authboss v2.4.1 Release Notes
Release Date: 2020-05-18
🛠 Fix a security issue where a user could brute-force a password by observing the differing responses the site returned when an incorrect password was entered versus the correct one.
This comes with a slight change in behavior to minimize the differences between the correct-password and incorrect-password code paths: when a login is rejected for locking, the "attempt" time is always ⬆️ bumped in the DB regardless of whether the password was right or wrong.
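The two code paths the note contrasts, as an added Go example that is not authboss's own code: a constructed in-memory User record, a login check that records the attempt only for wrong passwords (the oracle), and one that bumps the attempt time on every rejection of a locked account. The names VulnerableLogin, HardenedLogin and LastAttempt are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// User is a constructed in-memory stand-in for the DB row; the credential is
// stored plain only for brevity (real code compares a hash).
type User struct {
	Password    []byte
	LastAttempt time.Time // the "attempt" time the release note refers to
	LockedUntil time.Time
}

var ErrBadPassword = errors.New("invalid credentials")
var ErrLocked = errors.New("account locked")

func passwordMatches(u *User, pw string) bool {
	return subtle.ConstantTimeCompare(u.Password, []byte(pw)) == 1
}

// VulnerableLogin records the attempt only for wrong passwords, so a locked
// account answers ErrBadPassword to a wrong guess but ErrLocked to the right one.
func VulnerableLogin(u *User, pw string, now time.Time) error {
	if !passwordMatches(u, pw) {
		u.LastAttempt = now
		return ErrBadPassword
	}
	if now.Before(u.LockedUntil) {
		return ErrLocked
	}
	return nil
}

// HardenedLogin lets the lock decide first and bumps LastAttempt on both
// rejection paths, so right and wrong guesses against a locked account match.
func HardenedLogin(u *User, pw string, now time.Time) error {
	ok := passwordMatches(u, pw)
	if now.Before(u.LockedUntil) {
		u.LastAttempt = now
		return ErrLocked
	}
	if !ok {
		u.LastAttempt = now
		return ErrBadPassword
	}
	return nil
}
```

With the hardened handler, a locked account yields the same reply and the same stored attempt time for a right or wrong guess, which removes the signal the vulnerable version leaks.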
Previous changes from v2.4.0
- ➕ Add config option MailNoGoroutine, which prevents the modules from using a goroutine to launch the mailer. This is important because the context it passes from the HTTP request can be cancelled in a race condition, which affects mailer implementations that honor context cancellation.