.gitignore

@@ -1 +1 @@
-SOURCES/v2.4.9.4.tar.gz
+SOURCES/mod_auth_openidc-2.4.16.11.tar.gz

.mod_auth_openidc.metadata

@@ -1 +1 @@
-47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz
+16a962b610751320f83b8ceed220fb9ed713d299 SOURCES/mod_auth_openidc-2.4.16.11.tar.gz

SOURCES/0001-CVE-2022-23527.patch

@@ -1,77 +0,0 @@
-commit 4c494e4a59a15580e3226dcd6c02b24076b73421
-Author: Tomas Halman <thalman@redhat.com>
-Date:   Mon Feb 27 13:18:55 2023 +0100
-
-    Backport of fixes for CVE-2022-23527
-    
-    CVE-2022-23527 prevent open redirect in default setup
-    
-    This patch is based on 87119f44, f38af0e2, 1a394a86 and
-    1c808c58 updates.
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index b36f6c1..099c716 100644
---- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
- 		oidc_error(r, "%s: %s", *err_str, *err_desc);
- 		return FALSE;
- 	}
-+	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
-+			|| (strstr(url, "/\t") != NULL)
-+			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
-+			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
-+			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
-+			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
-+			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ｰ") != NULL)
-+			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
-+			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
-+		*err_str = apr_pstrdup(r->pool, "Invalid URL");
-+		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
-+		oidc_error(r, "%s: %s", *err_str, *err_desc);
-+		return FALSE;
-+	}
- 
- 	return TRUE;
- }
-diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
-index 2218d76..8757411 100644
---- a/src/mod_auth_openidc.h
-+++ b/src/mod_auth_openidc.h
-@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
- char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
- apr_byte_t oidc_enabled(request_rec *r);
- char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
-+char* oidc_util_strcasestr(const char *s1, const char *s2);
- 
- /* HTTP header constants */
- #define OIDC_HTTP_HDR_COOKIE							"Cookie"
-diff --git a/src/util.c b/src/util.c
-index 4c46156..c6453d0 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
-     return output;
- }
- 
-+char* oidc_util_strcasestr(const char *s1, const char *s2) {
-+	const char *s = s1;
-+	const char *p = s2;
-+	do {
-+		if (!*p)
-+			return (char*) s1;
-+		if ((*p == *s) || (tolower(*p) == tolower(*s))) {
-+			++p;
-+			++s;
-+		} else {
-+			p = s2;
-+			if (!*s)
-+				return NULL;
-+			s = ++s1;
-+		}
-+	} while (1);
-+	return *p ? NULL : (char*) s1;
-+}
- 
- /*
-  * get the URL scheme that is currently being accessed

SOURCES/0002-CVE-2023-28625.patch

@@ -1,24 +0,0 @@
-commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
-Author: Tomas Halman <thalman@redhat.com>
-Date:   Tue Apr 11 11:39:55 2023 +0200
-
-    Backport fixe of CVE-2023-28625
-    
-    CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
-    OIDCStripCookies is set and a crafted Cookie header is supplied
-    
-    This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index 099c716..51eb53e 100644
---- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
- 		do {
- 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
- 				cookie++;
-+			if (cookie == NULL)
-+				break;
- 
- 			for (i = 0; i < strip->nelts; i++) {
- 				name = ((const char**) strip->elts)[i];

SOURCES/0003-CVE-2024-24814.patch

@@ -1,46 +0,0 @@
-diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
---- mod_auth_openidc-2.4.9.4/src/util.c.orig	2024-02-29 17:54:55.939797412 +0100
-+++ mod_auth_openidc-2.4.9.4/src/util.c	2024-02-29 18:01:12.042842605 +0100
-@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
-  */
- char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
- 		int chunkSize) {
--	char *cookieValue = NULL;
--	char *chunkValue = NULL;
--	int i = 0;
--	if (chunkSize == 0) {
--		cookieValue = oidc_util_get_cookie(r, cookieName);
--	} else {
--		int chunkCount = oidc_util_get_chunked_count(r, cookieName);
--		if (chunkCount > 0) {
--			cookieValue = "";
--			for (i = 0; i < chunkCount; i++) {
--				chunkValue = oidc_util_get_cookie(r,
--						oidc_util_get_chunk_cookie_name(r, cookieName, i));
--				if (chunkValue != NULL)
--					cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
--							chunkValue);
--			}
--		} else {
--			cookieValue = oidc_util_get_cookie(r, cookieName);
-+	char *cookieValue = NULL, *chunkValue = NULL;
-+	int chunkCount = 0, i = 0;
-+	if (chunkSize == 0)
-+		return oidc_util_get_cookie(r, cookieName);
-+	chunkCount = oidc_util_get_chunked_count(r, cookieName);
-+	if (chunkCount == 0)
-+		return oidc_util_get_cookie(r, cookieName);
-+	if ((chunkCount < 0) || (chunkCount > 99)) {
-+		oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
-+		return NULL;
-+	}
-+	for (i = 0; i < chunkCount; i++) {
-+		chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
-+		if (chunkValue == NULL) {
-+			oidc_warn(r, "could not find chunk %d; aborting", i);
-+			break;
- 		}
-+		cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
- 	}
- 	return cookieValue;
- }

