head 1.75; access; symbols pkgsrc-2023Q4:1.75.0.2 pkgsrc-2023Q4-base:1.75 pkgsrc-2023Q3:1.73.0.4 pkgsrc-2023Q3-base:1.73 pkgsrc-2023Q2:1.73.0.2 pkgsrc-2023Q2-base:1.73 pkgsrc-2023Q1:1.71.0.4 pkgsrc-2023Q1-base:1.71 pkgsrc-2022Q4:1.71.0.2 pkgsrc-2022Q4-base:1.71 pkgsrc-2022Q3:1.69.0.4 pkgsrc-2022Q3-base:1.69 pkgsrc-2022Q2:1.69.0.2 pkgsrc-2022Q2-base:1.69 pkgsrc-2022Q1:1.68.0.4 pkgsrc-2022Q1-base:1.68 pkgsrc-2021Q4:1.68.0.2 pkgsrc-2021Q4-base:1.68 pkgsrc-2021Q3:1.64.0.4 pkgsrc-2021Q3-base:1.64 pkgsrc-2021Q2:1.64.0.2 pkgsrc-2021Q2-base:1.64 pkgsrc-2021Q1:1.61.0.4 pkgsrc-2021Q1-base:1.61 pkgsrc-2020Q4:1.61.0.2 pkgsrc-2020Q4-base:1.61 pkgsrc-2020Q3:1.60.0.4 pkgsrc-2020Q3-base:1.60 pkgsrc-2020Q2:1.60.0.2 pkgsrc-2020Q2-base:1.60 pkgsrc-2020Q1:1.56.0.2 pkgsrc-2020Q1-base:1.56 pkgsrc-2019Q4:1.53.0.4 pkgsrc-2019Q4-base:1.53 pkgsrc-2019Q3:1.52.0.2 pkgsrc-2019Q3-base:1.52 pkgsrc-2019Q2:1.49.0.4 pkgsrc-2019Q2-base:1.49 pkgsrc-2019Q1:1.49.0.2 pkgsrc-2019Q1-base:1.49 pkgsrc-2018Q4:1.47.0.2 pkgsrc-2018Q4-base:1.47 pkgsrc-2018Q3:1.45.0.2 pkgsrc-2018Q3-base:1.45 pkgsrc-2018Q2:1.44.0.2 pkgsrc-2018Q2-base:1.44 pkgsrc-2018Q1:1.42.0.2 pkgsrc-2018Q1-base:1.42 pkgsrc-2017Q4:1.40.0.6 pkgsrc-2017Q4-base:1.40 pkgsrc-2017Q3:1.40.0.4 pkgsrc-2017Q3-base:1.40 pkgsrc-2017Q2:1.39.0.2 pkgsrc-2017Q2-base:1.39 pkgsrc-2017Q1:1.38.0.2 pkgsrc-2017Q1-base:1.38 pkgsrc-2016Q4:1.37.0.2 pkgsrc-2016Q4-base:1.37 pkgsrc-2016Q3:1.34.0.2 pkgsrc-2016Q3-base:1.34 pkgsrc-2016Q2:1.33.0.4 pkgsrc-2016Q2-base:1.33 pkgsrc-2016Q1:1.33.0.2 pkgsrc-2016Q1-base:1.33 pkgsrc-2015Q4:1.31.0.6 pkgsrc-2015Q4-base:1.31 pkgsrc-2015Q3:1.31.0.4 pkgsrc-2015Q3-base:1.31 pkgsrc-2015Q2:1.31.0.2 pkgsrc-2015Q2-base:1.31 pkgsrc-2015Q1:1.29.0.2 pkgsrc-2015Q1-base:1.29 pkgsrc-2014Q4:1.28.0.8 pkgsrc-2014Q4-base:1.28 pkgsrc-2014Q3:1.28.0.6 pkgsrc-2014Q3-base:1.28 pkgsrc-2014Q2:1.28.0.4 pkgsrc-2014Q2-base:1.28 pkgsrc-2014Q1:1.28.0.2 pkgsrc-2014Q1-base:1.28 pkgsrc-2013Q4:1.26.0.6 pkgsrc-2013Q4-base:1.26 pkgsrc-2013Q3:1.26.0.4 pkgsrc-2013Q3-base:1.26 pkgsrc-2013Q2:1.26.0.2 pkgsrc-2013Q2-base:1.26 pkgsrc-2013Q1:1.25.0.2 pkgsrc-2013Q1-base:1.25 pkgsrc-2012Q4:1.24.0.2 pkgsrc-2012Q4-base:1.24 pkgsrc-2012Q3:1.22.0.2 pkgsrc-2012Q3-base:1.22 pkgsrc-2012Q2:1.21.0.2 pkgsrc-2012Q2-base:1.21 pkgsrc-2012Q1:1.20.0.2 pkgsrc-2012Q1-base:1.20 pkgsrc-2011Q4:1.18.0.2 pkgsrc-2011Q4-base:1.18 pkgsrc-2011Q3:1.17.0.4 pkgsrc-2011Q3-base:1.17 pkgsrc-2011Q2:1.17.0.2 pkgsrc-2011Q2-base:1.17 pkgsrc-2011Q1:1.14.0.2 pkgsrc-2011Q1-base:1.14 pkgsrc-2010Q4:1.13.0.6 pkgsrc-2010Q4-base:1.13 pkgsrc-2010Q3:1.13.0.4 pkgsrc-2010Q3-base:1.13 pkgsrc-2010Q2:1.13.0.2 pkgsrc-2010Q2-base:1.13 pkgsrc-2010Q1:1.12.0.2 pkgsrc-2010Q1-base:1.12 pkgsrc-2009Q4:1.11.0.2 pkgsrc-2009Q4-base:1.11 pkgsrc-2009Q3:1.5.0.2 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.4.0.2 pkgsrc-2009Q2-base:1.4 pkgsrc-2009Q1:1.2.0.2 pkgsrc-2009Q1-base:1.2 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.75 date 2023.11.08.13.21.15; author wiz; state Exp; branches; next 1.74; commitid PsuHTklAIsF4bOLE; 1.74 date 2023.10.24.22.11.24; author wiz; state Exp; branches; next 1.73; commitid MTsrqKm6aGrQAVJE; 1.73 date 2023.04.21.04.27.39; author manu; state Exp; branches; next 1.72; commitid r0rqIx9EowlRHVlE; 1.72 date 2023.04.19.08.11.44; author adam; state Exp; branches; next 1.71; commitid B8gCWhWtMX9vZGlE; 1.71 date 2022.11.23.16.21.17; author adam; state Exp; branches; next 1.70; commitid ju2K3LUYlTJKqQ2E; 1.70 date 2022.10.26.10.32.03; author wiz; state Exp; branches; next 1.69; commitid PVFjlIYUKslkpdZD; 1.69 date 2022.04.18.19.12.15; author adam; state Exp; branches; next 1.68; commitid eC9Na3jrfOOUpIAD; 1.68 date 2021.12.08.16.06.53; author adam; state Exp; branches; next 1.67; commitid 2PyWjHx5T8rqARjD; 1.67 date 2021.11.15.18.17.05; author wiz; state Exp; branches; next 1.66; commitid CdaBjwgL1HaS4VgD; 1.66 date 2021.11.09.01.50.45; author manu; state Exp; branches; next 1.65; commitid Lfbo8kWCscllO3gD; 1.65 date 2021.09.29.19.01.25; author adam; state Exp; branches; next 1.64; commitid WsBUbBM52TSePSaD; 1.64 date 2021.06.08.07.26.52; author manu; state Exp; branches 1.64.4.1; next 1.63; commitid TCTCRjSGKtJfBiWC; 1.63 date 2021.04.21.13.25.28; author adam; state Exp; branches; next 1.62; commitid RAyVO2K5RkoQ8aQC; 1.62 date 2021.04.21.11.42.52; author adam; state Exp; branches; next 1.61; commitid fph0Axs0eT3az9QC; 1.61 date 2020.11.05.09.09.18; author ryoon; state Exp; branches; next 1.60; commitid VqGaBtHnBBcd5GuC; 1.60 date 2020.06.02.08.24.55; author adam; state Exp; branches; next 1.59; commitid nisovMpvvZm3RCaC; 1.59 date 2020.05.22.10.56.44; author adam; state Exp; branches; next 1.58; commitid m1Z0QPvTTTWz3e9C; 1.58 date 2020.05.06.14.05.05; author adam; state Exp; branches; next 1.57; commitid dLR3o37Fk2B5Cb7C; 1.57 date 2020.04.30.16.35.51; author rillig; state Exp; branches; next 1.56; commitid dozWvarhdi8KDq6C; 1.56 date 2020.03.08.16.51.35; author wiz; state Exp; branches; next 1.55; commitid rcNYzTQo8icypCZB; 1.55 date 2020.01.18.21.51.03; author jperkin; state Exp; branches; next 1.54; commitid JW4hJgY8ZdoTFdTB; 1.54 date 2020.01.12.20.20.47; author ryoon; state Exp; branches; next 1.53; commitid 5tyaDUwPevcZnrSB; 1.53 date 2019.11.04.22.09.51; author rillig; state Exp; branches; next 1.52; commitid 3HKsGoZT17shdAJB; 1.52 date 2019.08.22.12.23.52; author ryoon; state Exp; branches; next 1.51; commitid UuiyQ10Dn9Rtl1AB; 1.51 date 2019.07.20.22.46.54; author wiz; state Exp; branches; next 1.50; commitid dMrQLvIeoazTQPvB; 1.50 date 2019.07.01.04.08.51; author ryoon; state Exp; branches; next 1.49; commitid qsMjwmrvOSh6hitB; 1.49 date 2019.03.25.06.21.06; author leot; state