head 1.26; access; symbols pkgsrc-2023Q4:1.26.0.6 pkgsrc-2023Q4-base:1.26 pkgsrc-2023Q3:1.26.0.4 pkgsrc-2023Q3-base:1.26 pkgsrc-2023Q2:1.26.0.2 pkgsrc-2023Q2-base:1.26 pkgsrc-2023Q1:1.25.0.12 pkgsrc-2023Q1-base:1.25 pkgsrc-2022Q4:1.25.0.10 pkgsrc-2022Q4-base:1.25 pkgsrc-2022Q3:1.25.0.8 pkgsrc-2022Q3-base:1.25 pkgsrc-2022Q2:1.25.0.6 pkgsrc-2022Q2-base:1.25 pkgsrc-2022Q1:1.25.0.4 pkgsrc-2022Q1-base:1.25 pkgsrc-2021Q4:1.25.0.2 pkgsrc-2021Q4-base:1.25 pkgsrc-2021Q3:1.21.0.4 pkgsrc-2021Q3-base:1.21 pkgsrc-2021Q2:1.21.0.2 pkgsrc-2021Q2-base:1.21 pkgsrc-2021Q1:1.20.0.18 pkgsrc-2021Q1-base:1.20 pkgsrc-2020Q4:1.20.0.16 pkgsrc-2020Q4-base:1.20 pkgsrc-2020Q3:1.20.0.14 pkgsrc-2020Q3-base:1.20 pkgsrc-2020Q2:1.20.0.12 pkgsrc-2020Q2-base:1.20 pkgsrc-2020Q1:1.20.0.8 pkgsrc-2020Q1-base:1.20 pkgsrc-2019Q4:1.20.0.10 pkgsrc-2019Q4-base:1.20 pkgsrc-2019Q3:1.20.0.6 pkgsrc-2019Q3-base:1.20 pkgsrc-2019Q2:1.20.0.4 pkgsrc-2019Q2-base:1.20 pkgsrc-2019Q1:1.20.0.2 pkgsrc-2019Q1-base:1.20 pkgsrc-2018Q4:1.19.0.6 pkgsrc-2018Q4-base:1.19 pkgsrc-2018Q3:1.19.0.4 pkgsrc-2018Q3-base:1.19 pkgsrc-2018Q2:1.19.0.2 pkgsrc-2018Q2-base:1.19 pkgsrc-2018Q1:1.18.0.12 pkgsrc-2018Q1-base:1.18 pkgsrc-2017Q4:1.18.0.10 pkgsrc-2017Q4-base:1.18 pkgsrc-2017Q3:1.18.0.8 pkgsrc-2017Q3-base:1.18 pkgsrc-2017Q2:1.18.0.4 pkgsrc-2017Q2-base:1.18 pkgsrc-2017Q1:1.18.0.2 pkgsrc-2017Q1-base:1.18 pkgsrc-2016Q4:1.17.0.2 pkgsrc-2016Q4-base:1.17 pkgsrc-2016Q3:1.15.0.6 pkgsrc-2016Q3-base:1.15 pkgsrc-2016Q2:1.15.0.4 pkgsrc-2016Q2-base:1.15 pkgsrc-2016Q1:1.15.0.2 pkgsrc-2016Q1-base:1.15 pkgsrc-2015Q4:1.14.0.2 pkgsrc-2015Q4-base:1.14 pkgsrc-2015Q3:1.13.0.6 pkgsrc-2015Q3-base:1.13 pkgsrc-2015Q2:1.13.0.4 pkgsrc-2015Q2-base:1.13 pkgsrc-2015Q1:1.13.0.2 pkgsrc-2015Q1-base:1.13 pkgsrc-2014Q4:1.12.0.14 pkgsrc-2014Q4-base:1.12 pkgsrc-2014Q3:1.12.0.12 pkgsrc-2014Q3-base:1.12 pkgsrc-2014Q2:1.12.0.10 pkgsrc-2014Q2-base:1.12 pkgsrc-2014Q1:1.12.0.8 pkgsrc-2014Q1-base:1.12 pkgsrc-2013Q4:1.12.0.6 pkgsrc-2013Q4-base:1.12 pkgsrc-2013Q3:1.12.0.4 pkgsrc-2013Q3-base:1.12 pkgsrc-2013Q2:1.12.0.2 pkgsrc-2013Q2-base:1.12 pkgsrc-2013Q1:1.11.0.12 pkgsrc-2013Q1-base:1.11 pkgsrc-2012Q4:1.11.0.10 pkgsrc-2012Q4-base:1.11 pkgsrc-2012Q3:1.11.0.8 pkgsrc-2012Q3-base:1.11 pkgsrc-2012Q2:1.11.0.6 pkgsrc-2012Q2-base:1.11 pkgsrc-2012Q1:1.11.0.4 pkgsrc-2012Q1-base:1.11 pkgsrc-2011Q4:1.11.0.2 pkgsrc-2011Q4-base:1.11 pkgsrc-2011Q3:1.10.0.4 pkgsrc-2011Q3-base:1.10 pkgsrc-2011Q2:1.10.0.2 pkgsrc-2011Q2-base:1.10 pkgsrc-2011Q1:1.8.0.8 pkgsrc-2011Q1-base:1.8 pkgsrc-2010Q4:1.8.0.6 pkgsrc-2010Q4-base:1.8 pkgsrc-2010Q3:1.8.0.4 pkgsrc-2010Q3-base:1.8 pkgsrc-2010Q2:1.8.0.2 pkgsrc-2010Q2-base:1.8 pkgsrc-2010Q1:1.7.0.4 pkgsrc-2010Q1-base:1.7 pkgsrc-2009Q4:1.7.0.2 pkgsrc-2009Q4-base:1.7 pkgsrc-2009Q3:1.5.0.2 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.3.0.2 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.1.1.1.0.2 pkgsrc-2009Q1-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.26 date 2023.04.21.04.27.39; author manu; state Exp; branches; next 1.25; commitid r0rqIx9EowlRHVlE; 1.25 date 2021.11.15.18.16.58; author wiz; state Exp; branches; next 1.24; commitid ih3YIJdeaBpP4VgD; 1.24 date 2021.11.09.01.50.45; author manu; state Exp; branches; next 1.23; commitid Lfbo8kWCscllO3gD; 1.23 date 2021.10.26.11.29.18; author nia; state Exp; branches; next 1.22; commitid Gv0TNLbuylhFsjeD; 1.22 date 2021.10.07.15.07.01; author nia; state Exp; branches; next 1.21; commitid kEwAbZZbki9jhTbD; 1.21 date 2021.06.08.07.26.52; author manu; state Exp; branches 1.21.4.1; next 1.20; commitid TCTCRjSGKtJfBiWC; 1.20 date 2019.03.23.02.37.42; author manu; state Exp; branches; next 1.19; commitid 7yhrBRDuCBP7ZqgB; 1.19 date 2018.05.04.02.53.38; author manu; state Exp; branches; next 1.18; commitid WYE8jX3FaxU5rVAA; 1.18 date 2017.03.23.17.07.01; author