SOURCES/0004-race-condition.patch

@@ -1,95 +0,0 @@
-diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
---- mod_auth_openidc-2.4.10/src/cache/file.c.orig	2024-04-16 11:12:38.942552103 +0200
-+++ mod_auth_openidc-2.4.10/src/cache/file.c	2024-04-16 11:13:09.890588209 +0200
-@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
- 			}
- 
- 			/* read the header with cache metadata info */
-+			apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
- 			rc = oidc_cache_file_read(r, path, fd, &info,
- 					sizeof(oidc_cache_file_info_t));
-+			apr_file_unlock(fd);
- 			apr_file_close(fd);
- 
- 			if (rc == APR_SUCCESS) {
-@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
- /*
-  * write a value for the specified key to the cache
-  */
--static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
--		const char *key, const char *value, apr_time_t expiry) {
-+static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
-+		const char *value, apr_time_t expiry) {
- 	apr_file_t *fd = NULL;
- 	apr_status_t rc = APR_SUCCESS;
- 	char s_err[128];
- 
- 	/* get the fully qualified path to the cache file based on the key name */
--	const char *path = oidc_cache_file_path(r, section, key);
-+	const char *target = oidc_cache_file_path(r, section, key);
-+	const char *path = apr_psprintf(r->pool, "%s.tmp", target);
- 
- 	/* only on writes (not on reads) we clean the cache first (if not done recently) */
- 	oidc_cache_file_clean(r);
-@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
- 	/* just remove cache file if value is NULL */
- 	if (value == NULL) {
- 		if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
--			oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
--					apr_strerror(rc, s_err, sizeof(s_err)));
-+			oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
- 		}
- 		return TRUE;
- 	}
- 
- 	/* try to open the cache file for writing, creating it if it does not exist */
--	if ((rc = apr_file_open(&fd, path,
--			(APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
--			APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
--		oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
--				apr_strerror(rc, s_err, sizeof(s_err)));
-+	if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
-+							APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
-+		oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
- 		return FALSE;
- 	}
- 
- 	/* lock the file and move the write pointer to the start of it */
- 	apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
- 	apr_off_t begin = 0;
-+	apr_file_trunc(fd, begin);
- 	apr_file_seek(fd, APR_SET, &begin);
- 
- 	/* construct the metadata for this cache entry in the header info */
-@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
- 	info.len = strlen(value) + 1;
- 
- 	/* write the header */
--	if ((rc = oidc_cache_file_write(r, path, fd, &info,
--			sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
-+	if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
-+			!= APR_SUCCESS)
- 		return FALSE;
- 
- 	/* next write the value */
--	rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
-+	rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
- 
- 	/* unlock and close the written file */
- 	apr_file_unlock(fd);
- 	apr_file_close(fd);
- 
-+	if (rename(path, target) != 0) {
-+		oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
-+		return FALSE;
-+	}
-+
- 	/* log our success/failure */
--	oidc_debug(r,
--			"%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
--			(rc == APR_SUCCESS) ? "successfully stored" : "could not store",
--					key, info.len);
-+	oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
- 
- 	return (rc == APR_SUCCESS);
- }

