CVS commit: pkgsrc

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc
From: "Emmanuel Dreyfus" <manu%netbsd.org@localhost>
Date: Fri, 4 May 2018 02:53:39 +0000

Module Name:    pkgsrc
Committed By:   manu
Date:           Fri May  4 02:53:39 UTC 2018

Modified Files:
        pkgsrc/doc: CHANGES-2018
        pkgsrc/www/ap2-auth-mellon: MESSAGE Makefile distinfo
Removed Files:
        pkgsrc/www/ap2-auth-mellon/patches: patch-0274 patch-0347

Log Message:
Updated www/ap2-auth-mellon to 0.14.0

Changes since 0.12.0 include a fix for CVE-2017-6807

Version 0.14.0
==============

* Backwards incompatible changes

  This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

* New features

    Many improvements in what is logged during various errors.

    Diagnostics logging, which creates a detailed log during request
    processing.

    Add support for selecting which signature algorithm is used when
    signing messages, and switch to rsa-sha256 by default.

* Bug fixes

    Fix segmentation fault in POST replay functionality on empty value.

    Fix incorrect error check for many lasso_*-functions.

    Fix case sensitive match on MellonUser attribute name.

Version 0.13.1
==============

* Security fix

  Fix a cross-site session transfer vulnerability. mod_auth_mellon
  version 0.13.0 and older failed to validate that the session
  specified in the user's session cookie was created for the web site
  the user actually accesses.

  If two different web sites are hosted on the same web server, and
  both web sites use mod_auth_mellon for authentication, this
  vulnerability makes it possible for an attacker with access to one
  of the web sites to copy their session cookie to the other web
  site, and then use the same session to get access to the other web
  site.

  Thanks to Fran�ois Kooman for reporting this vulnerability.

  This vulnerability has been assigned CVE-2017-6807.

  Note: The fix for this vunlerability makes mod_auth_mellon validate
  that the cookie parameters used when creating the session match
  the cookie parameters that should be used when accessing the current
  page. If you currently use mod_auth_mellon across multiple subdomains,
  you must make sure that you set the MellonCookie-option to the same
  value on all domains.  Bug fixes

    Fix segmentation fault if a (trusted) identity provider returns
    a SAML 2.0 attribute without a Name.

    Fix segmentation fault if MellonPostReplay is enabled but
    MellonPostDirectory is not set.

Version 0.13.0
==============

* Security fix

  Fix a denial of service attack in the logout handler, which allows
  a remote attacker to crash the Apache worker process with a
  segmentation fault. This is caused by a null-pointer dereference
  when processing a malformed logout message.  New features

    Allow MellonSecureCookie to be configured to enable just one
    of the "httponly" of "secure" flags, instead of always enabling
    both flags.
    Support per-module log level with Apache 2.4.
    Allow disabling the Cache-Control HTTP response header.
    Add support for SameSite cookie parameter.

* Bug fixes

    Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
    respond to the probe request.
    Fix mod_auth_mellon interfering with other Apache authentication
    modules even when it is disabled for a path.
    Fix wrong HTTP status code being returned in some cases during
    user permission checks.
    Fix default POST size limit to actually be 1 MB.
    Fix error if authentication response is missing the optional
    Conditions-element.
    Fix AJAX requests being redirected to the IdP.
    Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.


To generate a diff of this commit:
cvs rdiff -u -r1.2155 -r1.2156 pkgsrc/doc/CHANGES-2018
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ap2-auth-mellon/MESSAGE
cvs rdiff -u -r1.43 -r1.44 pkgsrc/www/ap2-auth-mellon/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/ap2-auth-mellon/distinfo
cvs rdiff -u -r1.2 -r0 pkgsrc/www/ap2-auth-mellon/patches/patch-0274 \
    pkgsrc/www/ap2-auth-mellon/patches/patch-0347

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/doc/CHANGES-2018
diff -u pkgsrc/doc/CHANGES-2018:1.2155 pkgsrc/doc/CHANGES-2018:1.2156
--- pkgsrc/doc/CHANGES-2018:1.2155      Thu May  3 23:02:49 2018
+++ pkgsrc/doc/CHANGES-2018     Fri May  4 02:53:38 2018
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2018,v 1.2155 2018/05/03 23:02:49 wiz Exp $
+$NetBSD: CHANGES-2018,v 1.2156 2018/05/04 02:53:38 manu Exp $
 
 Changes to the packages collection and infrastructure in 2018:
 