Exp; branches; next 1.48; commitid dLZNDazQc9Q0aIgB; 1.48 date 2019.03.23.02.37.42; author manu; state Exp; branches; next 1.47; commitid 7yhrBRDuCBP7ZqgB; 1.47 date 2018.12.13.19.52.25; author adam; state Exp; branches; next 1.46; commitid XjJhLcEnCzYFVF3B; 1.46 date 2018.12.09.21.05.36; author adam; state Exp; branches; next 1.45; commitid Je6d0kS6YPv3ta3B; 1.45 date 2018.08.16.18.55.14; author adam; state Exp; branches; next 1.44; commitid myXuojHMA7ifrnOA; 1.44 date 2018.05.04.02.53.38; author manu; state Exp; branches; next 1.43; commitid WYE8jX3FaxU5rVAA; 1.43 date 2018.04.29.21.32.07; author adam; state Exp; branches; next 1.42; commitid QKwzJtFzAE0cOnAA; 1.42 date 2018.01.01.21.18.55; author adam; state Exp; branches; next 1.41; commitid VDVceOVT4khVwdlA; 1.41 date 2018.01.01.10.23.06; author wiz; state Exp; branches; next 1.40; commitid zjUBNlZlngYbU9lA; 1.40 date 2017.08.24.20.03.41; author adam; state Exp; branches; next 1.39; commitid SAladHuASDqXhv4A; 1.39 date 2017.04.30.01.22.02; author ryoon; state Exp; branches; next 1.38; commitid 1A40BlmMDYkiOuPz; 1.38 date 2017.01.01.16.06.38; author adam; state Exp; branches; next 1.37; commitid jkBZ9Kd0NEyexhAz; 1.37 date 2016.10.27.12.53.13; author manu; state Exp; branches; next 1.36; commitid U4C1X59cz0rBAMrz; 1.36 date 2016.10.18.15.13.41; author manu; state Exp; branches; next 1.35; commitid Mrx455DryexMEDqz; 1.35 date 2016.10.07.18.26.12; author adam; state Exp; branches; next 1.34; commitid WWBLkSP9Isuv4fpz; 1.34 date 2016.09.22.02.44.26; author mef; state Exp; branches; next 1.33; commitid 9LPJwchQOc8Alenz; 1.33 date 2016.03.14.09.58.57; author manu; state Exp; branches; next 1.32; commitid Ix9MXQH30QyhUAYy; 1.32 date 2016.03.05.11.29.34; author jperkin; state Exp; branches; next 1.31; commitid 1LoxeQftu903HrXy; 1.31 date 2015.04.13.08.10.29; author manu; state Exp; branches; next 1.30; commitid c8ZjtPys1PjA7phy; 1.30 date 2015.04.03.15.53.34; author manu; state Exp; branches; next 1.29; commitid WIOd8tGOjP5t0agy; 1.29 date 2015.04.01.14.08.13; author manu; state Exp; branches 1.29.2.1; next 1.28; commitid uNCFjH91zHBEtTfy; 1.28 date 2014.02.12.23.18.43; author tron; state Exp; branches; next 1.27; commitid dfJj7CwMMWJzNRox; 1.27 date 2014.01.01.11.52.37; author wiz; state Exp; branches; next 1.26; commitid QYCwxCyUCmbkmpjx; 1.26 date 2013.04.15.15.35.01; author manu; state Exp; branches; next 1.25; 1.25 date 2013.02.06.23.23.57; author jperkin; state Exp; branches; next 1.24; 1.24 date 2012.12.16.01.52.36; author obache; state Exp; branches; next 1.23; 1.23 date 2012.10.28.06.30.06; author asau; state Exp; branches; next 1.22; 1.22 date 2012.09.15.10.06.44; author obache; state Exp; branches; next 1.21; 1.21 date 2012.06.14.07.44.54; author sbd; state Exp; branches; next 1.20; 1.20 date 2012.03.03.00.14.04; author wiz; state Exp; branches; next 1.19; 1.19 date 2012.02.06.12.41.51; author wiz; state Exp; branches; next 1.18; 1.18 date 2011.12.06.09.58.01; author manu; state Exp; branches; next 1.17; 1.17 date 2011.05.07.05.15.21; author manu; state Exp; branches; next 1.16; 1.16 date 2011.04.22.13.44.57; author obache; state Exp; branches; next 1.15; 1.15 date 2011.04.04.08.45.43; author manu; state Exp; branches; next 1.14; 1.14 date 2011.03.18.09.48.54; author obache; state Exp; branches; next 1.13; 1.13 date 2010.05.31.16.46.30; author manu; state Exp; branches; next 1.12; 1.12 date 2010.01.17.12.02.48; author wiz; state Exp; branches; next 1.11; 1.11 date 2010.01.04.15.43.17; author joerg; state Exp; branches; next 1.10; 1.10 date 2009.12.20.11.31.30; author manu; state Exp; branches; next 1.9; 1.9 date 2009.12.11.14.45.38; author obache; state Exp; branches; next 1.8; 1.8 date 2009.12.11.11.43.37; author obache; state Exp; branches; next 1.7; 1.7 date 2009.12.11.11.38.20; author obache; state Exp; branches; next 1.6; 1.6 date 2009.11.16.09.48.28; author manu; state Exp; branches; next 1.5; 1.5 date 2009.08.11.15.53.41; author manu; state Exp; branches; next 1.4; 1.4 date 2009.06.15.19.45.14; author manu; state Exp; branches; next 1.3; 1.3 date 2009.06.06.10.27.30; author manu; state Exp; branches; next 1.2; 1.2 date 2009.03.03.10.53.15; author manu; state Exp; branches; next 1.1; 1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches 1.1.1.1; next ; 1.64.4.1 date 2021.11.20.22.29.03; author tm; state Exp; branches; next ; commitid MJTM3fpK1yrmjAhD; 1.29.2.1 date 2015.04.18.14.52.51; author bsiegert; state Exp; branches; next ; commitid sKW1Gas45i3Lb5iy; 1.1.1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches; next ; desc @@ 1.75 log @*: recursive bump for icu 74.1 @ text @# $NetBSD: Makefile,v 1.74 2023/10/24 22:11:24 wiz Exp $ DISTNAME= mod_auth_mellon-0.18.1 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g} PKGREVISION= 2 #PKGREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_GITHUB:=latchset/} GITHUB_PROJECT= mod_auth_mellon GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} WRKSRC= ${WRKDIR}/${DISTNAME} MAINTAINER= manu@@NetBSD.org HOMEPAGE= https://github.com/latchset/mod_auth_mellon COMMENT= SAML 2.0 authentication for Apache LICENSE= gnu-gpl-v2 # or later GNU_CONFIGURE= YES USE_LIBTOOL= YES USE_TOOLS+= pkg-config autoconf automake APACHE_MODULE= YES .include "../../mk/apache.mk" SUBST_CLASSES+= pthflags SUBST_STAGE.pthflags= post-configure SUBST_FILES.pthflags= Makefile SUBST_SED.pthflags= -e 's| -pthread | |g' SUBST_NOOP_OK.pthflags= yes INSTALLATION_DIRS+= lib/httpd pre-configure: cd ${WRKSRC} && ./autogen.sh do-install: cd ${WRKSRC} && \ libexecdir=`${APXS} -q LIBEXECDIR` && \ ${APXS} -i -S LIBEXECDIR=${DESTDIR}"$${libexecdir}" \ -n auth_mellon mod_auth_mellon.la .include "../../security/lasso/buildlink3.mk" .include "../../mk/pthread.buildlink3.mk" .include "../../www/curl/buildlink3.mk" .include "../../mk/bsd.pkg.mk" @ 1.74 log @*: bump for openssl 3 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.73 2023/04/21 04:27:39 manu Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.73 log @Updated www/ap2-auth-mellon to 0.18.1 Add persistent sessions patch from upsrtream https://github.com/latchset/mod_auth_mellon/pull/120 Changes since 0.18.0 from the NEWS file: * Logout endpoint can handle POST response. * Ensure compatibility with OpenSSL 3. * Add encryption certificate in mellon_create_metadata.sh. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.72 2023/04/19 08:11:44 adam Exp $ d5 1 @ 1.72 log @revbump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.71 2022/11/23 16:21:17 adam Exp $ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.18.0 a4 1 PKGREVISION= 6 @ 1.71 log @massive revision bump after textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.70 2022/10/26 10:32:03 wiz Exp $ d5 1 a5 1 PKGREVISION= 5 @ 1.70 log @*: bump PKGREVISION for libunistring shlib major bump @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.69 2022/04/18 19:12:15 adam Exp $ d5 1 a5 1 PKGREVISION= 4 @ 1.69 log @revbump for textproc/icu update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.68 2021/12/08 16:06:53 adam Exp $ d5 1 a5 1 PKGREVISION= 3 @ 1.68 log @revbump for icu and libffi @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.67 2021/11/15 18:17:05 wiz Exp $ d5 1 a5 1 PKGREVISION= 2 @ 1.67 log @ap2-auth-mellon: pkglint cleanup @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.66 2021/11/09 01:50:45 manu Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.66 log @Updated www/ap2-auth-mellon to 0.18.0 Change sine 0.17 from NEWS file: Version 0.18.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com /logout.html This version fixes that issue by rejecting all URLs that start with "///". Enhancements: * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds. Bug fixes: * Several build-time fixes * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.65 2021/09/29 19:01:25 adam Exp $ a41 2 BUILDLINK_ABI_DEPENDS.lasso+= lasso>=2.1.0 a44 1 @ 1.65 log @revbump for boost-libs @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.64 2021/06/08 07:26:52 manu Exp $ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.17.0 d10 2 a11 1 GITHUB_RELEASE= v${PKGVERSION_NOREV} d20 1 a20 1 USE_TOOLS+= pkg-config d33 3 @ 1.64 log @Updated www/ap2-auth-mellon to 0.17.0 Switch to Latchset distribution now that Uninett version is abandonware. Changes since 0.14.2 from the NEWS file: Version 0.17.0 --------------------------------------------------------------------------- Enhancements: * New option MellonSendExpectHeader (default On) which allows to disable sending the Expect header in the HTTP-Artifact binding to improve performance when the remote party does not support this header. * Set SameSite attribute to None on on the cookietest cookie. * Bump default generated keysize to 3072 bits in mellon_create_metadata. Bug fixes: * Validate if the assertion ID has not been used earlier before creating a new session. * Release session cache after calling invalidate endpoint. * In MellonCond directives, fix a bug that setting the NC option would also activate substring match and that REG would activate REF. * Fix MellonCond substring match to actually match the substring on the attribute value. Version 0.16.0 --------------------------------------------------------------------------- Enhancements: * The MellonCookieSameSite option accepts a new valid "None". This is intended to be used together with "MellonSecureCookie On". With some newer browsers, only cookies with "SameSite=None; Secure" would be available for cross-site access. * A new option MellonEnabledInvalidateSessionEndpoint was added. When this option is enabled, then a user can invalidate their session locally by calling the "/invalidate" endpoint. Version 0.15.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.14.1 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "http:www.hostname.com". In this case, the APR parsing utility would parse the scheme as http, host as NULL and path as www.hostname.com. Browsers, however, interpret the URL differently and redirect to www.hostname.com. This could be reproduced with: https://application.com/mellon/login?ReturnTo=http:www.hostname.com This version fixes that issue by rejecting all URLs with scheme, but no host name. Enhancements: * A XSLT script that allows converting attribute maps from Shibboleth to a set of MellonSetEnvNoPrefix entries was added. The script can be found at doc/mellon-attribute-map.xsl * A new configuration option MellonEnvPrefix was added. This option allows you to configure the variable prefix, which normally defaults to MELLON_ * A new configuration option MellonAuthnContextComparisonType was added. This option allows you to set the "Comparison" attribute within the AuthnRequest Notable bug fixes: * Compilation issues on Solaris were fixed @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.60 2020/06/02 08:24:55 adam Exp $ d5 1 @ 1.64.4.1 log @Pullup ticket #6533 - requested by bsiegert www/ap2-auth-mellon: security fix Revisions pulled up: - www/ap2-auth-mellon/Makefile 1.66 - www/ap2-auth-mellon/distinfo 1.24 --- Module Name: pkgsrc Committed By: manu Date: Tue Nov 9 01:50:45 UTC 2021 Modified Files: pkgsrc/doc: CHANGES-2021 pkgsrc/www/ap2-auth-mellon: Makefile distinfo Log Message: Updated www/ap2-auth-mellon to 0.18.0 Change sine 0.17 from NEWS file: Version 0.18.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com /logout.html This version fixes that issue by rejecting all URLs that start with "///". Enhancements: * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds. Bug fixes: * Several build-time fixes * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed. @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.18.0 d9 1 a9 2 GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} WRKSRC= ${WRKDIR}/${DISTNAME} d18 1 a18 1 USE_TOOLS+= pkg-config autoconf automake a30 3 pre-configure: cd ${WRKSRC} && ./autogen.sh @ 1.63 log @revbump for boost-libs @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.62 2021/04/21 11:42:52 adam Exp $ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.14.2 a4 1 PKGREVISION= 12 d7 1 a7 1 MASTER_SITES= ${MASTER_SITE_GITHUB:=UNINETT/} d12 1 a12 1 HOMEPAGE= https://github.com/UNINETT/mod_auth_mellon @ 1.62 log @revbump for textproc/icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.61 2020/11/05 09:09:18 ryoon Exp $ d5 1 a5 1 PKGREVISION= 11 @ 1.61 log @*: Recursive revbump from textproc/icu-68.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.60 2020/06/02 08:24:55 adam Exp $ d5 1 a5 1 PKGREVISION= 10 @ 1.60 log @Revbump for icu @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.59 2020/05/22 10:56:44 adam Exp $ d5 1 a5 1 PKGREVISION= 9 @ 1.59 log @revbump after updating security/nettle @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.58 2020/05/06 14:05:05 adam Exp $ d5 1 a5 1 PKGREVISION= 8 @ 1.58 log @revbump after boost update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.57 2020/04/30 16:35:51 rillig Exp $ d5 1 a5 1 PKGREVISION= 7 @ 1.57 log @www/ap2-auth-mellon: fix build with SUBST_NOOP_OK=no The CFLAG -pthread may be added to the Makefile by one of the placeholders, depending on the actual configuration. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.56 2020/03/08 16:51:35 wiz Exp $ d5 1 a5 1 PKGREVISION= 6 @ 1.56 log @*: recursive bump for libffi @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.55 2020/01/18 21:51:03 jperkin Exp $ d28 1 @ 1.55 log @*: Recursive revision bump for openssl 1.1.1. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.54 2020/01/12 20:20:47 ryoon Exp $ d5 1 a5 1 PKGREVISION= 5 @ 1.54 log @*: Recursive revbump from devel/boost-libs @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.53 2019/11/04 22:09:51 rillig Exp $ d5 1 a5 1 PKGREVISION= 4 @ 1.53 log @www: align variable assignments pkglint -Wall -F --only aligned --only indent -r Manually excluded phraseanet since pkglint got the indentation wrong. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.52 2019/08/22 12:23:52 ryoon Exp $ d5 1 a5 1 PKGREVISION= 3 @ 1.52 log @Recursive revbump from boost-1.71.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.51 2019/07/20 22:46:54 wiz Exp $ d37 1 a37 1 BUILDLINK_ABI_DEPENDS.lasso+= lasso>=2.1.0 @ 1.51 log @*: recursive bump for nettle 3.5.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.50 2019/07/01 04:08:51 ryoon Exp $ d5 1 a5 1 PKGREVISION= 2 @ 1.50 log @Recursive revbump from boost-1.70.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.49 2019/03/25 06:21:06 leot Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.49 log @ap2-auth-mellon: Adjust MASTER_SITES handling (NFCI) Use GITHUB_PROJECT and GITHUB_RELEASE instead of manually adjusting MASTER_SITES. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.48 2019/03/23 02:37:42 manu Exp $ d5 1 @ 1.48 log @Updated www/ap2-auth-mellon to 0.14.2 Changes sine 0.14.0 include: - Fix CVE-2019-3878 Authentication bypass when Apache is used as reverse proxy - Fix CVE-2019-3877 Redirect URL validation bypass - Fix environment variables in MellonCond - Fix detection of AJAX requests - Fix trailing semi-colon in Set-Cookie header @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $ d7 3 a9 1 MASTER_SITES= ${MASTER_SITE_GITHUB:=UNINETT/}/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/ @ 1.47 log @revbump for boost 1.69.0 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.46 2018/12/09 21:05:36 adam Exp $ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.14.0 d5 1 a5 1 PKGREVISION= 2 @ 1.46 log @Removed commented-out PKGREVISIONs @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.45 2018/08/16 18:55:14 adam Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.45 log @revbump after boost-libs update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $ a5 1 #PKGREVISION= 1 @ 1.44 log @Updated www/ap2-auth-mellon to 0.14.0 Changes since 0.12.0 include a fix for CVE-2017-6807 Version 0.14.0 ============== * Backwards incompatible changes This version switches the default signature algorithm used when signing messages from rsa-sha1 to rsa-sha256. If your IdP does not allow messages to be signed with that algorithm, you need to add a setting switching back to the old algorithm: MellonSignatureMethod rsa-sha1 Note that this only affects messages sent from mod_auth_mellon to your IdP. It does not affect authentication responses or other messages sent from your IdP to mod_auth_mellon. * New features Many improvements in what is logged during various errors. Diagnostics logging, which creates a detailed log during request processing. Add support for selecting which signature algorithm is used when signing messages, and switch to rsa-sha256 by default. * Bug fixes Fix segmentation fault in POST replay functionality on empty value. Fix incorrect error check for many lasso_*-functions. Fix case sensitive match on MellonUser attribute name. Version 0.13.1 ============== * Security fix Fix a cross-site session transfer vulnerability. mod_auth_mellon version 0.13.0 and older failed to validate that the session specified in the user's session cookie was created for the web site the user actually accesses. If two different web sites are hosted on the same web server, and both web sites use mod_auth_mellon for authentication, this vulnerability makes it possible for an attacker with access to one of the web sites to copy their session cookie to the other web site, and then use the same session to get access to the other web site. Thanks to François Kooman for reporting this vulnerability. This vulnerability has been assigned CVE-2017-6807. Note: The fix for this vunlerability makes mod_auth_mellon validate that the cookie parameters used when creating the session match the cookie parameters that should be used when accessing the current page. If you currently use mod_auth_mellon across multiple subdomains, you must make sure that you set the MellonCookie-option to the same value on all domains. Bug fixes Fix segmentation fault if a (trusted) identity provider returns a SAML 2.0 attribute without a Name. Fix segmentation fault if MellonPostReplay is enabled but MellonPostDirectory is not set. Version 0.13.0 ============== * Security fix Fix a denial of service attack in the logout handler, which allows a remote attacker to crash the Apache worker process with a segmentation fault. This is caused by a null-pointer dereference when processing a malformed logout message. New features Allow MellonSecureCookie to be configured to enable just one of the "httponly" of "secure" flags, instead of always enabling both flags. Support per-module log level with Apache 2.4. Allow disabling the Cache-Control HTTP response header. Add support for SameSite cookie parameter. * Bug fixes Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs respond to the probe request. Fix mod_auth_mellon interfering with other Apache authentication modules even when it is disabled for a path. Fix wrong HTTP status code being returned in some cases during user permission checks. Fix default POST size limit to actually be 1 MB. Fix error if authentication response is missing the optional Conditions-element. Fix AJAX requests being redirected to the IdP. Fix wrong content type for ECP authentication request responses. In addition there are various fixes for errors in the documentation, as well as internal code changes that do not have any user visible effects. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.43 2018/04/29 21:32:07 adam Exp $ d5 1 @ 1.43 log @revbump for boost-libs update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.42 2018/01/01 21:18:55 adam Exp $ d3 1 a3 1 DISTNAME= mod_auth_mellon-0.12.0 d5 1 a5 1 PKGREVISION= 8 @ 1.42 log @Revbump after boost update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.41 2018/01/01 10:23:06 wiz Exp $ d5 1 a5 1 PKGREVISION= 7 @ 1.41 log @apache22: remove, it was eol'd in June 2017 Remove packages that only work with apache22. Remove apache22 references. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.40 2017/08/24 20:03:41 adam Exp $ d5 1 a5 1 PKGREVISION= 6 @ 1.40 log @Revbump for boost update @ text @d1 1 a1 2 # $NetBSD: Makefile,v 1.39 2017/04/30 01:22:02 ryoon Exp $ # a18 1 PKG_APACHE_ACCEPTED= apache22 apache24 a19 1 BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47 @ 1.39 log @Recursive revbump from boost update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.38 2017/01/01 16:06:38 adam Exp $ d6 1 a6 1 PKGREVISION= 5 @ 1.38 log @Revbump after boost update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.37 2016/10/27 12:53:13 manu Exp $ d6 1 a6 1 PKGREVISION= 4 @ 1.37 log @Fix pkglint complains @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.35 2016/10/07 18:26:12 adam Exp $ d6 1 a6 1 PKGREVISION= 3 @ 1.36 log @Do not redirect unauthenticated AJAX request to the IdP When MellonEnable is "auth" and we get an unauthenticated AJAX request (identified by the X-Request-With: XMLHttpRequest HTTP header), fail with HTTP code 403 Forbidden instead of redirecting to the IdP. This saves resources, as the client has no opportunity to interract with the user to complete authentification. @ text @d4 1 a4 1 DISTNAME= mod_auth_mellon-0.12.0 d8 1 a8 1 MASTER_SITES= https://github.com/UNINETT/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/ @ 1.35 log @Revbump post boost update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.34 2016/09/22 02:44:26 mef Exp $ d6 1 a6 1 PKGREVISION= 2 @ 1.34 log @Update HOMEPAGE, previous was 404 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.33 2016/03/14 09:58:57 manu Exp $ d6 1 a6 1 PKGREVISION= 1 @ 1.33 log @Update mod_auth_mellon to 0.12.0 Fixes CVE-2016-2145 and CVE-2016-2146 Changes since 0.10.0 frome NEWS file and patches/patch-0274 patch-0274 --------------------------------------------------------------------------- * Return 500 Internal Server Error if probe discovery fails. Version 0.12.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data. In addition this release contains the following new features and fixes: * Add MellonRedirecDomains option to limit the sites that mod_auth_mellon can redirect to. This option is enabled by default. * Add support for ECP service options in PAOS requests. * Fix AssertionConsumerService lookup for PAOS requests. Version 0.11.1 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data Version 0.11.0 --------------------------------------------------------------------------- * Add SAML 2.0 ECP support. * The MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used. * Set max-age=0 in Cache-Control header, to ensure that all browsers verifies the data on each request. * MellonMergeEnvVars On now accepts second optional parameter, the separator to be used instead of the default ';'. * Add option MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in environment variable suffixed _N. * Add option MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1. * Bugfixes: * Fix error about missing authentication with DirectoryIndex in Apache 2.4. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.31 2015/04/13 08:10:29 manu Exp $ d11 1 a11 1 HOMEPAGE= http://modmellon.googlecode.com/files/ @ 1.32 log @Bump PKGREVISION for security/openssl ABI bump. @ text @d4 1 a4 1 DISTNAME= mod_auth_mellon-0.10.0 a6 1 #PKGREVISION= 1 a17 1 CFLAGS+= -DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0 d37 2 @ 1.31 log @Allow apache 2.4 ito be used with ap2-auth-mellon. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.30 2015/04/03 15:53:34 manu Exp $ d6 1 @ 1.30 log @Remove obsolete PKG_DESTDIR_SUPPORT @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.29 2015/04/01 14:08:13 manu Exp $ d21 1 a21 1 PKG_APACHE_ACCEPTED= apache22 @ 1.29 log @Update mod_auth_mellon after lasso upgrade. Approved by wiz@@ NEWS since last version imported in pkgsrc Version 0.10.0 --------------------------------------------------------------------------- * Make sure that we fail in the unlikely case where OpenSSL is not able to provide us with a secure session id. * Increase the number of key-value pairs in the session to 2048. * Add MellonMergeEnvVars-option to store multi-valued attributes in a single environment variable, separated with ';'. * Bugfixes: * Fix the [MAP] option for MellonCond. * Fix cookie deletion for the session cookie. (Logout is not dependent on the cookie being deleted, so this only fixes the cookie showing up after the session is deleted.) Version 0.9.1 --------------------------------------------------------------------------- * Bugfixes: * Fix session offset calculation that prevented us from having active sessions at once. * Run mod_auth_mellon request handler before most other handlers, so that other handlers cannot block it by accident. Version 0.9.0 --------------------------------------------------------------------------- * Set the AssertionConsumerServiceURL attribute in authentication requests. * Bugfixes: * Fix use of uninitialized data during logout. * Fix session entry overflow leading to segmentation faults. * Fix looking up sessions by NameID, which is used during logout. Version 0.8.1 --------------------------------------------------------------------------- This is a security release with fixes backported from version 0.9.1. It turned out that session overflow bugs fixes in version 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to an user in a different session. (CVE-2014-8566) In addition to the information disclosure, this release contains some fixes for logout processing, where logout requests would crash the Apache web server. (CVE-2014-8567) Version 0.8.0 --------------------------------------------------------------------------- * Add support for receiving HTTP-Artifact identifiers as POST data. * Simplify caching headers. * Map login errors into more appropriate HTTP error codes than 400 Bad Request. * Add MellonNoSuccessErrorPage option to redirect to a error page on login failure. * Turn session storage into a dynamic pool of memory, which means that attribute values (and other items) can have arbitrary sizes as long as they fit in the session as a whole. * Various bugfixes: * Fix for compatibility with recent versions of CURL. * Fix broken option MellonDoNotVerifyLogoutSignature. * Fix deadlock that could occur during logout processing. * Fix some compile warnings. * Fix some NULL derefernce bugs that may lead to segmentation faults. * Fix a minor memory leak during IdP metadata loading. Version 0.7.0 --------------------------------------------------------------------------- * Add MellonSPentityId to control entityId in autogenerated metadata * Fix compatibility with Apache 2.4. * Handle empty RelayState the same as missing RelayState. * Add MellonSetEvnNoPrefix directive to set environment variables without "MELLON_"-prefix. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.26 2013/04/15 15:35:01 manu Exp $ a14 2 PKG_DESTDIR_SUPPORT= user-destdir @ 1.29.2.1 log @Pullup ticket #4668 - requested by manu www/ap2-auth-mellon - apache24 support Revisions pulled up: - www/ap2-auth-mellon/Makefile 1.31 --- Module Name: pkgsrc Committed By: manu Date: Mon Apr 13 08:10:29 UTC 2015 Modified Files: pkgsrc/www/ap2-auth-mellon: Makefile Log Message: Allow apache 2.4 ito be used with ap2-auth-mellon. @ text @d1 1 a1 1 # $NetBSD$ d23 1 a23 1 PKG_APACHE_ACCEPTED= apache22 apache24 @ 1.28 log @Recursive PKGREVISION bump for OpenSSL API version bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.27 2014/01/01 11:52:37 wiz Exp $ d4 2 a5 2 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/} DISTNAME= mod_auth_mellon-0.6.1 a6 1 PKGREVISION= 2 d8 1 a8 1 MASTER_SITES= http://modmellon.googlecode.com/files/ d11 1 a11 1 HOMEPAGE= http://code.google.com/p/modmellon/ a22 1 APACHE_MODULE_NAME= auth_mellon_module a27 1 SUBST_MESSAGES= Remove -pthread flag @ 1.27 log @Recursive PKGREVISION bump for libgcrypt-1.6.0 shlib major bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.26 2013/04/15 15:35:01 manu Exp $ d7 1 a7 1 PKGREVISION= 1 @ 1.26 log @Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream Changes since 0.4.0, from NEWS file: * Add MellonSPentityId to control entityId in autogenerated metadata Version 0.6.1 --------------------------------------------------------------------------- * Fix