Gluu 4.4.1 Release Notes

August 3, 2022

Updates for stability, the introduction of an allowlist and blocklist for redirect_uris (which enhances security if this optional parameter is used) and more secure email handling for MFA (and other email services)

`request_uri` blocklist and allowlist implemented to enhance security

The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference, rather than by value (see the spec). However, when implemented as written in the spec, the request_uri could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP. To mitigate this risk, we’ve implemented both a request_uri blocklist and a request_uri allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration.

Version 4.4.1
- request_uri blocklist and allowlist implemented to enhance security
Version 4.4
- Support for MySQL in Gluu Server virtual machine deployments
Version 4.3
Version 4.2
Version 4.1
Version 4.0

Gluu 4.4.1 Release Notes

Updates for stability, the introduction of an allowlist and blocklist for redirect_uris (which enhances security if this optional parameter is used) and more secure email handling for MFA (and other email services)

request_uri blocklist and allowlist implemented to enhance security

Upgrade to Gluu Enterprise

`request_uri` blocklist and allowlist implemented to enhance security