WebAuth 4.3.3 Announcement
The ITS WebAuth team is chagrined to announce Stanford WebAuth 4.3.3. This is a bug-fix release for the WebKDC and WebLogin services, correcting two memory management errors. One of those errors may theoretically be exploitable, so all users of mod_webkdc or the WebLogin service (or the underlying WebAuth Perl module) from WebAuth 4.2.0 or later should upgrade to this release.
For documentation and downloads of WebAuth 4.3.3, see:
New Debian packages built against Apache 2.4 have been uploaded to Debian experimental.
The user-visible changes in this release are:
Fix a memory initialization issue in the WebKDC that could cause incorrect handling of random multifactor verification, including requiring random multifactor when the WebAuth Application Server didn't request it.
Fix a memory allocation error in the WebAuth Perl module that could cause memory corruption in the WebLogin server.