joerg; state Exp; branches; next 1.17; commitid wV5cYA8HzDvzgHKz; 1.17 date 2016.10.27.12.53.13; author manu; state Exp; branches; next 1.16; commitid U4C1X59cz0rBAMrz; 1.16 date 2016.10.18.15.13.41; author manu; state Exp; branches; next 1.15; commitid Mrx455DryexMEDqz; 1.15 date 2016.03.14.09.58.57; author manu; state Exp; branches; next 1.14; commitid Ix9MXQH30QyhUAYy; 1.14 date 2015.11.04.02.46.47; author agc; state Exp; branches; next 1.13; commitid iQwY7gbw5lDHJIHy; 1.13 date 2015.04.01.14.08.13; author manu; state Exp; branches; next 1.12; commitid uNCFjH91zHBEtTfy; 1.12 date 2013.04.15.15.35.01; author manu; state Exp; branches; next 1.11; 1.11 date 2011.12.06.09.58.01; author manu; state Exp; branches; next 1.10; 1.10 date 2011.05.07.05.15.21; author manu; state Exp; branches; next 1.9; 1.9 date 2011.04.04.08.45.43; author manu; state Exp; branches; next 1.8; 1.8 date 2010.05.31.16.46.30; author manu; state Exp; branches; next 1.7; 1.7 date 2009.12.20.11.31.30; author manu; state Exp; branches; next 1.6; 1.6 date 2009.11.16.09.48.28; author manu; state Exp; branches; next 1.5; 1.5 date 2009.08.27.19.39.54; author wiz; state Exp; branches; next 1.4; 1.4 date 2009.08.11.15.53.41; author manu; state Exp; branches; next 1.3; 1.3 date 2009.06.15.19.45.14; author manu; state Exp; branches; next 1.2; 1.2 date 2009.06.06.10.27.30; author manu; state Exp; branches; next 1.1; 1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches 1.1.1.1; next ; 1.21.4.1 date 2021.11.20.22.29.03; author tm; state Exp; branches; next ; commitid MJTM3fpK1yrmjAhD; 1.1.1.1 date 2009.03.02.16.47.42; author manu; state Exp; branches; next ; desc @@ 1.26 log @Updated www/ap2-auth-mellon to 0.18.1 Add persistent sessions patch from upsrtream https://github.com/latchset/mod_auth_mellon/pull/120 Changes since 0.18.0 from the NEWS file: * Logout endpoint can handle POST response. * Ensure compatibility with OpenSSL 3. * Add encryption certificate in mellon_create_metadata.sh. @ text @$NetBSD: distinfo,v 1.25 2021/11/15 18:16:58 wiz Exp $ BLAKE2s (mod_auth_mellon-0.18.1.tar.gz) = f1b221f630a236c2404727fd988ac54a3612701450d90bee812f49bc3a1acbb1 SHA512 (mod_auth_mellon-0.18.1.tar.gz) = fab00f1cb00eb9d3f083efaff7ef3b356c4816c996ef86efb495955cd6ee9abb9433d5193e067840a8f0bd555c5ffbab1f8b4a4f3c1e3c09d36b34346a224696 Size (mod_auth_mellon-0.18.1.tar.gz) = 918912 bytes SHA1 (patch-auth_mellon_handler.c) = 3e7ea95ae2dee876dd415cff1a237d5914519aef SHA1 (patch-persistent_sessions) = 203a2ff2312ac5f26763223c3d0a17c13093e0a8 @ 1.25 log @ap2-auth-mellon: use BLAKE2s @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.24 2021/11/09 01:50:45 manu Exp $ d3 5 a7 3 BLAKE2s (mod_auth_mellon-0.18.0.tar.gz) = 8f21b5c8b8a402f3207d0e28cefdc8f66d7136e6302acf8d0ac78f3eb8bcf4e9 SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5 Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes @ 1.24 log @Updated www/ap2-auth-mellon to 0.18.0 Change sine 0.17 from NEWS file: Version 0.18.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com /logout.html This version fixes that issue by rejecting all URLs that start with "///". Enhancements: * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds. Bug fixes: * Several build-time fixes * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.23 2021/10/26 11:29:18 nia Exp $ d3 1 a3 2 SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65 RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001 @ 1.23 log @www: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts): www/nghttp2/distinfo Unfetchable distfiles (almost certainly fetched conditionally...): ./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx-devel/distinfo naxsi-1.3.tar.gz ./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx-devel/distinfo njs-0.5.0.tar.gz ./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz ./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx/distinfo naxsi-1.3.tar.gz ./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx/distinfo njs-0.5.0.tar.gz ./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2021/10/07 15:07:01 nia Exp $ d3 4 a6 3 BLAKE2s (mod_auth_mellon-0.17.0.tar.gz) = a616ec354f289e4ea985c9c59fbd341877a9dbf1eb778dbad44ea93a51956145 SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e Size (mod_auth_mellon-0.17.0.tar.gz) = 955298 bytes @ 1.22 log @www: Remove SHA1 hashes for distfiles @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.21 2021/06/08 07:26:52 manu Exp $ d3 1 a3 1 RMD160 (mod_auth_mellon-0.17.0.tar.gz) = 80454ec3823ec80af73bd5f58f3a051848f1bb90 @ 1.21 log @Updated www/ap2-auth-mellon to 0.17.0 Switch to Latchset distribution now that Uninett version is abandonware. Changes since 0.14.2 from the NEWS file: Version 0.17.0 --------------------------------------------------------------------------- Enhancements: * New option MellonSendExpectHeader (default On) which allows to disable sending the Expect header in the HTTP-Artifact binding to improve performance when the remote party does not support this header. * Set SameSite attribute to None on on the cookietest cookie. * Bump default generated keysize to 3072 bits in mellon_create_metadata. Bug fixes: * Validate if the assertion ID has not been used earlier before creating a new session. * Release session cache after calling invalidate endpoint. * In MellonCond directives, fix a bug that setting the NC option would also activate substring match and that REG would activate REF. * Fix MellonCond substring match to actually match the substring on the attribute value. Version 0.16.0 --------------------------------------------------------------------------- Enhancements: * The MellonCookieSameSite option accepts a new valid "None". This is intended to be used together with "MellonSecureCookie On". With some newer browsers, only cookies with "SameSite=None; Secure" would be available for cross-site access. * A new option MellonEnabledInvalidateSessionEndpoint was added. When this option is enabled, then a user can invalidate their session locally by calling the "/invalidate" endpoint. Version 0.15.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.14.1 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "http:www.hostname.com". In this case, the APR parsing utility would parse the scheme as http, host as NULL and path as www.hostname.com. Browsers, however, interpret the URL differently and redirect to www.hostname.com. This could be reproduced with: https://application.com/mellon/login?ReturnTo=http:www.hostname.com This version fixes that issue by rejecting all URLs with scheme, but no host name. Enhancements: * A XSLT script that allows converting attribute maps from Shibboleth to a set of MellonSetEnvNoPrefix entries was added. The script can be found at doc/mellon-attribute-map.xsl * A new configuration option MellonEnvPrefix was added. This option allows you to configure the variable prefix, which normally defaults to MELLON_ * A new configuration option MellonAuthnContextComparisonType was added. This option allows you to set the "Comparison" attribute within the AuthnRequest Notable bug fixes: * Compilation issues on Solaris were fixed @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2019/03/23 02:37:42 manu Exp $ a2 1 SHA1 (mod_auth_mellon-0.17.0.tar.gz) = df4039cca9d706b10c49ea3435af0382da2b959a @ 1.21.4.1 log @Pullup ticket #6533 - requested by bsiegert www/ap2-auth-mellon: security fix Revisions pulled up: - www/ap2-auth-mellon/Makefile 1.66 - www/ap2-auth-mellon/distinfo 1.24 --- Module Name: pkgsrc Committed By: manu Date: Tue Nov 9 01:50:45 UTC 2021 Modified Files: pkgsrc/doc: CHANGES-2021 pkgsrc/www/ap2-auth-mellon: Makefile distinfo Log Message: Updated www/ap2-auth-mellon to 0.18.0 Change sine 0.17 from NEWS file: Version 0.18.