the POST replay functionality when multiple users logging in at once. * Add a fallback for the case where the POST replay data has expired before the user logs in. Version 0.6.0 --------------------------------------------------------------------------- Backwards-incompatible changes: * The POST replay functionality has been disabled by default, and the automatic creation of the MellonPostDirectory target directory has been removed. If you want to use the POST replay functionality, take a look at the README file for instructions for how to enable this. * Start discovery service when accessing the login endpoint. We used to bypass the discovery service in this case, and just pick the first IdP. This has been changed to send a request to the discovery service instead, if one is configured. * The MellonLockFile default path has been changed to: /var/run/mod_auth_mellon.lock This only affects platforms where a lock file is required and where Apache doesn't have write access to that directory during startup. (Apache can normally create files in that directory during startup.) Other changes: * Fix support for SOAP logout. * Local logout when IdP does not support SAML 2.0 Single Logout. * MellonDoNotVerifyLogoutSignature option to disable logout signature validation. * Support for relative file paths in configuration. * The debian build-directory has been removed from the repository. * Various cleanups and bugfixes: * Fix cookie parsing header parsing for some HTTP libraries. * Fix inheritance of MellonAuthnContextClassRef option. * Use ap_set_content_type() instead of accessing request->content_type. * README indentation cleanups. * Support for even older versions of GLib. * Fixes for error handling during session initialization. * Directly link with GLib rather than relying on the Lasso library linking to it for us. * Some code cleanups. Version 0.5.0 --------------------------------------------------------------------------- * Honour MellonProbeDiscoveryIdP order when sending probes. * MellonAuthnContextClassRef configuration directive, to limit authentication to specific authentication methods. * Support for the HTTP-POST binding when sending authentication requests to the IdP. * MellonSubjectConfirmationDataAddressCheck option to disable received address checking. * Various cleanups and bugfixes: * Support for older versions of GLib and APR. * Send the correct SP entityID to the discovery service. * Do not set response headers twice. * Several cleanups in the code that starts authentication. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.22 2012/09/15 10:06:44 obache Exp $ d7 1 @ 1.25 log @PKGREVISION bumps for the security/openssl 1.0.1d update. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.24 2012/12/16 01:52:36 obache Exp $ d5 2 a6 2 DISTNAME= mod_auth_mellon-0.4.0 PKGREVISION= 7 d15 2 @ 1.24 log @recursive bump from cyrus-sasl libsasl2 shlib major bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.23 2012/10/28 06:30:06 asau Exp $ d6 1 a6 1 PKGREVISION= 6 @ 1.23 log @Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.22 2012/09/15 10:06:44 obache Exp $ d6 1 a6 1 PKGREVISION= 5 @ 1.22 log @recursive bump from libffi shlib major bump (additionaly, reset PKGREVISION of qt4-* sub packages from base qt4 update) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.21 2012/06/14 07:44:54 sbd Exp $ a14 2 PKG_DESTDIR_SUPPORT= user-destdir @ 1.21 log @Recursive PKGREVISION bump for libxml2 buildlink addition. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.20 2012/03/03 00:14:04 wiz Exp $ d6 1 a6 1 PKGREVISION= 4 @ 1.20 log @Recursive bump for pcre-8.30* (shlib major change) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.19 2012/02/06 12:41:51 wiz Exp $ d6 1 a6 1 PKGREVISION= 3 @ 1.19 log @Revbump for a) tiff update to 4.0 (shlib major change) b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk) Enjoy. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.18 2011/12/06 09:58:01 manu Exp $ d6 1 a6 1 PKGREVISION= 2 @ 1.18 log @Update to mod_auth_mellon 0.4.0 plus upstream patch: * Honour MellonProbeDiscoveryIdP order when sending probes * Allow MellonUser variable to be translated through MellonSetEnv * A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP dicovery URL scheme * New MellonCond directive to enable attribute filtering beyond MellonRequire functionalities. * New MellonIdPMetadataGlob directive to load mulitple IdP metadata using a glob(3) pattern. * Support for running behind reverse proxy. * MellonCookieDomain and MellonCookiePath options to configure cookie settings. * Support for loading federation metadata files. * Several bugfixes. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.17 2011/05/07 05:15:21 manu Exp $ d6 1 a6 1 PKGREVISION= 1 @ 1.17 log @Unbreak SP initiated SLO with lasso >= 2.3.5 (patch backported from upstream) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.16 2011/04/22 13:44:57 obache Exp $ d5 2 a6 2 DISTNAME= mod_auth_mellon-0.3.0 PKGREVISION= 3 d20 1 d29 1 a29 1 SUBST_MESSAGES= Convert -pthread flag to apxs style d32 1 a32 1 SUBST_SED.pthflags= -e 's| -pthread | ${"${PTHREAD_CFLAGS:M-pthread}":?-Wc,-pthread:} ${"${PTHREAD_LDFLAGS:M-pthread}":?