Posts for May 2013

2013-05-01: WebAuth 4.5.1

Unfortunately, as always seems to happen with large releases, one of the features that we added in WebAuth 4.5.0 wasn't adequately tested and had some lingering issues.

In this case, it was a last minute change: from a UI perspective, we decided it was better to present the user with a checkbox (checked by default) saying "remember my login on this computer" instead of a checkbox (off by default) saying "this is a public computer; don't remember me." People are much more familiar with the former than the latter. Unfortunately, due to how HTML checkboxes work, this required changing the default in the code, and that turned out to break single sign-on completely. We were assuming we should not maintain single sign-on credentials by default, so all the WebLogin interactions that never passed through the forms so that the form could establish a default would delete the cookies.

This should be all sorted out in this release, along with a few other edge cases that became apparent when I thought harder about this. The documentation also makes clearer the required template changes when upgrading from versions prior to 4.5.0. We also snuck in one new feature: the user information service can pass a message to the user through to the confirmation page.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2013-05-14: backport 1.30

Debian wheezy has been released (yay!), so I've updated my backport script to backport to wheezy by default and shuffled the meanings of stable and oldstable. The whole script badly needs a rewrite and needs to become more configuration-driven, but I sadly don't have the time at the moment, so will have to make do with this.

If anyone else is using it, you can get the latest copy from my scripts page.

Also done: suite names changed for local Stanford repositories. jessie added to our local Debian mirroring. reprepro pull rules changed accordingly. All local build chroots updated, with new ones created for wheezy and wheezy-backports.

Still to do: update suite names and pull rules for the Debian repository (which isn't used much any more). Delete the old per-service lenny-based distributions, since we've gotten everything off of lenny that cared about them. Add a new jessie build chroot to our local build servers. Update our FAI installation to build wheezy by default and to use a wheezy NFS root.

reprepro makes this whole process so massively easier than it was with debarchiver.

2013-05-14: WebAuth 4.5.2

Last weekend, I spent several hours carefully going over some of the WebLogin code to try to track down a weird bug that we ran into in our UAT environment. The bad part is that I didn't find it, although restarting Apache made it disappear. The good part is that I found a bunch of other bugs that would have been troublesome later.

This release is just a WebLogin bug fix release, cleaning up those issues plus a few other things we've found in testing for our upcoming production upgrade. Specifically, there's now a way to preserve remember_login across a failed login attempt, clearing of failed login attempts after a successful one works properly, cookies are set correctly on the error page, and WebLogin no longer erroneously clears cookies when redirecting to check for cookie support.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2013-05-15: WebAuth 4.5.3

Good news: we finally tracked down the intermittent redirect looping bug so that I could fix it! Bad news: it was also a security vulnerability. Thankfully, it was fairly specific: you had to be using FastCGI for the login page and you also had to be using the $REMUSER_REDIRECT option. But in those situations, WebAuth versions from 4.4.1 through 4.5.2 could potentially leak authentication state from one user to another.

The full scenario is somewhat tedious to explain, but the short version is that, in 4.4.1, I switched over to using a single persistent CGI::Application object instead of re-creating it for each request. This takes better advantage of FastCGI. However, CGI::Application doesn't reset header properties between requests, and while we mostly did that internally, there was one specific case around REMOTE_USER redirects where we didn't.
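The pattern described above, a long-lived per-process application object whose header properties are not cleared between requests, is easy to reproduce in miniature. The following Python model is an added example written for this page; it is not the WebLogin Perl code and does not use CGI::Application. The `LoginApp` class, the `Request` and `Response` types, the cookie and URL values, and the two code paths (a REMOTE_USER redirect that sets `Location` and `Set-Cookie`, and a plain form display that does not touch them) are all constructed for illustration. Running `simulate(False)` shows the second user inheriting the first user's redirect and cookie; `simulate(True)` shows the effect of resetting header state in a per-request hook, which is the shape of the fix.

```python
"""Model of the bug class in WebLogin 4.4.1 through 4.5.2: one persistent
application object per FastCGI process whose header properties survive from
one request to the next. Constructed example, not the WebLogin code."""

from dataclasses import dataclass


@dataclass
class Request:
    user: str               # identity the web server supplied (REMOTE_USER)
    remuser_redirect: bool  # whether this request takes the redirect path


@dataclass
class Response:
    status: int
    headers: dict


class LoginApp:
    """One instance lives for the life of the worker process. Header type and
    header properties are stored on the object, so anything a run mode does
    not explicitly overwrite is still there for the next request."""

    def __init__(self, reset_headers_per_request):
        self.reset_headers_per_request = reset_headers_per_request
        self._header_type = "header"   # "header" (plain) or "redirect"
        self._headers = {}

    def _prerun(self):
        # The fix: forget every header property before dispatching. With this
        # disabled, state from the previous request bleeds into this one.
        if self.reset_headers_per_request:
            self._header_type = "header"
            self._headers = {}

    def _remuser_redirect(self, req):
        # Redirect path: records this user's continuation URL and a cookie
        # carrying their authentication token (constructed values).
        self._header_type = "redirect"
        self._headers["Location"] = f"https://sso.example/continue?user={req.user}"
        self._headers["Set-Cookie"] = f"webauth_at={req.user}-token; Secure; HttpOnly"

    def _show_form(self, req):
        # Plain form display: only sets the content type. It never touches
        # Location or Set-Cookie, so stale values from an earlier request
        # would be emitted unchanged.
        self._headers["Content-Type"] = "text/html"

    def handle(self, req):
        self._prerun()
        if req.remuser_redirect:
            self._remuser_redirect(req)
        else:
            self._show_form(req)
        status = 302 if self._header_type == "redirect" else 200
        # Copy so the caller's view is not mutated by the next request.
        return Response(status, dict(self._headers))


def simulate(reset_per_request):
    """Serve two requests from one process: alice via the REMOTE_USER redirect
    path, then bob via the plain form path. Returns bob's response."""
    app = LoginApp(reset_per_request)
    app.handle(Request(user="alice", remuser_redirect=True))
    return app.handle(Request(user="bob", remuser_redirect=False))


def leaked_headers(resp, other_user="alice"):
    """Header values in a response that carry a different user's state."""
    return {k: v for k, v in resp.headers.items() if other_user in v}


if __name__ == "__main__":
    for reset in (False, True):
        resp = simulate(reset)
        print(f"reset_per_request={reset}: status={resp.status} "
              f"leaked={sorted(leaked_headers(resp))}")
```

The model also reproduces the symptom that led to the bug being noticed: in the buggy configuration the second user receives a 302 to the first user's continuation URL rather than the login form, which is the redirect loop. The general lesson for any persistent handler (FastCGI, mod_perl, application servers) is that per-request output state must be reinitialised in a hook that runs on every request, not only on the paths that happen to set it.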

For more details, including a patch for those who don't want to upgrade, see the security advisory.

WebAuth 4.5.3 has been released with only this fix relative to 4.5.2. You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2013-05-27: Collected haul

I've been slow lately in writing these up (and, for that matter, in doing most other things related to reading; things have been rather busy lately). This is a bunch of here-and-there purchases over the last few months, including Powell's Indiespensible shipments.

Sandra Barret — Face of the Enemy (sff)
Anne Bishop — Written in Red (sff)
Lois McMaster Bujold — Captain Vorpatril's Alliance (sff)
Cary Caffrey — The Girls from Alcyone (sff)
Jenni Fagan — The Panopticon (mainstream)
Niels Ferguson, et al. — Cryptography Engineering (non-fiction)
Jen Kirchner — The Fourth Channel (sff)
Anthony Marra — A Constellation of Vital Phenomena (mainstream)
Steve McConnell — Code Complete (non-fiction)
Seanan McGuire — Velveteen vs. The Junior Super-Patriots (sff)
Patrick Nielsen Hayden, et al. (ed.) — Some of the Best from 2012 (sff anthology)
Lisa O'Donnell — The Death of Bees (mainstream)
Susan Palwick — Flying in Place (sff)
Kim Stanley Robinson — 2312 (sff)
John Scalzi — Redshirts (sff)
Ian Tregillis — Bitter Seeds (sff)
Leon Trotsky — The History of the Russian Revolution (non-fiction)
Simon Van Booy — The Illusion of Separateness (mainstream)
Chris Anne Wolfe — Shadows of Aggar (sff)
Barbara Ann Wright — The Pyramid Waltz (sff)

That's a lot of stuff. It includes a couple of non-fiction O'Reilly books from sales, a few months of Powell's Indiespensible subscriptions, a variety of books I picked up after a discussion of good lesbian fiction on (romance without the obnoxious gender tropes, or at least as many of them), and the rest of the Hugo nominees for the year.

I got a ton of reading done earlier this month. I wish I could say the same thing about reviews, but I only wrote a few. That's something that I want to try to catch up on soon, so there will probably be a flurry of those posted soon. I've already read Blackout and Redshirts of this year's nominees (a review of the latter is coming), so at least I'm not too far behind on the reading. Throne of the Crescent Moon is in progress now.

Last modified and spun 2017-02-20