Connect2id server 15.1.1, 14.11.1
If you have a Connect2id server deployment with client
applications registered to receive
front-channel
or back-channel logout
notifications
we strongly recommend that you apply this update. It fixes a thread-safety bug
that under certain timing conditions could cause clients to receive a bad or
duplicate sid
(session ID) claim in the ID token. This then breaks the
logical link between the ID token and a logout notification that the client may
receive in future.
Updates are provided for both Connect2id server 15.x and 14.x.
If you have a CVE tool it may have recently reported a CVE-2023-51074 and a CVE-2024-21634. Connect2id server deployments are not affected. The libraries that received the CVE reports are used by the server to parse its own configuration properties. They are not used to process user or API input. On the 15.x branch the affected dependencies were updated (along with a few others).
The next Connect2id server releases are going to include new features that have been in the pipeline for some time, such as support for automated cluster-wide key generation and rollover. The upcoming OpenID Federation 1.0 standard is also going to become a more prominent part of the Connect2id server. To find out more about it:
-
Check out the article on the X.509 certificate chain vs the OpenID trust chain talk at the OpenID 2024 Summit in Tokyo, Japan.
-
Meet the specification editors this week at the TIIME event in Copenhagen.
-
Find out how a future TLS 2.0 using OpenID Federation 1.0 trust chains could look like, at the Trends in Digital Identity 2024 in April in Rome, Italy.
-
Another opportunity to meet the editors and implementers is going to be the OAuth Security Workshop, also in April in Rome. Registration will open soon.
-
At Identiverse in May, in Las Vegas.
-
At the European Identity and Cloud Conference 2024 in Berlin, in June.
Download 15.1.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.1.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: e15885b8728fe01bce3702414d42581085216031bdfe5e7b7645d9247da77326
Connect2id server 15.1.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 932b64b89decdede03fa6f053f9c7915fab6d264b0b1399544c529860808c89b
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.1.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 8510ea0b7abd233316258d54ebd09add3a4f5ccd6fa07a2d8066171c781fe3f7
Connect2id server 15.1.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 976ddce9725ec6a2f5d49e6b011f7976602b56c94b613b4d3cd8990833707416
Download 14.11.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.11.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 3ab40362e471ac812298e6ed419d4d0fc6faca4297053972cfe716500f1e5968
Connect2id server 14.11.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: fb8dbdfa7e1c00a97fa77d12a1fc73f7f2bab915390377dbe686b1b141a78c3d
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.11.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 717f5718b240db701c0d630d7f9c90ef6359a0a530c6e6c7b907215b70121f4a
Connect2id server 14.11.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: d7986a02adaefac48fbe204d3fec1e503ba23c0028a1cecac33e73fe2f2c02f1
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.1.1 (2024-01-29)
Resolved issues
- Fixes generation of the optional “sid” (session ID) claim in ID tokens which relied on a non-thread safe use of a SHA-256 message digest. In Connect2id server deployments when two or more “sid” claims need to be generated within a short length of time (<< 1 second) this could result in the “sid” claim receiving an incorrectly computed value or cause the value to leak into the “sid” claim of another ID token. Connect2id server deployments with clients / OpenID relying parties registered to receive logout notifications with a “sid” parameter are strongly advised to update (issue server/967).
Dependency changes
-
Updates to com.nimbusds:infinispan-cachestore-dynamodb:6.0.1
-
Updates to com.nimbusds:c2id-server-property-source:2.0.1
-
Updates to com.nimbusds:software-statement-verifier:2.2.7
14.11.1 (2024-01-29)
Resolved issues
- Fixes generation of the optional “sid” (session ID) claim in ID tokens which relied on a non-thread safe use of a SHA-256 message digest. In Connect2id server deployments when two or more “sid” claims need to be generated within a short length of time (<< 1 second) this could result in the “sid” claim receiving an incorrectly computed value or cause the value to leak into the “sid” claim of another ID token. Connect2id server deployments with clients / OpenID relying parties registered to receive logout notifications with a “sid” parameter are strongly advised to update (issue server/967).