Dear friends,

The PAPI Development Team is proud to announce the new PAPI 1.3.1. This new version is available at the PAPI web site:

http://papi.rediris.es/

This release mostly includes several bug fixes (notably, the one dealing with the security problem discovered last March), although it also introduces new features that have been requested by user organizations. We enclose here a list of the main changes from the previous version (1.3.0), taken from the PAPI release notes:

- Correct two security flaws in the code of the AuthServer that could allow an attacker to impersonate a valid user under some circumstances. Thanks to Diego Ray from the University of Malaga for detecting the bugs and preparing an exploit demonstration program.

- A new algorithm for access token rotation has been implemented. The Max_Nonce_Errors directive has been introduced to configure this algorithm.

- The built-in WAYF is able to automatically redirect a request (without user interaction) when just one AS is recognized by the PoA. Contributed by Luis Melendez from the University of Cordoba.

- It is possible to call external procedures at the PoA to generate the contents of access tokens from the data received in the assertion (by means of the Hcook_Generator directive).

- Enhance the proxy behavior to deal with comment-protected JavaScript snippets and (non-standard but widely used) Refresh headers.

- Add the new configuration directive Reject_URL_Pattern, to allow finer control over proxied URLs.

- The LDAPAuth module is now able to access LDAP servers (for validating users and retrieving attributes) via a TLS connection. Thanks to Oriol Rico from UPC for his help in testing this.

- A new configuration variable, uidVar, has been included in the AuthServer, so a user identifier can be used even for those operations (like TEST and LOGOUT) for which full user identification is not mandatory.

- Correct a bug in the IMAPAuth module that precluded users with empty mailboxes from successfully logging in. Contributed by Luis Melendez from the University of Cordoba.

Enjoy,

--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Red.es - RedIRIS
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094