On November 24th we released LinOTP 3.2.5 to the repositories.

LinOTP 3.2.5

netgo software GmbH announces a critical vulnerability in LinOTP's Self Service API. This patch is necessary for all versions newer than LinOTP 3.0. A dedicated announcement was published to provide additional details on this vulnerability.

LinOTP 3.2.5 brings new features, improvements and bug fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Ensure that userservice login results in exactly one session cookie per response.
  • Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Download

LinOTP 3.2.5 is available as a Debian package from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive LinOTP 3.2.5 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de.

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.2.5


Features:
  • Use entirely random values for userservice session cookies.

Fix:
  • Ensure that userservice login results in exactly one session cookie per response.
  • Avoid a race condition in userservice request method setup which could lead to a user being erroneously authenticated as a different user.

Packaging:
  • Debian postinst now correctly restarts the LinOTP service again to ensure running the latest version without the need for manual intervention.