Mon, 24 May 2004 18:00:21 +0200
The PAPI Development Team is proud to announce the new PAPI 1.3.1. This
new version is available at the PAPI web site http://papi.rediris.es/
This release mostly includes several bug fixes (notably, the one
dealing with the security problem discovered last March), although it
also introduces new features that have been requested by user
organizations. We enclose here a list of the main changes from the
previous version (1.3.0) from the PAPI release notes:
- Correct two security flaws in the code of the AuthServer that could
allow an attacker to impersonate a valid user under some
circumstances. Thanks to Diego Ray ([log in para visualizar]) from the
University of Malaga for detecting the bugs and preparing a exploit
- A new algorithm for access token rotation has been implemented. The
Max_Nonce_Errors directive has been introduced to configure this
- The built-in WAYF is able to automatically redirect a request (without
user interaction) when just one AS is recognized by the PoA.
Contributed by Luis Melendez ([log in para visualizar]) from the University of
- It is possible to call external procedures at the PoA to generate the
contents of access tokens from the data received in the assertion (by
means of the Hcook_Generator directive).
snippets and (non-standard but widely used) Refresh headers.
- Add the new configuration directive Reject_URL_Pattern, to allow a
finer control over proxied URLs.
- The LDAPAuth module is now able to access LDAP servers (for validating
users and retrieving attributes) via a TLS connection. Thanks to Oriol
Rico ([log in para visualizar]) from UPC for his help in testing this.
- A new configuration variable, uidVar, has been included into the
AuthServer, so a user identifier can be used even for those operations
(like TEST and LOGOUT) for which fully user identification is not
- Correct a bug in the IMAPAuth module that precluded users with empty
mailboxes from successfully logging-in. Contributed by Luis Melendez
([log in para visualizar]) from the University of Cordoba.
"Esta vez no fallaremos, Doctor Infierno"
Dr Diego R. Lopez
Red.es - RedIRIS
The Spanish NREN
e-mail: [log in para visualizar]
jid: [log in para visualizar]
Tel: +34 955 056 621
Mobile: +34 669 898 094