@@ -3013,3 +3013,4 @@ Changes to the packages collection and i
        Updated lang/nodejs to 10.0.0 [fhajny 2018-05-03]
        Added security/ruby-openssl-ccm version 1.2.1 [minskim 2018-05-03]
        Updated net/wireshark to 2.6.0nb1 [wiz 2018-05-03]
+       Updated www/ap2-auth-mellon to 0.14.0 [manu 2018-05-04]

Index: pkgsrc/www/ap2-auth-mellon/MESSAGE
diff -u pkgsrc/www/ap2-auth-mellon/MESSAGE:1.3 pkgsrc/www/ap2-auth-mellon/MESSAGE:1.4
--- pkgsrc/www/ap2-auth-mellon/MESSAGE:1.3      Wed Apr  1 14:08:13 2015
+++ pkgsrc/www/ap2-auth-mellon/MESSAGE  Fri May  4 02:53:38 2018
@@ -1,12 +1,26 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.3 2015/04/01 14:08:13 manu Exp $
+$NetBSD: MESSAGE,v 1.4 2018/05/04 02:53:38 manu Exp $
 
 In order to use this module in your Apache installation, you need to
 add the following to your httpd.conf file:
 
   LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
 
-If upgrading from version prior 0.6.0, please not the following
+If upgrading from version prior 0.14.0, please note the following
+backward-incompatible change:
+
+* This version switches the default signature algorithm used when
+  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
+  allow messages to be signed with that algorithm, you need to add a
+  setting switching back to the old algorithm:
+  
+  MellonSignatureMethod rsa-sha1
+  
+  Note that this only affects messages sent from mod_auth_mellon to your
+  IdP. It does not affect authentication responses or other messages
+  sent from your IdP to mod_auth_mellon.
+
+If upgrading from version prior 0.6.0, please note the following
 backward-incompatible changes:
 
 * The POST replay functionality has been disabled by default, and the
@@ -29,5 +43,4 @@ backward-incompatible changes:
   startup. (Apache can normally create files in that directory
   during startup.)
 
-
 ===========================================================================

Index: pkgsrc/www/ap2-auth-mellon/Makefile
diff -u pkgsrc/www/ap2-auth-mellon/Makefile:1.43 pkgsrc/www/ap2-auth-mellon/Makefile:1.44
--- pkgsrc/www/ap2-auth-mellon/Makefile:1.43    Sun Apr 29 21:32:07 2018
+++ pkgsrc/www/ap2-auth-mellon/Makefile Fri May  4 02:53:38 2018
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.43 2018/04/29 21:32:07 adam Exp $
+# $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $
 
-DISTNAME=      mod_auth_mellon-0.12.0
+DISTNAME=      mod_auth_mellon-0.14.0
 PKGNAME=       ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
-PKGREVISION=   8
+#PKGREVISION=  1
 CATEGORIES=    www security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=UNINETT/}/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 

Index: pkgsrc/www/ap2-auth-mellon/distinfo
diff -u pkgsrc/www/ap2-auth-mellon/distinfo:1.18 pkgsrc/www/ap2-auth-mellon/distinfo:1.19
--- pkgsrc/www/ap2-auth-mellon/distinfo:1.18    Thu Mar 23 17:07:01 2017
+++ pkgsrc/www/ap2-auth-mellon/distinfo Fri May  4 02:53:38 2018
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.18 2017/03/23 17:07:01 joerg Exp $
+$NetBSD: distinfo,v 1.19 2018/05/04 02:53:38 manu Exp $
 
-SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
-RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
-SHA512 (mod_auth_mellon-0.12.0.tar.gz) = 91e47509cfab9c6b472226aea79ff0120e71f80262d3b17a31ac691af4aacf58016741255409ec3272e54849efcde7c04f76dcc9670ee921503c8589656e8244
-Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
-SHA1 (patch-0274) = b5dfdd4b944c3d2c3bf47cfb97869aa57c32ea68
-SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca
+SHA1 (mod_auth_mellon-0.14.0.tar.gz) = 4a93f8b093e1dea20e8a286931693c614903f2d9
+RMD160 (mod_auth_mellon-0.14.0.tar.gz) = 71a25b4fb1e9a6183a51225b588b10d330d84903
+SHA512 (mod_auth_mellon-0.14.0.tar.gz) = db1bf70c234fe89914b1bb34fc6afb5b901193a8c8c7e9946485a3e20a7d129c36427717eab53764edf5a5cff5c45dfe412e400cb1f50c49ef24dbbfd6ecbf25
+Size (mod_auth_mellon-0.14.0.tar.gz) = 948785 bytes

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/lang/nodejs
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/lang/nodejs
Indexes:

Home | Main Index | Thread Index | Old Index