head	1.2;
access;
symbols
	pkgsrc-2026Q2:1.2.0.2
	pkgsrc-2026Q2-base:1.2
	pkgsrc-2026Q1:1.1.0.38
	pkgsrc-2026Q1-base:1.1
	pkgsrc-2025Q4:1.1.0.36
	pkgsrc-2025Q4-base:1.1
	pkgsrc-2025Q3:1.1.0.34
	pkgsrc-2025Q3-base:1.1
	pkgsrc-2025Q2:1.1.0.32
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.30
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.28
	pkgsrc-2024Q4-base:1.1
	pkgsrc-2024Q3:1.1.0.26
	pkgsrc-2024Q3-base:1.1
	pkgsrc-2024Q2:1.1.0.24
	pkgsrc-2024Q2-base:1.1
	pkgsrc-2024Q1:1.1.0.22
	pkgsrc-2024Q1-base:1.1
	pkgsrc-2023Q4:1.1.0.20
	pkgsrc-2023Q4-base:1.1
	pkgsrc-2023Q3:1.1.0.18
	pkgsrc-2023Q3-base:1.1
	pkgsrc-2023Q2:1.1.0.16
	pkgsrc-2023Q2-base:1.1
	pkgsrc-2023Q1:1.1.0.14
	pkgsrc-2023Q1-base:1.1
	pkgsrc-2022Q4:1.1.0.12
	pkgsrc-2022Q4-base:1.1
	pkgsrc-2022Q3:1.1.0.10
	pkgsrc-2022Q3-base:1.1
	pkgsrc-2022Q2:1.1.0.8
	pkgsrc-2022Q2-base:1.1
	pkgsrc-2022Q1:1.1.0.6
	pkgsrc-2022Q1-base:1.1
	pkgsrc-2021Q4:1.1.0.4
	pkgsrc-2021Q4-base:1.1
	pkgsrc-2021Q3:1.1.0.2
	pkgsrc-2021Q3-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2026.06.13.10.51.14;	author markd;	state Exp;
branches;
next	1.1;
commitid	2BO8cmQQwzLgTCJG;

1.1
date	2021.07.22.15.58.49;	author jperkin;	state Exp;
branches;
next	;
commitid	y0z5NqEL9Tk6202D;


desc
@@


1.2
log
@ap-auth-openidc: update to version 2.4.19.3

== 2.4.19.3

The 2.4.19.x versions use a backwards incompatible session format so
existing sessions (created by versions <=2.4.18.x) are invalid.

Security
* code: fix >25 cases of potential string/URL matching attacks, XSS attacks, buffer overload etc.
* config: fix low-risk - insider admin attack based - security vulnerabilities
* log: do not log refresh tokens at warn/error levels

== 2.4.19

Features
* cookie: support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
* id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will be passed on
* passphrase: generate a crypto key when OIDCCryptoPassphrase is not set

== 2.4.18

Bugfixes
* fix segmentation faults upon gracefully restarting the same process: use the server process pool for static variable allocation rather than the pconf pool
* fix setting OIDCMemCacheConnectionsTTL: interpret the value correctly in seconds instead of microseconds

== 2.4.17

Features
* proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope header/environment variable and make it available for Require claim scope: purposes, if not available as a claim returned in the id_token or userinfo endpoint

Bugfixes
* fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a multi-provider setup
* allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP output generation to the content handler (instead of user id check handler) for the following use cases:
  * OIDCProviderAuthRequestMethod POST
  * OIDCPreservePost On (both internal and template-based)
  * POST page for the implicit grant type
  * Request URI handler
  * internally generated POST logout page
  * session management RP iframe
  * session management logout HTML top-window redirect page

== 2.4.16

Security
* disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well

Features
* add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
* add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
* add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
* add the nbf claim to the Request Object
* store the token_type in the session and make it available on the info hook together with the access_token
* replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss boolean to require the Provider to pass the iss value in authorization responses, mitigating the OP mixup attack
* return HTTP 502 when refreshing access token or userinfo fails (default: 502_on_error)
* add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
* when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes

== 2.4.15

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations.

New Defaults
* use Proof Key for Code Exchange (PKCE S256) by default
* use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
* apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987

== 2.4.14

Deprecated
* OIDCHTMLErrorTemplate is now deprecated in favour of standard Apache error handling capabilities

== 2.4.12

Release 2.4.12 was (re-)certified for all OpenID Connect Relying Party conformance profiles using the OpenID Foundation's certification suite: https://openid.net/certification/#RPs.

== 2.4.11

Note that as of this release running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders for mod_auth_openidc to interpret those headers, thus this may break existing configurations if unmodified for the former.

== 2.4.10

This release improves prevention of state cookies piling up (e.g. for Single Page Applications) by interpreting Sec-Fetch-* headers provided by modern browsers. This also means that - by default - authentication in an iframe is prevented, which may impact existing deployments.

== 2.4.9

Note that the format of encrypted cache contents have changed and as such existing server side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.
@
text
@$NetBSD: patch-configure,v 1.1 2021/07/22 15:58:49 jperkin Exp $

Shell portability.
--- configure.orig 2026-06-01 10:24:45.000000000 +0000 +++ configure @@@@ -15705,7 +15705,7 @@@@ printf "%s\n" "yes" >&6; } with_libbrotlidec=yes fi fi - if test "${with_libbrotlienc}" == "yes" && test "${with_libbrotlidec}" == "yes"; then + if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then HAVE_LIBBROTLI_TRUE= HAVE_LIBBROTLI_FALSE='#' else @@@@ -15816,7 +15816,7 @@@@ fi case "$with_hiredis" in #( yes) : - if test "$HIREDIS_LIBS" == ""; then + if test "$HIREDIS_LIBS" = ""; then pkg_failed=no { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for hiredis" >&5 printf %s "checking for hiredis... " >&6; } @@@@ -15987,15 +15987,15 @@@@ fi if test -n "$with_jq" then - if test "$JQ_CFLAGS" == ""; then - if test "$with_jq" == "yes"; then + if test "$JQ_CFLAGS" = ""; then + if test "$with_jq" = "yes"; then JQ_CFLAGS="-I/usr/include" else JQ_CFLAGS="-I$with_jq/include" fi fi - if test "$JQ_LIBS" == ""; then - if test "$with_jq" == "yes"; then + if test "$JQ_LIBS" = ""; then + if test "$with_jq" = "yes"; then JQ_LIBS="-L/usr/lib -ljq" else JQ_LIBS="-L$with_jq/lib -ljq" @ 1.1 log @ap-auth-openidc: Import version 2.4.8.4 Based on pull request joyent/pkgsrc#309 from Jeff Goeke-Smith. mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- configure.orig 2021-06-02 06:20:17.000000000 +0000 d7 10 a16 2 @@@@ -4181,7 +4181,7 @@@@ fi d19 3 a21 2 - if test "$HIREDIS_LIBS" == ""; then + if test "$HIREDIS_LIBS" = ""; then d25 20 @
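Review bot: in the first hunk (`@@ -15705,7 +15705,7 @@`, the libbrotli check), the original `test "${with_libbrotlienc}" == "yes"` relies on a bash/ksh extension; POSIX `test` defines only `=`, and a strict `/bin/sh` such as dash rejects `==` with `unexpected operator` and returns non-zero, so the `if` silently falls through to the `else` branch and sets `HAVE_LIBBROTLI_TRUE='#'` even when both libraries were detected. Replacing `==` with `=` is the right fix, but since this is the generated `configure` script the same change needs to land in the autoconf source it is generated from (and ideally upstream), otherwise it is lost the next time the script is regenerated.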
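Review bot: in the hiredis hunk (`@@ -15816,7 +15816,7 @@`), `test "$HIREDIS_LIBS" = ""` is correct POSIX; `test -z "$HIREDIS_LIBS"` would be the more idiomatic spelling, but the minimal one-token change is preferable for a vendor patch that has to reapply cleanly across upstream releases. The 1.1 delta below shows this hiredis comparison (then at `@@ -4181,7 +4181,7 @@`) was the only hunk in the original patch, while the libbrotli and jq hunks are new in 1.2, so upstream has been adding further `==` comparisons rather than fixing the existing one; that is a good reason to report the portability issue upstream instead of carrying a growing local patch.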
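Review bot: in the jq hunk (`@@ -15987,15 +15987,15 @@`), the four `==` to `=` replacements are correct and consistent with the other hunks. The unchanged context lines also show that when `with_jq` is `yes` the script falls back to hardcoded `JQ_CFLAGS="-I/usr/include"` and `JQ_LIBS="-L/usr/lib -ljq"`; in a pkgsrc build those paths point outside the package prefix and can resolve to a host libjq rather than the buildlink one. That is out of scope for a shell-portability patch, but it deserves a sentence in the patch header comment or a separate patch if the package ever configures with `--with-jq=yes`.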