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com /logout.html This version fixes that issue by rejecting all URLs that start with "///". Enhancements: * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds. Bug fixes: * Several build-time fixes * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed. @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65 RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001 SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5 Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes @ 1.20 log @Updated www/ap2-auth-mellon to 0.14.2 Changes sine 0.14.0 include: - Fix CVE-2019-3878 Authentication bypass when Apache is used as reverse proxy - Fix CVE-2019-3877 Redirect URL validation bypass - Fix environment variables in MellonCond - Fix detection of AJAX requests - Fix trailing semi-colon in Set-Cookie header @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2018/05/04 02:53:38 manu Exp $ d3 4 a6 4 SHA1 (mod_auth_mellon-0.14.2.tar.gz) = 35d4359487fb97e9982b501ef3581b49bf985888 RMD160 (mod_auth_mellon-0.14.2.tar.gz) = 412ecf6e1a616ca7c1caa6470976d1f66c8c76e6 SHA512 (mod_auth_mellon-0.14.2.tar.gz) = 9d14b1482a73ce7e86f5f7618454aab8759533649f34fa0088264b7b09dbd90db46011c629303b2f3ad969379937ff5adaa0d7b63a502cdfbba0cd1b762502a6 Size (mod_auth_mellon-0.14.2.tar.gz) = 950737 bytes @ 1.19 log @Updated www/ap2-auth-mellon to 0.14.0 Changes since 0.12.0 include a fix for CVE-2017-6807 Version 0.14.0 ============== * Backwards incompatible changes This version switches the default signature algorithm used when signing messages from rsa-sha1 to rsa-sha256. If your IdP does not allow messages to be signed with that algorithm, you need to add a setting switching back to the old algorithm: MellonSignatureMethod rsa-sha1 Note that this only affects messages sent from mod_auth_mellon to your IdP. It does not affect authentication responses or other messages sent from your IdP to mod_auth_mellon. * New features Many improvements in what is logged during various errors. Diagnostics logging, which creates a detailed log during request processing. Add support for selecting which signature algorithm is used when signing messages, and switch to rsa-sha256 by default. * Bug fixes Fix segmentation fault in POST replay functionality on empty value. Fix incorrect error check for many lasso_*-functions. Fix case sensitive match on MellonUser attribute name. Version 0.13.1 ============== * Security fix Fix a cross-site session transfer vulnerability. mod_auth_mellon version 0.13.0 and older failed to validate that the session specified in the user's session cookie was created for the web site the user actually accesses. If two different web sites are hosted on the same web server, and both web sites use mod_auth_mellon for authentication, this vulnerability makes it possible for an attacker with access to one of the web sites to copy their session cookie to the other web site, and then use the same session to get access to the other web site. Thanks to François Kooman for reporting this vulnerability. This vulnerability has been assigned CVE-2017-6807. Note: The fix for this vunlerability makes mod_auth_mellon validate that the cookie parameters used when creating the session match the cookie parameters that should be used when accessing the current page. If you currently use mod_auth_mellon across multiple subdomains, you must make sure that you set the MellonCookie-option to the same value on all domains. Bug fixes Fix segmentation fault if a (trusted) identity provider returns a SAML 2.0 attribute without a Name. Fix