SOURCES/0005-CVE-2025-31492.patch

@@ -1,83 +0,0 @@
-diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
---- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig	2025-04-11 10:49:32.095915197 +0200
-+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c	2025-04-11 10:51:12.493949688 +0200
-@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
- 
- 			rc = oidc_discovery(r, c);
- 
--		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
-+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
-+
-+			rc = OK;
-+
-+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
- 
- 			rc = OK;
- 
-diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
---- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig	2025-04-11 10:49:32.081518446 +0200
-+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h	2025-04-11 10:51:12.495521138 +0200
-@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
- #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
- #define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
- #define OIDC_REQUEST_STATE_KEY_DISCOVERY  "d"
--#define OIDC_REQUEST_STATE_KEY_AUTHN  "a"
-+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST  "a"
-+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE  "p"
- 
- /* parameter name of the callback URL in the discovery response */
- #define OIDC_DISC_CB_PARAM "oidc_callback"
-diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
---- mod_auth_openidc-2.4.9.4/src/proto.c.orig	2021-09-03 10:41:21.000000000 +0200
-+++ mod_auth_openidc-2.4.9.4/src/proto.c	2025-04-11 10:51:12.495927318 +0200
-@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
- /*
-  * make the browser POST parameters through Javascript auto-submit
-  */
--static int oidc_proto_html_post(request_rec *r, const char *url,
-+static void oidc_proto_html_post(request_rec *r, const char *url,
- 		apr_table_t *params) {
- 
- 	oidc_debug(r, "enter");
-@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
- 	html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "      </p>\n"
- 			"    </form>\n");
- 
--	return oidc_util_html_send(r, "Submitting...", NULL,
--			"document.forms[0].submit", html_body, OK);
-+	oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
- }
- 
- void add_auth_request_params(request_rec *r, apr_table_t *params,
-@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
- 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
- 
- 		/* construct a HTML POST auto-submit page with the authorization request parameters */
--		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
--				params);
-+		oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
-+
-+		/* signal this to the content handler */
-+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
-+		r->user = "";
-+		rv = OK;
- 
- 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
- 
-@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
- 		authorization_request = oidc_util_http_query_encoded_url(r,
- 				provider->authorization_endpoint_url, params);
- 
--		// TODO: should also enable this when using the POST binding for the auth request
- 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
- 		if (oidc_post_preserve_javascript(r, authorization_request, NULL,
- 				NULL) == FALSE) {
-@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
- 		} else {
- 
- 			/* signal this to the content handler */
--			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
-+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
- 			r->user = "";
- 			rv = OK;
- 

SPECS/mod_auth_openidc.spec

@@ -14,19 +14,13 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 
 Name:		mod_auth_openidc
-Version:	2.4.9.4
+Version:	2.4.16.11
-Release:	8%{?dist}
+Release:	1%{?dist}
 Summary:	OpenID Connect auth module for Apache HTTP Server
 
 License:	ASL 2.0
-URL:		https://github.com/zmartzone/mod_auth_openidc
+URL:		https://github.com/OpenIDC/mod_auth_openidc
-Source0:	https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
+Source0:	https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
-Patch1:		0001-CVE-2022-23527.patch
-Patch2:		0002-CVE-2023-28625.patch
-Patch3:		0003-CVE-2024-24814.patch
-Patch4:		0004-race-condition.patch
-Patch5:		0005-CVE-2025-31492.patch
-Patch6:		0006-string-compare.patch
 
 BuildRequires:  gcc
 BuildRequires:	httpd-devel
@@ -40,7 +34,6 @@ BuildRequires:	cjose-devel
 BuildRequires:	jq-devel
 %{?_with_hiredis:BuildRequires: hiredis-devel}
 Requires:	httpd-mmn = %{_httpd_mmn}
-Requires:	cjose >= 0.6.1
 
 %description
 This module enables an Apache 2.x web server to operate as
@@ -60,7 +53,6 @@ autoreconf
   %{?_without_hiredis} \
   --with-apxs2=%{_httpd_apxs}
 
-
 %{make_build}
 
 %check
@@ -70,7 +62,7 @@ make test
 
 %install
 mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
-make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
+make DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=%{_httpd_moddir} install
 
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@@ -102,83 +94,131 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 
 %changelog
-* Fri Apr 25 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-8
+* Tue Apr 8 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.11-1
-- Resolves: RHEL-87759 - Empty POST causes crash with OIDCPreservePost
+  Rebase to version 2.4.16.11
+- Resolves: RHEL-86221
 
-* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-7
+* Mon Mar 31 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.10-1
-- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
+  Rebase to version 2.4.16.10
-            POSTs to leak protected data (CVE-2025-31492)
+- Resolves: RHEL-44894
+- Resolves: RHEL-3335
 
-* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
+* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.10-1
-- Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
+  Rebase to 2.4.10 version improves `state cookies piling up` problem
-- Resolves: RHEL-25421 mod_auth_openidc: DoS when using
+  Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache
-    `OIDCSessionType client-cookie` and manipulating cookies
+  Resolves: RHEL-25422 mod_auth_openidc: DoS when using
-    (CVE-2024-24814)
+            `OIDCSessionType client-cookie` and manipulating cookies
-
+            (CVE-2024-24814)
-* Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5
-  Related: rhbz#2141850 - fix cjose version dependency
 
 * Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4
-  Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default
+  Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default
 
 * Tue Apr 11 2023  Tomas Halman <thalman@redhat.com> - 2.4.9.4-3
-- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference
+- Resolves: rhbz#2184145 - CVE-2023-28625 NULL pointer dereference
-      when OIDCStripCookies is set and a crafted Cookie header is supplied
+  when OIDCStripCookies is set and a crafted Cookie header is supplied
 
