Hello everyone,
We've released version 0.9.7 of the openid4java library.
The most notable update is the fix for the XML external entity injection
vulnerability. See the change log below for more.
The new version is available for download from the project's home page:
http://code.google.com/p/openid4java/downloads
and can also be easily included in your projects using Maven:
http://code.google.com/p/openid4java/wiki/MavenHowTo
Changelog since the previous version:
-----------------------------------------------------------------------
Notable changes:
Fixed XML external entity injection vulnerability when parsing discovery
data.
Fixed Maven2 dependency declarations for easy inclusion in Maven projects.
HttpClient dependency upgraded to 4.2.2.
Google Guice dependency updated to use the current com.google.inject id.
Configurable consumer nonces.
Default HttpCache limited to 1 minute.
Fixed Attribute Exchange handling of unlimited count request.
Fixed JdbcNonceVerifier database cleanup.
Fixed handling of declared preferred association types.
Fixed handling of PAPE custom auth level.
Plus a few minor bugs.
-----------------------------------------------------------------------
Thanks again to everyone who contributed, either directly or with
feedback and bug reports!
Johnny