Pubcookie Home > News 
Pubcookie Homepage Pubcookie News
Announcing Pubcookie 3.3.4
Component:  Pubcookie 3.3.4
Audience:  All
Modified:  February 1, 2010

Release notes for Pubcookie 3.3.4:

Subject: Pubcookie 3.3.4 Released

Pubcookie 3.3.4 has been posted on the project web site.

This release fixes a security vulnerability in the ISAPI filter, and 
includes several other minor changes and bug fixes:

   * Fixed stack buffer overflow vulnerability in the ISAPI filter,
     as disclosed February 1, 2010. See for details.

   * Added support for 4096-bit private keys to login cgi.

   * Modified login cgi to add user's IP address to its log file.

   * Fixed bug in cgic library affecting Session Reauth requests.

   * Fixed bug in mod_pubcookie handling of angle brackets in POST data.

   * Fixed bug in keyserver when using login_servers config option.

   * Fixed bug in filter that truncated query strings on redirections
     when enforcing https.

   * Fixed login cgi segfaults reported on RHEL5 (64-bit).
     [included in version 3.3.4a; a Unix only patch release]

For a complete list of changes included in this release, see:

Compatibility note: sites that parse the login cgi's log file data should 
be aware that the user's IP address has been added to redirect lines.

This release represents several contributions from the community, most 
notably by Chris Ries (Carnegie Mellon University), who identified, 
analyzed, and reported the security vulnerability in the ISAPI filter. 
Additional contributions were made by Bradley Schwoerer and Jon Miner 
(University of Wisconsin-Madison); Trevor Bortins and Jon Hauser 
(University of Washington); Pascal Lalonde; and Todd Ross.

Nathan Dors
Pubcookie Project
University of Washington
Phone: 206-543-0624

[Pubcookie Home Page]
Copyright © 2002-2008 University of Washington
UW Technology Services
Pubcookie Contact Info
Modified: February 1, 2010