Package: release.debian.org Severity: important User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package libapache2-mod-auth-openidc New upstream releases 2.1.4 and 2.1.5 are bugfix releases which mainly fix the two security holes CVE-2017-6059 and CVE-2017-6062. See attached debdiff Christoph -- ============================================================================ Christoph Martin, Leiter Unix-Systeme Zentrum für Datenverarbeitung, Uni-Mainz, Germany Anselm Franz von Bentzel-Weg 12, 55128 Mainz Telefon: +49(6131)3926337 Instant-Messaging: Jabber: martin@jabber.uni-mainz.de (Siehe http://www.zdv.uni-mainz.de/4010.php)
diff -Nru libapache2-mod-auth-openidc-2.1.3/AUTHORS libapache2-mod-auth-openidc-2.1.5/AUTHORS
--- libapache2-mod-auth-openidc-2.1.3/AUTHORS 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/AUTHORS 2017-01-30 20:26:39.000000000 +0100
@@ -31,3 +31,5 @@
Andy Curtis <https://github.com/asc1>
solsson <https://github.com/solsson>
drdivano <https://github.com/drdivano>
+ AliceWonderMiscreations <https://github.com/AliceWonderMiscreations>
+ Wouter Hund <https://github.com/wouterhund>
diff -Nru libapache2-mod-auth-openidc-2.1.3/ChangeLog libapache2-mod-auth-openidc-2.1.5/ChangeLog
--- libapache2-mod-auth-openidc-2.1.3/ChangeLog 2016-12-13 18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/ChangeLog 2017-01-30 20:06:45.000000000 +0100
@@ -1,3 +1,33 @@
+01/30/2017
+- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user
+- release 2.1.5
+
+01/29/2017
+- fix error message about passing id_token with session type client-cookie; mentioned in #220
+- bump to 2.1.5rc0
+
+01/25/2017
+- release 2.1.4
+
+01/18/2017
+- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke
+
+01/14/2017
+- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
+- bump to 2.1.4rc1
+
+01/10/2017
+- don't crash when data is POST-ed to the redirect URL, it has just 1 POST parameter and it is not "response_mode"
+
+01/2/2017
+- remove trailing linebreaks from input in test-cmd tool
+- bump copyright year to 2017
+
+12/14/2016
+- support Libre SSL, see #205, thanks @AliceWonderMiscreations
+- update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html
+- bump to 2.1.4rc0
+
12/13/2016
- release 2.1.3
diff -Nru libapache2-mod-auth-openidc-2.1.3/configure libapache2-mod-auth-openidc-2.1.5/configure
--- libapache2-mod-auth-openidc-2.1.3/configure 2016-12-13 18:25:23.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/configure 2017-01-30 20:28:17.000000000 +0100
@@ -1,8 +1,8 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.3.
+# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.5.
#
-# Report bugs to <hzandbelt@pingidentity.com>.
+# Report bugs to <hans.zandbelt@zmartzone.eu>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -266,7 +266,7 @@
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: hzandbelt@pingidentity.com about your system, including
+$0: hans.zandbelt@zmartzone.eu about your system, including
$0: any error possibly output before this message. Then
$0: install a modern shell, or manually run the script
$0: under such a shell if you do have one."
@@ -579,9 +579,9 @@
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
-PACKAGE_VERSION='2.1.3'
-PACKAGE_STRING='mod_auth_openidc 2.1.3'
-PACKAGE_BUGREPORT='hzandbelt@pingidentity.com'
+PACKAGE_VERSION='2.1.5'
+PACKAGE_STRING='mod_auth_openidc 2.1.5'
+PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
ac_subst_vars='LTLIBOBJS
@@ -626,7 +626,6 @@
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -711,7 +710,6 @@
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -964,15 +962,6 @@
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1110,7 +1099,7 @@
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1223,7 +1212,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures mod_auth_openidc 2.1.3 to adapt to many kinds of systems.
+\`configure' configures mod_auth_openidc 2.1.5 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1263,7 +1252,6 @@
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -1286,7 +1274,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of mod_auth_openidc 2.1.3:";;
+ short | recursive ) echo "Configuration of mod_auth_openidc 2.1.5:";;
esac
cat <<\_ACEOF
@@ -1328,7 +1316,7 @@
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to <hzandbelt@pingidentity.com>.
+Report bugs to <hans.zandbelt@zmartzone.eu>.
_ACEOF
ac_status=$?
fi
@@ -1391,7 +1379,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-mod_auth_openidc configure 2.1.3
+mod_auth_openidc configure 2.1.5
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1408,7 +1396,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by mod_auth_openidc $as_me 2.1.3, which was
+It was created by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -1757,7 +1745,7 @@
-NAMEVER=mod_auth_openidc-2.1.3
+NAMEVER=mod_auth_openidc-2.1.5
# This section defines the --with-apxs2 option.
@@ -3276,7 +3264,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by mod_auth_openidc $as_me 2.1.3, which was
+This file was extended by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -3323,13 +3311,13 @@
Configuration files:
$config_files
-Report bugs to <hzandbelt@pingidentity.com>."
+Report bugs to <hans.zandbelt@zmartzone.eu>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-mod_auth_openidc config.status 2.1.3
+mod_auth_openidc config.status 2.1.5
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru libapache2-mod-auth-openidc-2.1.3/configure.ac libapache2-mod-auth-openidc-2.1.5/configure.ac
--- libapache2-mod-auth-openidc-2.1.3/configure.ac 2016-12-13 18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/configure.ac 2017-01-30 20:05:16.000000000 +0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.1.3],[hzandbelt@pingidentity.com])
+AC_INIT([mod_auth_openidc],[2.1.5],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -Nru libapache2-mod-auth-openidc-2.1.3/debian/changelog libapache2-mod-auth-openidc-2.1.5/debian/changelog
--- libapache2-mod-auth-openidc-2.1.3/debian/changelog 2017-01-13 15:52:26.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/debian/changelog 2017-02-06 10:56:03.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.1.5-1) unstable; urgency=high
+
+ * Imported Upstream version 2.1.5
+ fixes two security issues:
+ https://github.com/pingidentity/mod_auth_openidc/issues/212
+ https://github.com/pingidentity/mod_auth_openidc/issues/222
+
+ -- Christoph Martin <martin@uni-mainz.de> Mon, 06 Feb 2017 10:56:03 +0100
+
libapache2-mod-auth-openidc (2.1.3-1) unstable; urgency=medium
* Fix watch file
diff -Nru libapache2-mod-auth-openidc-2.1.3/DISCLAIMER libapache2-mod-auth-openidc-2.1.5/DISCLAIMER
--- libapache2-mod-auth-openidc-2.1.3/DISCLAIMER 2016-01-08 21:50:18.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/DISCLAIMER 2017-01-28 14:28:49.000000000 +0100
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2014-2016 Ping Identity Corporation
+ * Copyright (C) 2014-2017 Ping Identity Corporation
* All rights reserved.
*
* Ping Identity Corporation
diff -Nru libapache2-mod-auth-openidc-2.1.3/README.md libapache2-mod-auth-openidc-2.1.5/README.md
--- libapache2-mod-auth-openidc-2.1.3/README.md 2016-11-19 13:46:48.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/README.md 2017-01-28 14:28:49.000000000 +0100
@@ -271,13 +271,16 @@
There is a Google Group/mailing list at:
[mod_auth_openidc@googlegroups.com](mailto:mod_auth_openidc@googlegroups.com)
The corresponding forum/archive is at:
- https://groups.google.com/forum/#!forum/mod_auth_openidc
+ https://groups.google.com/forum/#!forum/mod_auth_openidc
+For commercial support and consultancy you can contact:
+ [info@zmartzone.eu](mailto:info@zmartzone.eu)
+
+Any questions/issues should go to the mailing list, the Github issues tracker or the
+primary author [hans.zandbelt@zmartzone.eu](mailto:hans.zandbelt@zmartzone.eu)
Disclaimer
----------
*This software is open sourced by Ping Identity but not supported commercially
-as such. Any questions/issues should go to the mailing list, the Github issues
-tracker or the author [hzandbelt@pingidentity.com](mailto:hzandbelt@pingidentity.com)
-directly See also the DISCLAIMER file in this directory.*
-
+by Ping Identity, see also the DISCLAIMER file in this directory. For commercial support
+you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above.*
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/authz.c libapache2-mod-auth-openidc-2.1.5/src/authz.c
--- libapache2-mod-auth-openidc-2.1.3/src/authz.c 2016-09-05 22:16:39.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/authz.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* mostly copied from mod_auth_cas
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <http_core.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h
--- libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h 2016-09-09 16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* mem_cache-like interface and semantics (string keys/values) using a storage backend
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef _MOD_AUTH_OPENIDC_CACHE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/file.c libapache2-mod-auth-openidc-2.1.5/src/cache/file.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/file.c 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/file.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a file storage backend
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_hash.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c 2016-01-08 21:50:18.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* global lock implementation
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef WIN32
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c 2016-11-09 19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a memcache backend
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include "apr_general.h"
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c 2016-09-09 16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a Redis backend
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include "apr_general.h"
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c 2016-09-09 16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -48,7 +48,7 @@
* caching using a shared memory backend, FIFO-style
* based on mod_auth_mellon code
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <httpd.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/config.c libapache2-mod-auth-openidc-2.1.5/src/config.c
--- libapache2-mod-auth-openidc-2.1.3/src/config.c 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/config.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.c libapache2-mod-auth-openidc-2.1.5/src/jose.c
--- libapache2-mod-auth-openidc-2.1.3/src/jose.c 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/jose.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* JSON Web Token handling
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
@@ -1061,7 +1061,7 @@
}
const BIGNUM *rsa_n, *rsa_e, *rsa_d;
-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined (LIBRESSL_VERSION_NUMBER)
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
#else
rsa_n = rsa->n;
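Review bot: The new guard `#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined (LIBRESSL_VERSION_NUMBER)` routes every LibreSSL version, present and future, to the direct `rsa->n`/`rsa->e`/`rsa->d` member access, which only compiles while LibreSSL keeps `struct rsa_st` public; a later LibreSSL that makes the struct opaque and ships `RSA_get0_key` would then fail to build instead of taking the accessor branch. A version bound on the LibreSSL side, `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= <first release providing RSA_get0_key>)`, keeps the fix from becoming a regression, and the reason for the exclusion deserves a one-line comment such as `/* LibreSSL reports an OpenSSL 2.0 version number but (at the time of writing) lacks RSA_get0_key() */`. The enclosing function starts outside the hunk.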
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.h libapache2-mod-auth-openidc-2.1.5/src/jose.h
--- libapache2-mod-auth-openidc-2.1.3/src/jose.h 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/jose.h 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* JSON Object Signing and Encryption
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_JOSE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/metadata.c libapache2-mod-auth-openidc-2.1.5/src/metadata.c
--- libapache2-mod-auth-openidc-2.1.3/src/metadata.c 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/metadata.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* OpenID Connect metadata handling routines, for both OP discovery and client registration
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_hash.h>
@@ -535,7 +535,7 @@
json_object_set_new(data, "initiate_login_uri",
json_string(cfg->redirect_uri));
- json_object_set_new(data, "logout_uri",
+ json_object_set_new(data, "frontchannel_logout_uri",
json_string(apr_psprintf(r->pool, "%s?logout=%s", cfg->redirect_uri,
OIDC_GET_STYLE_LOGOUT_PARAM_VALUE)));
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c
--- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c 2016-11-09 19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c 2017-01-30 20:01:47.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -51,7 +51,7 @@
* Other code copied/borrowed/adapted:
* shared memory caching: mod_auth_mellon
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*
**************************************************************************/
@@ -130,6 +130,30 @@
}
/*
+ * scrub all mod_auth_openidc related headers
+ */
+static void oidc_scrub_headers(request_rec *r) {
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+
+ if (cfg->scrub_request_headers != 0) {
+
+ /* scrub all headers starting with OIDC_ first */
+ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
+ oidc_cfg_dir_authn_header(r));
+
+ /*
+ * then see if the claim headers need to be removed on top of that
+ * (i.e. the prefix does not start with the default OIDC_)
+ */
+ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
+ != cfg->claim_prefix)) {
+ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
+ }
+ }
+}
+
+/*
* strip the session cookie from the headers sent to the application/backend
*/
static void oidc_strip_cookies(request_rec *r) {
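Review bot: The prefix test at `if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix))` asks "does claim_prefix start with OIDC_" by way of a substring search, which scans the whole string and reads as something else; `if (strncmp(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX, strlen(OIDC_DEFAULT_HEADER_PREFIX)) != 0)` states the intent directly. Since `oidc_scrub_headers` is now the single place that both authenticated and pass-through requests go through, and it silently does nothing when `cfg->scrub_request_headers` is 0, its header comment should say so, e.g. `/* scrub all mod_auth_openidc related headers; a no-op when OIDCScrubRequestHeaders is off, in which case the application must not trust OIDC_* or claim headers */`. If `claim_prefix` can ever be NULL at this point (not visible in the hunk), both the original `strstr` and a `strncmp` would dereference it, so a guard would be warranted.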
@@ -1260,21 +1284,7 @@
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for security reasons
*/
- if (cfg->scrub_request_headers != 0) {
-
- /* scrub all headers starting with OIDC_ first */
- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
- oidc_cfg_dir_authn_header(r));
-
- /*
- * then see if the claim headers need to be removed on top of that
- * (i.e. the prefix does not start with the default OIDC_)
- */
- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
- != cfg->claim_prefix)) {
- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
- }
- }
+ oidc_scrub_headers(r);
/* set the user authentication HTTP header if set and required */
if ((r->user != NULL) && (authn_header != NULL))
@@ -1302,18 +1312,18 @@
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);
}
- if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
- if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
+ if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
+ if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
const char *s_id_token = NULL;
/* get the compact serialized JWT from the session */
oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &s_id_token);
/* pass the compact serialized JWT to the app in a header or environment variable */
oidc_util_set_app_info(r, "id_token", s_id_token,
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);
+ } else {
+ oidc_error(r,
+ "session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that");
}
- } else {
- oidc_error(r,
- "session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that");
}
/* set the refresh_token in the app headers/variables, if enabled for this location/directory */
@@ -1846,6 +1856,7 @@
/* see if we've got any POST-ed data at all */
if ((apr_table_elts(params)->nelts < 1)
|| ((apr_table_elts(params)->nelts == 1)
+ && apr_table_get(params, "response_mode")
&& (apr_strnatcmp(apr_table_get(params, "response_mode"),
"fragment") == 0))) {
return oidc_util_html_send_error(r, c->error_template,
@@ -2841,11 +2852,15 @@
oidc_handle_redirect_authorization_response(r, c, session);
}
+ oidc_error(r,
+ "The OpenID Connect callback URL received an invalid request: %s; returning HTTP_INTERNAL_SERVER_ERROR",
+ r->args);
+
/* something went wrong */
return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
apr_psprintf(r->pool,
- "The OpenID Connect callback URL received an invalid request: %s",
- r->args), HTTP_INTERNAL_SERVER_ERROR);
+ "The OpenID Connect callback URL received an invalid request"),
+ HTTP_INTERNAL_SERVER_ERROR);
}
/*
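Review bot: The query string removed from the HTML error page is now written verbatim to the error log in `oidc_error(r, "The OpenID Connect callback URL received an invalid request: %s; ...", r->args)`, so attacker-controlled input moves from one sink to another; this is the redirect URI where the OP delivers `code` and `state` (and, with a query response mode, possibly tokens), and although this branch is only reached for requests the dispatch above did not recognise, a partially well-formed response can presumably land here too, so consider logging `r->args` at debug level or truncating it. With the user-visible text now a constant, the `apr_psprintf(r->pool, "The OpenID Connect callback URL received an invalid request")` wrapper does nothing and can be replaced by the string literal. A malformed client request is also still answered with `HTTP_INTERNAL_SERVER_ERROR`; `HTTP_BAD_REQUEST` matches the "Invalid Request" title and avoids 5xx alarms upstream. The enclosing handler starts outside the hunk.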
@@ -2955,6 +2970,13 @@
return HTTP_UNAUTHORIZED;
case OIDC_UNAUTH_PASS:
r->user = "";
+
+ /*
+ * we're not going to pass information about an authenticated user to the application,
+ * but we do need to scrub the headers that mod_auth_openidc would set for security reasons
+ */
+ oidc_scrub_headers(r);
+
return OK;
case OIDC_UNAUTH_AUTHENTICATE:
/* if this is a Javascript path we won't redirect the user and create a state cookie */
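Review bot: The scrub added to the `OIDC_UNAUTH_PASS` case is only effective when `OIDCScrubRequestHeaders` is on, because `oidc_scrub_headers` returns without touching anything when `cfg->scrub_request_headers` is 0; an operator who disabled scrubbing for a trusted front end therefore still lets an unauthenticated client supply `OIDC_CLAIM_*` and the authn header on pass-through locations, and the comment should say so rather than describing the scrub as unconditional, e.g. `/* OIDCUnAuthAction pass: remove any OIDC_* / claim headers the client sent so it cannot forge an identity towards the application (skipped entirely when OIDCScrubRequestHeaders is off) */`. It is also worth recording that `r->user = ""` on the line above makes `r->user` non-NULL for an unauthenticated request, so any downstream `r->user != NULL` test does not mean "authenticated". Whether the session cookie is also stripped on this path (`oidc_strip_cookies`) is not visible in the hunk and deserves a check. The switch continues past the hunk.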
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h
--- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h 2016-12-13 18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h 2017-01-29 15:05:57.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/oauth.c libapache2-mod-auth-openidc-2.1.5/src/oauth.c
--- libapache2-mod-auth-openidc-2.1.3/src/oauth.c 2016-10-20 14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/oauth.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_lib.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.c libapache2-mod-auth-openidc-2.1.5/src/parse.c
--- libapache2-mod-auth-openidc-2.1.3/src/parse.c 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/parse.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.h libapache2-mod-auth-openidc-2.1.5/src/parse.h
--- libapache2-mod-auth-openidc-2.1.3/src/parse.h 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/parse.h 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_PARSE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/proto.c libapache2-mod-auth-openidc-2.1.5/src/proto.c
--- libapache2-mod-auth-openidc-2.1.3/src/proto.c 2016-11-19 13:46:48.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/proto.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <httpd.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/session.c libapache2-mod-auth-openidc-2.1.5/src/session.c
--- libapache2-mod-auth-openidc-2.1.3/src/session.c 2016-12-13 18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/session.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/util.c libapache2-mod-auth-openidc-2.1.5/src/util.c
--- libapache2-mod-auth-openidc-2.1.3/src/util.c 2016-10-20 14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/util.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_strings.h>
@@ -449,28 +449,48 @@
return url;
}
-/* maximum size of any response returned in HTTP calls */
-#define OIDC_CURL_MAX_RESPONSE_SIZE 65536
-
/* buffer to hold HTTP call responses */
typedef struct oidc_curl_buffer {
- char buf[OIDC_CURL_MAX_RESPONSE_SIZE];
- size_t written;
+ request_rec *r;
+ char *memory;
+ size_t size;
} oidc_curl_buffer;
+/* maximum acceptable size of HTTP responses: 1 Mb */
+#define OIDC_CURL_MAX_RESPONSE_SIZE 1024 * 1024
+
/*
* callback for CURL to write bytes that come back from an HTTP call
*/
-size_t oidc_curl_write(const void *ptr, size_t size, size_t nmemb, void *stream) {
- oidc_curl_buffer *curlBuffer = (oidc_curl_buffer *) stream;
+size_t oidc_curl_write(void *contents, size_t size, size_t nmemb, void *userp) {
+ size_t realsize = size * nmemb;
+ oidc_curl_buffer *mem = (oidc_curl_buffer *) userp;
+
+ /* check if we don't run over the maximum buffer/memory size for HTTP responses */
+ if (mem->size + realsize > OIDC_CURL_MAX_RESPONSE_SIZE) {
+ oidc_error(mem->r,
+ "HTTP response larger than maximum allowed size: current size=%ld, additional size=%ld, max=%d",
+ mem->size, realsize, OIDC_CURL_MAX_RESPONSE_SIZE);
+ return 0;
+ }
- if ((nmemb * size) + curlBuffer->written >= OIDC_CURL_MAX_RESPONSE_SIZE)
+ /* allocate the new buffer for the current + new response bytes */
+ char *newptr = apr_palloc(mem->r->pool, mem->size + realsize + 1);
+ if (newptr == NULL) {
+ oidc_error(mem->r,
+ "memory allocation for new buffer of %ld bytes failed",
+ mem->size + realsize + 1);
return 0;
+ }
- memcpy((curlBuffer->buf + curlBuffer->written), ptr, (nmemb * size));
- curlBuffer->written += (nmemb * size);
+ /* copy over the data from current memory plus the cURL buffer */
+ memcpy(newptr, mem->memory, mem->size);
+ memcpy(&(newptr[mem->size]), contents, realsize);
+ mem->size += realsize;
+ mem->memory = newptr;
+ mem->memory[mem->size] = 0;
- return (nmemb * size);
+ return realsize;
}
/* context structure for encoding parameters */
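Review bot: The write callback allocates a brand-new buffer of the entire accumulated size on every chunk (`char *newptr = apr_palloc(mem->r->pool, mem->size + realsize + 1);` followed by a full `memcpy` of the old contents), and APR pool memory is not returned until the request pool is destroyed, so a response near the 1 MB cap arriving in libcurl's usual chunk sizes costs O(n²) copying and leaves the sum of all intermediate buffers in the pool for the life of the request, an amplification any slow or oversized OP endpoint (metadata, JWKS, token, userinfo) can trigger per request. Growing a capacity geometrically keeps the cap but bounds the pool to about 2× the body; the rewrite below adds a `capacity` field, which `oidc_util_http_call` would have to initialise to 0 next to `curlBuffer.size = 0`. Two smaller things in the same hunk: `%ld` is used for `size_t` values in the oversize message (use `%zu`), and `#define OIDC_CURL_MAX_RESPONSE_SIZE 1024 * 1024` should be parenthesised; the first call also does `memcpy(newptr, mem->memory, 0)` with `mem->memory == NULL`, which is technically undefined even for a zero length.
```c
/* buffer to hold HTTP call responses */
typedef struct oidc_curl_buffer {
	request_rec *r;
	char *memory;    /* NUL-terminated response bytes so far (NULL until the first chunk) */
	size_t size;     /* bytes stored in memory, excluding the NUL */
	size_t capacity; /* bytes allocated for memory, including the NUL */
} oidc_curl_buffer;

/* maximum acceptable size of HTTP responses: 1 Mb */
#define OIDC_CURL_MAX_RESPONSE_SIZE (1024 * 1024)

size_t oidc_curl_write(void *contents, size_t size, size_t nmemb, void *userp) {
	size_t realsize = size * nmemb;
	oidc_curl_buffer *mem = (oidc_curl_buffer *) userp;

	/* refuse to grow past the maximum buffer/memory size for HTTP responses */
	if (mem->size + realsize > OIDC_CURL_MAX_RESPONSE_SIZE) {
		oidc_error(mem->r,
				"HTTP response larger than maximum allowed size: current size=%zu, additional size=%zu, max=%d",
				mem->size, realsize, OIDC_CURL_MAX_RESPONSE_SIZE);
		return 0;
	}

	/* grow geometrically: O(n) copying and ~2x body in the pool instead of O(n^2) */
	if (mem->size + realsize + 1 > mem->capacity) {
		size_t newcap = mem->capacity ? mem->capacity : 4096;
		while (newcap < mem->size + realsize + 1)
			newcap *= 2;
		char *newptr = apr_palloc(mem->r->pool, newcap);
		if (newptr == NULL) {
			oidc_error(mem->r,
					"memory allocation for new buffer of %zu bytes failed", newcap);
			return 0;
		}
		/* memcpy from a NULL source is undefined even for length 0 */
		if (mem->size > 0)
			memcpy(newptr, mem->memory, mem->size);
		mem->memory = newptr;
		mem->capacity = newcap;
	}

	memcpy(mem->memory + mem->size, contents, realsize);
	mem->size += realsize;
	mem->memory[mem->size] = 0;

	return realsize;
}
```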
@@ -519,6 +539,9 @@
return FALSE;
}
+ /* set the error buffer as empty before performing a request */
+ curlError[0] = 0;
+
/* some of these are not really required */
curl_easy_setopt(curl, CURLOPT_HEADER, 0L);
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
@@ -531,10 +554,11 @@
curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
/* setup the buffer where the response will be written to */
- curlBuffer.written = 0;
- memset(curlBuffer.buf, '\0', sizeof(curlBuffer.buf));
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, &curlBuffer);
+ curlBuffer.r = r;
+ curlBuffer.memory = NULL;
+ curlBuffer.size = 0;
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_curl_write);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void * )&curlBuffer);
#ifndef LIBCURL_NO_CURLPROTO
curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS,
@@ -635,7 +659,8 @@
/* call it and record the result */
int rv = TRUE;
if (curl_easy_perform(curl) != CURLE_OK) {
- oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url, curlError);
+ oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url,
+ curlError[0] ? curlError : "");
rv = FALSE;
goto out;
}
@@ -644,10 +669,10 @@
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response_code);
oidc_debug(r, "HTTP response code=%ld", response_code);
- *response = apr_pstrndup(r->pool, curlBuffer.buf, curlBuffer.written);
+ *response = apr_pstrndup(r->pool, curlBuffer.memory, curlBuffer.size);
/* set and log the response */
- oidc_debug(r, "response=%s", *response);
+ oidc_debug(r, "response=%s", *response ? *response : "");
out:
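Review bot: `apr_pstrndup` returns NULL when handed a NULL source, so an HTTP call whose body is empty now leaves `*response == NULL`, whereas the previous fixed-buffer code always yielded a (possibly empty) NUL-terminated string; only the debug log on the following line is guarded, and callers of this function outside the hunk that hand `*response` to string or JSON parsing would dereference NULL. Preserving the old contract is a one-line change: `*response = apr_pstrndup(r->pool, curlBuffer.memory ? curlBuffer.memory : "", curlBuffer.size);`. Since oidc_curl_write already NUL-terminates its pool-allocated buffer, the copy could also be dropped altogether (`*response = curlBuffer.memory ? curlBuffer.memory : "";`), avoiding a second up-to-1 MB copy in the request pool.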
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test.c libapache2-mod-auth-openidc-2.1.5/test/test.c
--- libapache2-mod-auth-openidc-2.1.3/test/test.c 2016-10-20 14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/test/test.c 2017-01-28 14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandbelt@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*
**************************************************************************/
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c
--- libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c 2016-11-09 19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c 2017-01-28 14:28:49.000000000 +0100
@@ -1,3 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/***************************************************************************
+ * Copyright (C) 2013-2017 Ping Identity Corporation
+ * All rights reserved.
+ *
+ * For further information please contact:
+ *
+ * Ping Identity Corporation
+ * 1099 18th St Suite 2950
+ * Denver, CO 80202
+ * 303.468.2900
+ * http://www.pingidentity.com
+ *
+ * DISCLAIMER OF WARRANTIES:
+ *
+ * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+ * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING,
+ * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT,
+ * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY
+ * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE
+ * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET
+ * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE
+ * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
+ *
+ **************************************************************************/
+
#include <stdio.h>
#include <string.h>
@@ -47,6 +98,12 @@
(*rbuf)[bytes_read] = '\0';
+ bytes_read--;
+ while ((*rbuf)[bytes_read] == '\n') {
+ (*rbuf)[bytes_read] = '\0';
+ bytes_read --;
+ }
+
apr_file_close(fd);
return 0;
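Review bot: The trailing-newline strip at the top of the hunk has no lower bound: `bytes_read--` runs before any check, so a zero-length file indexes `(*rbuf)[-1]` (or a huge index if `bytes_read` is an unsigned `apr_size_t`), and a file consisting only of newlines walks the loop past the start of the buffer. A bounded form avoids both: `while (bytes_read > 0 && (*rbuf)[bytes_read - 1] == '\n') { (*rbuf)[--bytes_read] = '\0'; }`. The enclosing function starts before the hunk, so the declared type of `bytes_read` is not visible here.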