pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc Updated www/ap2-auth-mellon to 0.14.0
details: https://anonhg.NetBSD.org/pkgsrc/rev/f980b74373de
branches: trunk
changeset: 307263:f980b74373de
user: manu <manu%pkgsrc.org@localhost>
date: Fri May 04 02:53:38 2018 +0000
description:
Updated www/ap2-auth-mellon to 0.14.0
Changes since 0.12.0 include a fix for CVE-2017-6807
Version 0.14.0
==============
* Backwards incompatible changes
This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
* New features
Many improvements in what is logged during various errors.
Diagnostics logging, which creates a detailed log during request
processing.
Add support for selecting which signature algorithm is used when
signing messages, and switch to rsa-sha256 by default.
* Bug fixes
Fix segmentation fault in POST replay functionality on empty value.
Fix incorrect error check for many lasso_*-functions.
Fix case sensitive match on MellonUser attribute name.
Version 0.13.1
==============
* Security fix
Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session
specified in the user's session cookie was created for the web site
the user actually accesses.
If two different web sites are hosted on the same web server, and
both web sites use mod_auth_mellon for authentication, this
vulnerability makes it possible for an attacker with access to one
of the web sites to copy their session cookie to the other web
site, and then use the same session to get access to the other web
site.
Thanks to Fran?ois Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vunlerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match
the cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the MellonCookie-option to the same
value on all domains. Bug fixes
Fix segmentation fault if a (trusted) identity provider returns
a SAML 2.0 attribute without a Name.
Fix segmentation fault if MellonPostReplay is enabled but
MellonPostDirectory is not set.
Version 0.13.0
==============
* Security fix
Fix a denial of service attack in the logout handler, which allows
a remote attacker to crash the Apache worker process with a
segmentation fault. This is caused by a null-pointer dereference
when processing a malformed logout message. New features
Allow MellonSecureCookie to be configured to enable just one
of the "httponly" of "secure" flags, instead of always enabling
both flags.
Support per-module log level with Apache 2.4.
Allow disabling the Cache-Control HTTP response header.
Add support for SameSite cookie parameter.
* Bug fixes
Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
respond to the probe request.
Fix mod_auth_mellon interfering with other Apache authentication
modules even when it is disabled for a path.
Fix wrong HTTP status code being returned in some cases during
user permission checks.
Fix default POST size limit to actually be 1 MB.
Fix error if authentication response is missing the optional
Conditions-element.
Fix AJAX requests being redirected to the IdP.
Fix wrong content type for ECP authentication request responses.
In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
diffstat:
doc/CHANGES-2018 | 3 +-
www/ap2-auth-mellon/MESSAGE | 19 +++++++-
www/ap2-auth-mellon/Makefile | 6 +-
www/ap2-auth-mellon/distinfo | 12 ++---
www/ap2-auth-mellon/patches/patch-0274 | 55 ---------------------------
www/ap2-auth-mellon/patches/patch-0347 | 69 ----------------------------------
6 files changed, 26 insertions(+), 138 deletions(-)
diffs (216 lines):
diff -r efd3dfa7c6cf -r f980b74373de doc/CHANGES-2018
--- a/doc/CHANGES-2018 Thu May 03 23:02:49 2018 +0000
+++ b/doc/CHANGES-2018 Fri May 04 02:53:38 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2018,v 1.2155 2018/05/03 23:02:49 wiz Exp $
+$NetBSD: CHANGES-2018,v 1.2156 2018/05/04 02:53:38 manu Exp $
Changes to the packages collection and infrastructure in 2018:
@@ -3013,3 +3013,4 @@
Updated lang/nodejs to 10.0.0 [fhajny 2018-05-03]
Added security/ruby-openssl-ccm version 1.2.1 [minskim 2018-05-03]
Updated net/wireshark to 2.6.0nb1 [wiz 2018-05-03]
+ Updated www/ap2-auth-mellon to 0.14.0 [manu 2018-05-04]
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/MESSAGE
--- a/www/ap2-auth-mellon/MESSAGE Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/MESSAGE Fri May 04 02:53:38 2018 +0000
@@ -1,12 +1,26 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.3 2015/04/01 14:08:13 manu Exp $
+$NetBSD: MESSAGE,v 1.4 2018/05/04 02:53:38 manu Exp $
In order to use this module in your Apache installation, you need to
add the following to your httpd.conf file:
LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
-If upgrading from version prior 0.6.0, please not the following
+If upgrading from version prior 0.14.0, please note the following
+backward-incompatible change:
+
+* This version switches the default signature algorithm used when
+ signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
+ allow messages to be signed with that algorithm, you need to add a
+ setting switching back to the old algorithm:
+
+ MellonSignatureMethod rsa-sha1
+
+ Note that this only affects messages sent from mod_auth_mellon to your
+ IdP. It does not affect authentication responses or other messages
+ sent from your IdP to mod_auth_mellon.
+
+If upgrading from version prior 0.6.0, please note the following
backward-incompatible changes:
* The POST replay functionality has been disabled by default, and the
@@ -29,5 +43,4 @@
startup. (Apache can normally create files in that directory
during startup.)
