OCLC Support

EZproxy 7.3 release notes, February 2024


Release Date: 6 February 2024

Introduction

EZproxy version 7.3 is an incremental release designed to improve the security of EZproxy and provide new functionality. 

Supporting materials

New features and enhancements

  • Added Wiley to the providers supported by the pseudonymous identifier.
  • Updated the OpenSSL bundled with EZproxy to 3.0.11t. OpenSSL 3.0 is a Long Term Support (LTS) release.
  • Email notifications for security rules now include the EZproxy server name, so institutions that run multiple EZproxy servers can tell which server sent the notification.
  • The CookieFilter directive has been enhanced to allow more granular control over which cookies are passed to a proxied website. The directive has been modified as follows:

    The original directive applied globally once placed in config.txt:

    CookieFilter name

    Its syntax has been changed for clarity; it is still a global block of the named cookie:

    CookieFilter -global -block name

    Three additional forms have been introduced to allow more granular control of cookies:

    CookieFilter -global -forward name

    Instructs EZproxy to forward the named cookie to all proxied websites that have stanzas in config.txt.

    CookieFilter -block name

    Position dependent and repeatable. Affects only the resource it is placed around. A wildcard can be used to block all cookies.

    CookieFilter -forward name

    Position dependent and repeatable. Affects only the resource it is placed around. A wildcard can be used to match all cookies.
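    As an added illustration (example configuration, not a fragment from the release notes or from OCLC's own documentation), the following config.txt excerpt combines the global and position-dependent forms. The cookie names, titles and hostnames are hypothetical, the wildcard is assumed to be the * character, and the placement assumes that a position-dependent CookieFilter line governs the stanza that follows it, as other position-dependent config.txt directives do.

```text
# Global rules: apply to every proxied resource in this config.txt.
# Never forward the campus single sign-on cookie (hypothetical name) to any vendor site.
CookieFilter -global -block campus_sso
# A harmless UI preference cookie (hypothetical name) may go everywhere.
CookieFilter -global -forward ui_prefs

# Resource-specific rule: forward one vendor-specific cookie only to this stanza.
# Assumption for this example: the rule applies to the stanza that follows it.
CookieFilter -forward vendor_auth
Title Example Vendor Platform (hypothetical)
URL https://platform.example-vendor.com
Domain example-vendor.com

# Resource-specific rule: block every cookie for a resource that needs none.
# '*' is assumed here to be the wildcard the release notes refer to.
CookieFilter -block *
Title Example Open Archive (hypothetical)
URL https://archive.example.org
Domain example.org
```

    The global block of the SSO cookie is the important line from a security standpoint: without it, a cookie scoped to the proxy hostname can be replayed to every vendor that EZproxy rewrites, and a single vendor compromise would expose it.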
     
  • LDAP now supports StartTLS. With StartTLS, EZproxy opens a plain LDAP connection (an ldap:// URL, normally port 389) and upgrades that same connection to TLS before sending any credentials, instead of connecting to a separate TLS-only port as ldaps:// does.

    The following can be added to the LDAP block in the user.txt file to enable or disable StartTLS:

    StartTLS [enabled or disabled]

    It should appear above the URL directive.

    When using ldap:// URLs with StartTLS:

    disabled – EZproxy will not attempt to negotiate TLS. Bind and search traffic, including user credentials, then travels in the clear.

    enabled – EZproxy will attempt to negotiate TLS over the connection and will block authentication if negotiation fails, so a failed or stripped StartTLS cannot silently downgrade the connection to plaintext.

    When using ldaps:// URLs the StartTLS directive is ignored by EZproxy.

    For more details, please review the LDAP documentation here.
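    As an added example (example configuration, not from the release notes or OCLC's documentation), this user.txt LDAP block turns StartTLS on and places it above the URL directive as required. The hostname, base DN, bind account and password are placeholders; URL, BindUser, BindPassword and IfUnauthenticated are existing EZproxy LDAP block directives.

```text
::LDAP
# Upgrade the plain ldap:// connection to TLS before binding. If the upgrade
# fails, authentication is refused rather than falling back to cleartext.
StartTLS enabled
# Placeholder service account for the initial bind (hypothetical DN and secret).
BindUser cn=ezproxy,ou=service,dc=example,dc=edu
BindPassword replace-with-real-secret
# StartTLS must precede URL. A plain ldap:// URL is correct here: StartTLS
# upgrades this connection in place, it does not use the ldaps:// port.
URL ldap://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub?(objectClass=person)
IfUnauthenticated; Stop
/LDAP
```

    To check the setting is effective, attempt a login while StartTLS is deliberately broken on the directory side (for example, with the server certificate removed on a test server): with StartTLS enabled the login must fail, and a successful login in that state means credentials are being sent unencrypted.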
     

  • The following directives now accept comma-separated values:

    AllowIP
    AutoLoginIP *
    ExcludeIP *
    IncludeIP *
    NeverProxy
    RejectIP
    RedirectSafe

    The directives marked with * appear on the extended status page; each value is shown on a separate line.

    Examples:

    ExcludeIP 192.168.1.1-192.168.1.10, 192.168.2.1-192.168.2.10
    RedirectSafe example.org, other.org

Bug fixes

  • Resolved an issue where the security database migration command caused slow startup.
  • Resolved an issue where EZproxy was not cleaning up the temporary files it creates when retrieving SAML metadata from a URL. If the retrieval failed, EZproxy could leave behind a temporary file named xl####.xml on each failure. EZproxy now removes these files.
  • Resolved a bug that could cause EZproxy hosted on Linux to crash. Previously, if no users were logged in and a specific URL was used to access the server, EZproxy would become unresponsive.
  • Remedied a vulnerability where EZproxy session identifiers were included in the URLs presented in tables on the EZproxy admin status page, exposing them to anyone who could see those URLs. These values are now randomized so they cannot be used to identify a user's specific session.

Known issues

Potential for rules to trip if a site uses Shibboleth authentication and usernames are not set in shibuser.txt.

If the EZproxy session variable login:loguser is not set in shibuser.txt, the default username for every user authenticating via SAML becomes "shibboleth". Because group rules are evaluated per username, all SAML users are then counted as one user and false trips of rules may occur.

Rules with longer watch periods will consume more disk space.

Watch periods of 60 minutes or longer consume more disk space in the /security directory to store the required evidence in the security database. Please monitor disk usage in the /security directory.

Some of the default rules in EZproxy 7.1 contain monitoring periods longer than 60 minutes. If you have disk space constraints, consider commenting out those rules.

Important links

Support website(s)

Support information for this product and related products can be found at: