This is a minor bug fix release fixing handling of empty keyring files and improving the WebKDC module documentation. The Solaris binary packages, stow packages, and Apache build have been updated to more recent versions as part of this release and Debian packages are available.

See the release announcement for more information.

2005-04-23

WebAuth 3.2.7 has been released. This is a minor bug fix release that also updates libtool for better portability to some platforms. Most users will have no reason to upgrade.

See the release announcement for more information.

2005-04-19

WebAuth 3.2.6 has been released. The only change in this release is the renaming of the Perl bindings from WebAuth3 to WebAuth to match the name of the shared library. Most users will have no reason to upgrade.

See the release announcement for more information.

2005-04-14

WebAuth 3.2.5 has been released. This is mostly a packaging release but does fix the priority of messages from mod_webauthldap. Most users will have no reason to upgrade.

See the release announcement for more information.

2004-09-17

WebAuth 3.2.4 has been released. This is a bug fix release for the WebKDC only, and specifically in the S/Ident support. Most users will have no reason to upgrade.

See the release announcement for more information.

2004-06-29

WebAuth 3.2.3 has been released. This release fixes long delays after redirects from the WebAuth module on some browsers and changes the WebKDC templates to something more generic. Also new in this release are experimental Debian packages.

See the release announcement for more information.

2004-03-19

The OpenSSL stow packages have been updated to version 0.9.7d because of denial of service vulnerabilities in OpenSSL 0.9.7c. No other WebAuth packages should have to be updated, as the new version of OpenSSL is backward-compatible with the previous version. The new version is available from the stow packages page.

2004-03-02

WebAuth 3.2.2 has been released. This release adds WebAuthSSLReturn to allow WebAuth to be used with an SSL accelerator. Also in this release are various bug fixes, particularly with Sun cc and non-GNU make.

See the release announcement for more information.

2003-09-10

WebAuth 3.2.1 has been released. This release fixes problems with backward compatibility support, adds a new directive to allow applications to deal with tokens expiring during POST, and fixes problems with re-establishing connections to an LDAP server after a timeout.

See the release announcement for more information.

2003-08-06

WebAuth 3.2.0 has been released. This release adds S/Ident support in the weblogin server and the WebKDC and a preliminary port to Apache for Windows. There are also bug fixes to both the WebAuth and LDAP modules and some fixes to the way that redirects are handled which may prevent looping problems with some browsers.

See the release announcement for more information.

2003-05-29

WebAuth 3.1.2 has been released. This is a bug fix release, mostly affecting the LDAP module.

See the release announcement for more information.

2003-05-01

WebAuth 3.1.0 has been released. The primary additions are LDAP support equal to WebAuth v2 and additional backward compatibility support for current WebAuth v2 users. WebAuth 3.1.0 also features various bug fixes, some additional configuration directives for not caching files and using keytabs that contain multiple principals, and support for additional configuration directives in .htaccess files.

See the release announcement for more information.

2003-02-18

Initial public release of WebAuth v3. This is a complete rewrite of the WebAuth system, sharing no common code with the previous release. It is now based on Apache 2.0, Kerberos v5, and a new infrastructure for managing authentication tokens.

See the release announcement for more information.

Last modified Wednesday, 23-Jul-2014 04:32:34 PM