segmentation fault if MellonPostReplay is enabled but MellonPostDirectory is not set. Version 0.13.0 ============== * Security fix Fix a denial of service attack in the logout handler, which allows a remote attacker to crash the Apache worker process with a segmentation fault. This is caused by a null-pointer dereference when processing a malformed logout message. New features Allow MellonSecureCookie to be configured to enable just one of the "httponly" of "secure" flags, instead of always enabling both flags. Support per-module log level with Apache 2.4. Allow disabling the Cache-Control HTTP response header. Add support for SameSite cookie parameter. * Bug fixes Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs respond to the probe request. Fix mod_auth_mellon interfering with other Apache authentication modules even when it is disabled for a path. Fix wrong HTTP status code being returned in some cases during user permission checks. Fix default POST size limit to actually be 1 MB. Fix error if authentication response is missing the optional Conditions-element. Fix AJAX requests being redirected to the IdP. Fix wrong content type for ECP authentication request responses. In addition there are various fixes for errors in the documentation, as well as internal code changes that do not have any user visible effects. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2017/03/23 17:07:01 joerg Exp $ d3 4 a6 4 SHA1 (mod_auth_mellon-0.14.0.tar.gz) = 4a93f8b093e1dea20e8a286931693c614903f2d9 RMD160 (mod_auth_mellon-0.14.0.tar.gz) = 71a25b4fb1e9a6183a51225b588b10d330d84903 SHA512 (mod_auth_mellon-0.14.0.tar.gz) = db1bf70c234fe89914b1bb34fc6afb5b901193a8c8c7e9946485a3e20a7d129c36427717eab53764edf5a5cff5c45dfe412e400cb1f50c49ef24dbbfd6ecbf25 Size (mod_auth_mellon-0.14.0.tar.gz) = 948785 bytes @ 1.18 log @Extend SHA512 checksums to various files I have on my local distfile mirror. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2016/10/27 12:53:13 manu Exp $ d3 4 a6 6 SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc SHA512 (mod_auth_mellon-0.12.0.tar.gz) = 91e47509cfab9c6b472226aea79ff0120e71f80262d3b17a31ac691af4aacf58016741255409ec3272e54849efcde7c04f76dcc9670ee921503c8589656e8244 Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes SHA1 (patch-0274) = b5dfdd4b944c3d2c3bf47cfb97869aa57c32ea68 SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca @ 1.17 log @Fix pkglint complains @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2016/03/14 09:58:57 manu Exp $ d5 1 @ 1.16 log @Do not redirect unauthenticated AJAX request to the IdP When MellonEnable is "auth" and we get an unauthenticated AJAX request (identified by the X-Request-With: XMLHttpRequest HTTP header), fail with HTTP code 403 Forbidden instead of redirecting to the IdP. This saves resources, as the client has no opportunity to interract with the user to complete authentification. @ text @d6 1 a6 1 SHA1 (patch-0274) = e523b560f8220352090db686a32a5f81f6579fda @ 1.15 log @Update mod_auth_mellon to 0.12.0 Fixes CVE-2016-2145 and CVE-2016-2146 Changes since 0.10.0 frome NEWS file and patches/patch-0274 patch-0274 --------------------------------------------------------------------------- * Return 500 Internal Server Error if probe discovery fails. Version 0.12.