pkgsrc-Changes archive
CVS commit: pkgsrc/www/ap2-auth-mellon
Module Name: pkgsrc
Committed By: manu
Date: Mon Mar 14 09:58:57 UTC 2016
Modified Files:
pkgsrc/www/ap2-auth-mellon: Makefile distinfo
Added Files:
pkgsrc/www/ap2-auth-mellon/patches: patch-0274
Log Message:
Update mod_auth_mellon to 0.12.0
Fixes CVE-2016-2145 and CVE-2016-2146
Changes since 0.10.0 from NEWS file and patches/patch-0274
patch-0274
---------------------------------------------------------------------------
* Return 500 Internal Server Error if probe discovery fails.
Version 0.12.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
* Add MellonRedirectDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
* Add support for ECP service options in PAOS requests.
* Fix AssertionConsumerService lookup for PAOS requests.
Version 0.11.1
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
Version 0.11.0
---------------------------------------------------------------------------
* Add SAML 2.0 ECP support.
* The MellonDecode option has been disabled. It was used to decode
attributes in a Feide-specific encoding that is no longer used.
* Set max-age=0 in Cache-Control header, to ensure that all browsers
verify the data on each request.
* MellonMergeEnvVars On now accepts second optional parameter, the
separator to be used instead of the default ';'.
* Add option MellonEnvVarsSetCount to specify if the number of values
for any attribute should also be stored in environment variable
suffixed _N.
* Add option MellonEnvVarsIndexStart to specify if environment variables
for multi-valued attributes should start indexing with 0 (default) or
with 1.
* Bugfixes:
  * Fix error about missing authentication with DirectoryIndex in
    Apache 2.4.
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 pkgsrc/www/ap2-auth-mellon/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/www/ap2-auth-mellon/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/ap2-auth-mellon/patches/patch-0274
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.