release 2.4.15.3

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Security

• fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is supplied, see the advisory; thanks @olipo186

Bugfixes

• rewrite handling of parallel refresh token grant requests
  • temporarily cache the results of the refresh token grant for other (almost) parallel callers
  • fixes handing on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  • improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
• avoid crash when Forwarded is not present but OIDCXForwardedHeaders Forwarded is configured for it; see #1171; thanks @daviddpd
• set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]