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data. In addition this release contains the following new features and fixes: * Add MellonRedirecDomains option to limit the sites that mod_auth_mellon can redirect to. This option is enabled by default. * Add support for ECP service options in PAOS requests. * Fix AssertionConsumerService lookup for PAOS requests. Version 0.11.1 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data Version 0.11.0 --------------------------------------------------------------------------- * Add SAML 2.0 ECP support. * The MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used. * Set max-age=0 in Cache-Control header, to ensure that all browsers verifies the data on each request. * MellonMergeEnvVars On now accepts second optional parameter, the separator to be used instead of the default ';'. * Add option MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in environment variable suffixed _N. * Add option MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1. * Bugfixes: * Fix error about missing authentication with DirectoryIndex in Apache 2.4. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2015/04/01 14:08:13 manu Exp $ d7 1 @ 1.14 log @Add SHA512 digests for distfiles for www category Problems found locating distfiles: Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2 Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail. @ text @d3 4 a6 4 SHA1 (mod_auth_mellon-0.10.0.tar.gz) = 853bd8506c3e70c9f0b7f7c6625a0c896dcf92bc RMD160 (mod_auth_mellon-0.10.0.tar.gz) = 7f8e40a9a7a5a7c5df772523dbb2c65e34658364 SHA512 (mod_auth_mellon-0.10.0.tar.gz) = 7a3958f1e151a3f1521b8cddf605c201bdd2fd23d44a12052192c13faa9bec46dc4b9c731ed94e6f85fd1e2b0c5b3798136867db2404df478a83485fe7bd24ed Size (mod_auth_mellon-0.10.0.tar.gz) = 115727 bytes @ 1.13 log @Update mod_auth_mellon after lasso upgrade. Approved by wiz@@ NEWS since last version imported in pkgsrc Version 0.10.0 --------------------------------------------------------------------------- * Make sure that we fail in the unlikely case where OpenSSL is not able to provide us with a secure session id. * Increase the number of key-value pairs in the session to 2048. * Add MellonMergeEnvVars-option to store multi-valued attributes in a single environment variable, separated with ';'. * Bugfixes: * Fix the [MAP] option for MellonCond. * Fix cookie deletion for the session cookie. (Logout is not dependent on the cookie being deleted, so this only fixes the cookie showing up after the session is deleted.) Version 0.9.1 --------------------------------------------------------------------------- * Bugfixes: * Fix session offset calculation that prevented us from having active sessions at once. * Run mod_auth_mellon request handler before most other handlers, so that other handlers cannot block it by accident. Version 0.9.0 --------------------------------------------------------------------------- * Set the AssertionConsumerServiceURL attribute in authentication requests. * Bugfixes: * Fix use of uninitialized data during logout. * Fix session entry overflow leading to segmentation faults. * Fix looking up sessions by NameID, which is used during logout. Version 0.8.1 --------------------------------------------------------------------------- This is a security release with fixes backported from version 0.9.1. It turned out that session overflow bugs fixes in version 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to an user in a different session. (CVE-2014-8566) In addition to the information disclosure, this release contains some fixes for logout processing, where logout requests would crash the Apache web server. (CVE-2014-8567) Version 0.8.0 --------------------------------------------------------------------------- * Add support for receiving HTTP-Artifact identifiers as POST data. * Simplify caching headers. * Map login errors into more appropriate HTTP error codes than 400 Bad Request. * Add MellonNoSuccessErrorPage option to redirect to a error page on login failure. * Turn session storage into a dynamic pool of memory, which means that attribute values (and other items) can have arbitrary sizes as long as they fit in the session as a whole. * Various bugfixes: * Fix for compatibility with recent versions of CURL. * Fix