2013-05-01: WebAuth 4.5.1
Unfortunately, as always seems to happen with large releases, one of the
features that we added in WebAuth 4.5.0 wasn't adequately tested and had
some lingering issues.
In this case, it was a last minute change: from a UI perspective, we
decided it was better to present the user with a checkbox (checked by
default) saying "remember my login on this computer" instead of a checkbox
(off by default) saying "this is a public computer; don't remember me."
People are much more familiar with the former than the latter.
Unfortunately, due to how HTML checkboxes work, this required changing the
default in the code, and that turned out to break single sign-on
completely. We were assuming we should not maintain single sign-on
credentials by default, so all the WebLogin interactions that never passed
through the forms so that the form could establish a default would delete
the cookies.
This should be all sorted out in this release, along with a few other edge
cases that became apparent when I thought harder about this. The
documentation also makes clearer the required template changes when
upgrading from versions prior to 4.5.0. We also snuck in one new feature:
the user information service can pass a message to the user through to the
confirmation page.
You can get the latest release from the official WebAuth distribution site
or from my WebAuth distribution pages.
2013-05-14: backport 1.30
Debian wheezy has been released (yay!), so I've updated my backport script
to backport to wheezy by default and shuffled the meanings of stable and
oldstable. The whole script badly needs a rewrite and needs to become
more configuration-driven, but I sadly don't have the time at the moment,
so will have to make do with this.
If anyone else is using it, you can get the latest copy from my
scripts page.
Also done: suite names changed for local Stanford repositories. jessie
added to our local Debian mirroring. reprepro pull rules changed
accordingly. All local build chroots updated, with new ones created for
wheezy and wheezy-backports.
Still to do: update suite names and pull rules for the eyrie.org Debian
repository (which isn't used much any more). Delete the old per-service
lenny-based distributions, since we've gotten everything off of lenny that
cared about them. Add a new jessie build chroot to our local build
servers. Update our FAI installation to build wheezy by default and to
use a wheezy NFS root.
reprepro makes this whole process so massively easier than it was with
debarchiver.
2013-05-14: WebAuth 4.5.2
Last weekend, I spent several hours carefully going over some of the
WebLogin code to try to track down a weird bug that we ran into in our UAT
environment. The bad part is that I didn't find it, although restarting
Apache made it disappear. The good part is that I found a bunch of other
bugs that would have been troublesome later.
This release is just a WebLogin bug fix release, cleaning up those issues
plus a few other things we've found in testing for our upcoming production
upgrade. Specifically, there's now a way to preserve
remember_login across a failed login attempt, clearing of failed
login attempts after a successful one works properly, cookies are set
correctly on the error page, and WebLogin no longer erroneously clears
cookies when redirecting to check for cookie support.
You can get the latest release from the official WebAuth distribution site
or from my WebAuth distribution pages.
2013-05-15: WebAuth 4.5.3
Good news: we finally tracked down the intermittant redirect looping bug
so that I could fix it! Bad news: it was also a security vulnerability.
Thankfully, it was fairly specific: you had to be using FastCGI for the
login page and you also had to be using the $REMUSER_REDIRECT
option. But in those situations, WebAuth versions from 4.4.1 through
4.5.2 could potentially leak authentication state from one user to
another.
The full scenario is somewhat tedious to explain, but the short version is
that, in 4.4.1, I switched over to using a single persistent
CGI::Application object instead of re-creating it for each request. This
takes better advantage of FastCGI. However, CGI::Application doesn't
reset header properties between requests, and while we mostly did that
internally, there was one specific case around REMOTE_USER redirects where
we didn't.
For more details, including a patch for those who don't want to upgrade,
see the security
advisory.
WebAuth 4.5.3 has been released with only this fix relative to 4.5.2. You
can get the latest release from the official WebAuth distribution site or
from my WebAuth distribution pages.
2013-05-27: Collected haul
I've been slow lately in writing these up (and, for that matter, in doing
most other things related to reading; things have been rather busy
lately). This is a bunch of here-and-there purchases over the last few
months, including Powell's Indiespensible shipments.
Sandra Barret — Face of the Enemy (sff)
Anne Bishop — Written in Red (sff)
Lois McMaster Bujold — Captain Vorpatril's Alliance (sff)
Cary Caffrey — The Girls from Alcyone (sff)
Jenni Fagan — The Panopticon (mainstream)
Niels Ferguson, et al. — Cryptography Engineering (non-fiction)
Jen Kirchner — The Fourth Channel (sff)
Anothony Marra — A Constellation of Vital Phenomena (mainstream)
Steve McConnell — Code Complete (non-fiction)
Seanan McGuire — Velveteen vs. The Junior Super-Patriots (sff)
Patrick Nielsen Hayden, et al. (ed.) — Some of the Best from Tor.com:
2012 (sff anthology)
Lisa O'Donnell — The Death of Bees (mainstream)
Susan Palwich — Flying in Place (sff)
Kim Stanley Robinson — 2312 (sff)
John Scalzi — Redshirts (sff)
Ian Tregillis — Bitter Seeds (sff)
Leon Trotsky — The History of the Russian Revolution (non-fiction)
Simon Van Booy — The Illusion of Separateness (mainstream)
Chris Anne Wolfe — Shadows of Aggar (sff)
Barbara Ann Wright — The Pyramid Waltz (sff)
That's a lot of stuff. It includes a couple of non-fiction O'Reilly books
from sales, a few months of Powell's Indiespensible subscriptions, a
variety of books I picked up after a discussion of good lesbian fiction on
Tor.com (romance without the obnoxious gender tropes, or at least as many
of them), and the rest of the Hugo nominees for the year.
I got a ton of reading done earlier this month. I wish I could say the
same thing about reviews, but I only wrote a few. That's something that I
want to try to catch up on soon, so there will probably be a flurry of
those posted soon. I've already read Blackout and Redshirts
of this year's nominees (a review of the latter is coming), so at least
I'm not too far behind on the reading. Throne of the Crescent Moon
is in progress now.
All posts