 * Tue Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2
-- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in
+- Resolves: rhbz#2153656 - CVE-2022-23527 - Open Redirect in
-      oidc_validate_redirect_url() using tab character
+  oidc_validate_redirect_url() using tab character
 
-* Fri Apr 8 2022 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
+* Tue Nov 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
-- Resolves: rhbz#2025368 - Rebase to new version
+- Resolves: rhbz#2001852 - CVE-2021-39191 mod_auth_openidc: open redirect
+                           by supplying a crafted URL in the target_link_uri
+                           parameter
 
-* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-11
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-3
-- Resolves: rhbz#1987222 - CVE-2021-32792 XSS when using OIDCPreservePost On
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-10
+* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9.1-1
-- Resolves: rhbz#1987216 - CVE-2021-32791 hardcoded static IV and AAD with a
+- Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using
-                           reused key in AES GCM encryption [rhel-8] (edit) 
+                           OIDCPreservePost On [rhel-9.0]
+- Resolves: rhbz#1987217 - CVE-2021-32791 mod_auth_openidc: hardcoded
+                           static IV and AAD with a reused key in AES GCM
+                           encryption [rhel-9.0]
+- Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in
+                           oidc_validate_redirect_url() [rhel-9.0]
 
-* Fri Oct 29 2021 Tomas Halman <thalman@redhat.com> - 2.3.7-9
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-2
-- Resolves: rhbz#2001853 - CVE-2021-39191 open redirect by supplying a crafted URL
+- Rebuilt for RHEL 9 BETA for openssl 3.0
-                           in the target_link_uri parameter
+  Related: rhbz#1971065
 
-* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-8
+* Mon May 10 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.8.2-1
-- Resolves: rhbz#1823756 - Backport SameSite=None cookie from
+- New upstream release
-                           mod_auth_openidc upstream to support latest browsers
+- Resolves: rhbz#1958466 - mod_auth_openidc-2.4.8.2 is available
 
-* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-7
+* Thu May  6 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.7.2-1
-- Resolves: rhbz#1897992 - OIDCStateInputHeaders &
+- New upstream release
-                           OIDCStateMaxNumberOfCookies in existing
+- Resolves: rhbz#1900913 - mod_auth_openidc-2.4.7.2 is available
-                           mod_auth_openidc version
-- Backport the OIDCStateMaxNumberOfCookies option
-- Configure which header value is used to calculate the fingerprint of
-  the auth state
 
-* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-6
+* Fri Apr 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.4.1-3
-- Fix the previous backport
+- Resolves: rhbz#1951277 - Remove unnecessary LTO patch 
-- Related: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
-                          Open redirect in logout url when using URLs with
-                          leading slashes
-- Related: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
-                          open redirect issue exists in URLs with slash and
-                          backslash
 
-* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-5
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.4.1-2
-- Resolves: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-                           Open redirect in logout url when using URLs with
+
-                           leading slashes
+* Fri Sep  4 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4.1-1
-- Resolves: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
+- New upstream version 2.4.4.1
-                           open redirect issue exists in URLs with slash and
+
-                           backslash
+* Tue Sep  1 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4-1
+- New upstream version 2.4.4
+
+* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-5
+- update to use correct apxs via _httpd_apxs macro
+
+* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-4
+- work around LTO build failure
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.3
+- New upstream version 2.4.3
+
+* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.2.1-1
+- New upstream version 2.4.2.1
+- Resolves: rhbz#1805104 - CVE-2019-20479 mod_auth_openidc: open redirect
+                           issue exists in URLs with slash and backslash
+                           [fedora-all]
+- Resolves: rhbz#1816883 - mod_auth_openidc-2.4.2.1 is available
+
+* Thu Feb 13 2020 Tom Stellard <tstellar@redhat.com> - 2.4.1-2
+- Use make_build macro instead of just make
+- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+
+* Mon Feb  3 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.1-1
+- New upstream version 2.4.1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Nov 21 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.4-1
+- New upstream version 2.4.0.4
+
+* Fri Oct  4 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.3-1
+- New upstream version 2.4.0.3
+
+* Fri Aug 23 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0
+- New upstream version 2.4.0
+- Resolves: rhbz#1374884 - mod_auth_openidc-2.4.0 is available
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
 * Thu Aug 16 2018  <jdennis@redhat.com> - 2.3.7-3
+- update test-segfault.patch to match upstream
+
+* Tue Aug 14 2018  <jdennis@redhat.com> - 2.3.7-2
 - Resolves: rhbz# 1614977 - fix unit test segfault,
   the problem was not limited exclusively to s390x, but s390x provoked it.
 
-* Fri Aug 10 2018  <jdennis@redhat.com> - 2.3.7-2
-- disable running check on s390x
-
 * Wed Aug  1 2018  <jdennis@redhat.com> - 2.3.7-1
 - upgrade to upstream 2.3.7