-Wl,-pthread:} |g' d43 1 @ 1.16 log @recursive bump from gettext-lib shlib bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.15 2011/04/04 08:45:43 manu Exp $ d6 1 a6 1 PKGREVISION= 2 @ 1.15 log @Update ap2-auth-mellon to 2.3.5, plus patches pulled from upstream: Pulled from upcoming 0.3.1 --------------------------------------------------------------------------- * Allow MellonUser variable to be translated through MellonSetEnv * A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP dicovery URL scheme * New MellonCond directive to enable attribute filtering beyond MellonRequire functionalities. * New MellonIdPMetadataGlob directive to load mulitple IdP metadata using a glob(3) pattern. Version 0.3.0 --------------------------------------------------------------------------- * New login-endpoint, which allows easier manual initiation of login requests, and specifying parameters such as IsPassive. * Validation of Conditions and SubjectConfirmation data in the assertion we receive from the IdP. * Various bugfixes. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.14 2011/03/18 09:48:54 obache Exp $ d6 1 a6 1 PKGREVISION= 1 @ 1.14 log @* LICENSE=gnu-gpl-v2 * remove unwanted CONFIGURE_ENV and CONFIGURE_ARGS items. * add a trick to convert `-pthread' flags to apxs style. * add user-destdir installation support @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2010/05/31 16:46:30 manu Exp $ d5 2 a6 1 DISTNAME= mod_auth_mellon-0.2.7 @ 1.13 log @Update to 0.2.7. From the NEWS file: Version 0.2.7 --------------------------------------------------------------------------- * Optionaly ave the remote IdP entityId in the environment * Shibboleth 2 interoperability Version 0.2.6 --------------------------------------------------------------------------- * Fix XSS/DOS vulnerability in repost handler. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2010/01/17 12:02:48 wiz Exp $ d12 3 d22 1 a22 1 PKG_APACHE_ACCEPTED= apache22 d24 1 a24 9 BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47 CPPFLAGS+= -I${BUILDLINK_PREFIX.openssl}/include/openssl OPENSSL_LIBS= -L${PREFIX}/lib -lssl -lcrypto CONFIGURE_ENV+= PKG_CONFIG_PATH=${PREFIX}/lib/pkgconfig CONFIGURE_ENV+= OPENSSL_CFLAGS=${CPPFLAGS:Q} CONFIGURE_ENV+= OPENSSL_LIBS=${OPENSSL_LIBS:Q} CONFIGURE_ARGS+= --with-apxs2=${APXS:Q} d26 13 a38 1 # url2pkg-marker (please do not remove this line.) @ 1.12 log @Recursive PKGREVISION bump for jpeg update to 8. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2010/01/04 15:43:17 joerg Exp $ d5 1 a5 2 DISTNAME= mod_auth_mellon-0.2.5 PKGREVISION= 3 @ 1.11 log @Installation doesn't work with destdir. Make sure to pull include/openssl into the include path. Mark as only for Apache 2.2. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2009/12/20 11:31:30 manu Exp $ d6 1 a6 1 PKGREVISION= 2 @ 1.10 log @Fix a XSS vulnerability @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2009/11/16 09:48:28 manu Exp $ a13 2 PKG_DESTDIR_SUPPORT= destdir d20 1 a20 1 PKG_APACHE_ACCEPTED= apache2 apache22 d24 3 d28 2 a29 2 CONFIGURE_ENV+= OPENSSL_CFLAGS="${CPPFLAGS}" CONFIGURE_ENV+= OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto" @ 1.9 log @Remove additions to CONFIGURE_ENV. They are automatically handled automatically by pkgsrc with more sufficient variables. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2009/12/11 11:43:37 obache Exp $ d6 1 d14 2 d26 3 d31 2 @ 1.8 log @apxs does not support DESTDIR installation. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2009/12/11 11:38:20 obache Exp $ a22 3 CONFIGURE_ENV+= PKG_CONFIG_PATH=${PREFIX}/lib/pkgconfig CONFIGURE_ENV+= OPENSSL_CFLAGS="${CPPFLAGS}" CONFIGURE_ENV+= OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto" @ 1.7 log @Remove comments from url2pkg. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2009/11/16 09:48:28 manu Exp $ a12 2 PKG_DESTDIR_SUPPORT= destdir @ 1.6 log @Update to mod_auth_mellon 0.2.5. From the NEWS file: * Replay POST requests after been sent to the IdP * Fix HTTP response splitting vulnerability. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2009/08/11 15:53:41 manu Exp $ a29 2 # url2pkg-marker (please do not remove this line.) @ 1.5 log @Change since 0.2.4: * Fix for downloads of files with Internet Explorer with SSL enabled. * Mark session as disabled as soon as logout starts, in case the IdP doesn't respond. * Bugfix for session lifetime. Take the session lifetime from the SessionNotOnOrAfter attribute if it is present. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2009/06/15 19:45:14 manu Exp $ d5 1 a5 1 DISTNAME= mod_auth_mellon-0.2.4 @ 1.4 log @Update to 0.2.2. From NEWS: * Improve metadata autogeneration: cleanup certificate, allow Organizarion element data to be supplied from Apache configuration @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2009/06/06 10:27:30 manu Exp $ d5 1 a5 1 DISTNAME= mod_auth_mellon-0.2.2 @ 1.3 log @Update to 0.2.1: * Make SAML authentication assertion and Lasso session available in the environement. * Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.) * Multiple IdP support, with discovery service. * Built in discovery service which tests the availability of each IdP, and uses the first available IdP. * Fix a mutex leak. * MellonSecureCookie option, which enables Secure + HttpOnly flags on session cookies. * Better handling of logout request when the user is already logged out. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2009/03/03 10:53:15 manu Exp $ d5 1 a5 1 DISTNAME= mod_auth_mellon-0.2.1 @ 1.2 log @Add missing version in package names @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $ d5 1 a5 1 DISTNAME= mod_auth_mellon-0.1.0 d28 1 a28 1 CONFIGURE_ARGS+= --with-apxs=${APXS:Q} @ 1.1 log @Initial revision @ text @d1 1 a1 1 # $NetBSD$ d4 1 a4 1 PKGNAME= ${APACHE_PKG_PREFIX}-auth-mellon @ 1.1.1.1 log @mod_auth_mellon is a authentication module for apache. It authenticates the user against a SAML 2.0 IdP, and and grants access to directories depending on attributes received from the IdP. @ text @@