-
===========================================================================
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/Makefile
--- a/www/ap2-auth-mellon/Makefile Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/Makefile Fri May 04 02:53:38 2018 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.43 2018/04/29 21:32:07 adam Exp $
+# $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $
-DISTNAME= mod_auth_mellon-0.12.0
+DISTNAME= mod_auth_mellon-0.14.0
PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
-PKGREVISION= 8
+#PKGREVISION= 1
CATEGORIES= www security
MASTER_SITES= ${MASTER_SITE_GITHUB:=UNINETT/}/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/distinfo
--- a/www/ap2-auth-mellon/distinfo Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/distinfo Fri May 04 02:53:38 2018 +0000
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.18 2017/03/23 17:07:01 joerg Exp $
+$NetBSD: distinfo,v 1.19 2018/05/04 02:53:38 manu Exp $
-SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
-RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
-SHA512 (mod_auth_mellon-0.12.0.tar.gz) = 91e47509cfab9c6b472226aea79ff0120e71f80262d3b17a31ac691af4aacf58016741255409ec3272e54849efcde7c04f76dcc9670ee921503c8589656e8244
-Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
-SHA1 (patch-0274) = b5dfdd4b944c3d2c3bf47cfb97869aa57c32ea68
-SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca
+SHA1 (mod_auth_mellon-0.14.0.tar.gz) = 4a93f8b093e1dea20e8a286931693c614903f2d9
+RMD160 (mod_auth_mellon-0.14.0.tar.gz) = 71a25b4fb1e9a6183a51225b588b10d330d84903
+SHA512 (mod_auth_mellon-0.14.0.tar.gz) = db1bf70c234fe89914b1bb34fc6afb5b901193a8c8c7e9946485a3e20a7d129c36427717eab53764edf5a5cff5c45dfe412e400cb1f50c49ef24dbbfd6ecbf25
+Size (mod_auth_mellon-0.14.0.tar.gz) = 948785 bytes
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/patches/patch-0274
--- a/www/ap2-auth-mellon/patches/patch-0274 Thu May 03 23:02:49 2018 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-$NetBSD: patch-0274,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From fe0eb56e29f89513b2dcf3c222fa3a2e8a09383f Mon Sep 17 00:00:00 2001
-From: Olav Morken <olav.morken%uninett.no@localhost>
-Date: Mon, 14 Mar 2016 09:47:48 +0100
-Subject: [PATCH 274/274] Return 500 Internal Server Error if probe discovery
- fails.
-
-If we don't, we can end up sending an authentication request to an IdP
-that is not in the MellonProbeDiscoveryIdP list, which is probably not
-what the user wants.
-
-Patch by Emmanuel Dreyfus.
----
- README | 3 +++
- auth_mellon_handler.c | 10 +++++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/README b/README
-index 638329c..4e4f229 100644
---- README
-+++ README
-@@ -471,6 +471,9 @@ MellonPostCount 100
-
- # MellonProbeDiscoveryIdP can be used to restrict the
- # list of IdP queried by the IdP probe discovery service.
-+ # If probe discovery fails and this is provided, an
-+ # HTTP error 500 is returned, instead of proceeding
-+ # with first available IdP.
- #
- # Default unset, which means that all configured IdP are
- # queried.
-diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
-index 7f4b73a..a72e1ca 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
- }
-
- /*
-- * On failure, try default
-+ * On failure, fail if a MellonProbeDiscoveryIdP
-+ * list was provided, otherwise try first IdP.
- */
- if (disco_idp == NULL) {
-+ if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "probeDiscovery failed and non empty "
-+ "MellonProbeDiscoveryIdP was provided.");
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-+
- disco_idp = am_first_idp(r);
- if (disco_idp == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/patches/patch-0347
--- a/www/ap2-auth-mellon/patches/patch-0347 Thu May 03 23:02:49 2018 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-$NetBSD: patch-0347,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From 78fe67641918016a6108e325be351156999109c9 Mon Sep 17 00:00:00 2001
-From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
-Date: Tue, 18 Oct 2016 01:42:53 +0200
-Subject: [PATCH] Do not redirect unauthenticated AJAX request to the IdP
-
-When MellonEnable is "auth" and we get an unauthenticated AJAX
-request (identified by the X-Request-With: XMLHttpRequest HTTP
-header), fail with HTTP code 403 Forbidden instead of redirecting
-to the IdP. This saves resources, as the client has no opportunity
-to interract with the user to complete authentification.
----
- README | 6 ++++++
- auth_mellon_handler.c | 14 ++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git README README
-index ec323ab..5960cc8 100644
---- README
-+++ README
-@@ -166,6 +166,12 @@ MellonPostCount 100
- # return a 403 Forbidden error. If he isn't authenticated
- # then we will redirect him to the login page of the IdP.
- #
-+ # There is a special handling of AJAX requests, that are
-+ # identified by the "X-Request-With: XMLHttpRequest" HTTP
-+ # header. Since no user interaction can happen there,
-+ # we always fail unauthenticated (not logged in) requests
-+ # with a 403 Forbidden error without redirecting to the IdP.
-+ #
- # Default: MellonEnable "off"
- MellonEnable "auth"
-
-diff --git auth_mellon_handler.c auth_mellon_handler.c
-index 0457189..a55828a 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3491,6 +3491,7 @@ int am_auth_mellon_user(request_rec *r)
- am_dir_cfg_rec *dir = am_get_dir_cfg(r);
- int return_code = HTTP_UNAUTHORIZED;
- am_cache_entry_t *session;
-+ const char *ajax_header;
-
- if (r->main) {
- /* We are a subrequest. Trust the main request to have
-@@ -3534,6 +3535,19 @@ int am_auth_mellon_user(request_rec *r)
- am_release_request_session(r, session);
- }
-
-+ /*
-+ * If this is an AJAX request, we cannot proceed to the IdP,
-+ * Just fail early to save our resources
-+ */
-+ ajax_header = apr_table_get(r->headers_in, "X-Request-With");
-+ if (ajax_header != NULL &&
-+ strcmp(ajax_header, "XMLHttpRequest") == 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-+ "Deny unauthenticated X-Request-With XMLHttpRequest "
-+ "(AJAX) request");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- #ifdef HAVE_ECP
- /*
- * If PAOS set a flag on the request indicating we're
---
-2.3.2
-
Home |
Main Index |
Thread Index |
Old Index