broken option MellonDoNotVerifyLogoutSignature. * Fix deadlock that could occur during logout processing. * Fix some compile warnings. * Fix some NULL derefernce bugs that may lead to segmentation faults. * Fix a minor memory leak during IdP metadata loading. Version 0.7.0 --------------------------------------------------------------------------- * Add MellonSPentityId to control entityId in autogenerated metadata * Fix compatibility with Apache 2.4. * Handle empty RelayState the same as missing RelayState. * Add MellonSetEvnNoPrefix directive to set environment variables without "MELLON_"-prefix. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2013/04/15 15:35:01 manu Exp $ d5 1 @ 1.12 log @Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream Changes since 0.4.0, from NEWS file: * Add MellonSPentityId to control entityId in autogenerated metadata Version 0.6.1 --------------------------------------------------------------------------- * Fix the POST replay functionality when multiple users logging in at once. * Add a fallback for the case where the POST replay data has expired before the user logs in. Version 0.6.0 --------------------------------------------------------------------------- Backwards-incompatible changes: * The POST replay functionality has been disabled by default, and the automatic creation of the MellonPostDirectory target directory has been removed. If you want to use the POST replay functionality, take a look at the README file for instructions for how to enable this. * Start discovery service when accessing the login endpoint. We used to bypass the discovery service in this case, and just pick the first IdP. This has been changed to send a request to the discovery service instead, if one is configured. * The MellonLockFile default path has been changed to: /var/run/mod_auth_mellon.lock This only affects platforms where a lock file is required and where Apache doesn't have write access to that directory during startup. (Apache can normally create files in that directory during startup.) Other changes: * Fix support for SOAP logout. * Local logout when IdP does not support SAML 2.0 Single Logout. * MellonDoNotVerifyLogoutSignature option to disable logout signature validation. * Support for relative file paths in configuration. * The debian build-directory has been removed from the repository. * Various cleanups and bugfixes: * Fix cookie parsing header parsing for some HTTP libraries. * Fix inheritance of MellonAuthnContextClassRef option. * Use ap_set_content_type() instead of accessing request->content_type. * README indentation cleanups. * Support for even older versions of GLib. * Fixes for error handling during session initialization. * Directly link with GLib rather than relying on the Lasso library linking to it for us. * Some code cleanups. Version 0.5.0 --------------------------------------------------------------------------- * Honour MellonProbeDiscoveryIdP order when sending probes. * MellonAuthnContextClassRef configuration directive, to limit authentication to specific authentication methods. * Support for the HTTP-POST binding when sending authentication requests to the IdP. * MellonSubjectConfirmationDataAddressCheck option to disable received address checking. * Various cleanups and bugfixes: * Support for older versions of GLib and APR. * Send the correct SP entityID to the discovery service. * Do not set response headers twice. * Several cleanups in the code that starts authentication. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2011/12/06 09:58:01 manu Exp $ d3 3 a5 4 SHA1 (mod_auth_mellon-0.6.1.tar.gz) = c1704daaafdb2105ee5f1d488f88ec914f2dd646 RMD160 (mod_auth_mellon-0.6.1.tar.gz) = 0cef669feeb0fba516cd934f1fe8a93e6bc67239 Size (mod_auth_mellon-0.6.1.tar.gz) = 108734 bytes SHA1 (patch-aj) = c8219d53538cf9e10acaec861a66a3f29e22a582 @ 1.11 log @Update to mod_auth_mellon 0.4.0 plus upstream patch: * Honour MellonProbeDiscoveryIdP order when sending probes * Allow MellonUser variable to be translated through MellonSetEnv * A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP dicovery URL scheme * New MellonCond directive to enable attribute filtering beyond MellonRequire functionalities. * New MellonIdPMetadataGlob directive to load mulitple IdP metadata using a glob(3) pattern. * Support for running behind reverse proxy. * MellonCookieDomain and MellonCookiePath options to configure cookie settings. * Support for loading federation metadata files. * Several bugfixes. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2011/05/07 05:15:21 manu Exp $ d3 4 a6 4 SHA1 (mod_auth_mellon-0.4.0.tar.gz) = d09f7bbefe32c2eaa624612584eab1ea8e89820a RMD160 (mod_auth_mellon-0.4.0.tar.gz) = 92ef003ae22c43ef81d22f5027486244e76e3d3f Size (mod_auth_mellon-0.4.0.tar.gz) = 103708 bytes SHA1 (patch-ai) = a7a4f729301bff79cb39d441f9fa48993cdc2899 @ 1.10 log @Unbreak SP initiated SLO with lasso >= 2.3.5 (patch backported from upstream) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2010/05/31 16:46:30 manu Exp $ d3 4 a6 9 SHA1 (mod_auth_mellon-0.3.0.tar.gz) = 658dda51652f491552f2ecc84572ed7750f914ff RMD160 (mod_auth_mellon-0.3.0.tar.gz) = 69237b1ec266018a86e7134a4662b491af3c261e Size (mod_auth_mellon-0.3.0.tar.gz) = 92252 bytes SHA1 (patch-ac) = 7976528d9c77b8e30accf60edc958db53ac5e8fb SHA1 (patch-ad) = a1bebae20bfbb99bd71d68de19901eaef6c52dbd SHA1 (patch-ae) = d51040b6d827940a2c3cf8928dee175efa946e37 SHA1 (patch-af) = 0803665a14df8582ac20d950a070f73d794b08ea SHA1 (patch-ag) = c1ef8704268d99b01d1e96fc2da9be74a7726b9d SHA1 (patch-ah) = 6287c038aee79e66539dda12ff447dfd5d9529bf @ 1.9 log @Update ap2-auth-mellon to 2.3.5, plus patches pulled from upstream: Pulled from upcoming 0.3.1 --------------------------------------------------------------------------- * Allow MellonUser variable to be translated through MellonSetEnv * A /mellon/probeDisco endpoint replaces the builtin:get-metadata IdP dicovery URL scheme * New MellonCond directive to enable attribute filtering beyond MellonRequire functionalities. * New MellonIdPMetadataGlob directive to load mulitple IdP metadata using a glob(3) pattern. Version 0.3.0 --------------------------------------------------------------------------- * New login-endpoint, which allows easier manual initiation of login requests, and specifying parameters such as IsPassive. * Validation of Conditions and SubjectConfirmation data in the assertion we receive from the IdP. * Various bugfixes. @ text @d11 1 @ 1.8 log @Update to 0.2.7. From the NEWS file: Version 0.2.7 --------------------------------------------------------------------------- * Optionaly ave the remote IdP entityId in the environment * Shibboleth 2 interoperability Version 0.2.6 --------------------------------------------------------------------------- * Fix XSS/DOS vulnerability in repost handler. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2009/12/20 11:31:30 manu Exp $ d3 8 a10 3 SHA1 (mod_auth_mellon-0.2.7.tar.gz) = ed6b7e74d00bcf32889eff7d647b93e7adb41bd8 RMD160 (mod_auth_mellon-0.2.7.tar.gz) = 35acee9d78f20388792dae0ec96f7490e36ea685 Size (mod_auth_mellon-0.2.7.tar.gz) = 90018 bytes @ 1.7 log @Fix a XSS vulnerability @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2009/11/16 09:48:28 manu Exp $ d3 3 a5 4 SHA1 (mod_auth_mellon-0.2.5.tar.gz) = f1d75456df39d183b6d1919f06dc2bc7b9b1afb6 RMD160 (mod_auth_mellon-0.2.5.tar.gz) = 7db221e431384ff9f73badc208eed55a0a0011a7 Size (mod_auth_mellon-0.2.5.tar.gz) = 89404 bytes SHA1 (patch-aa) = b8a46a2a82f228a95cf28c1d395394373e0f6ccb @ 1.6 log @Update to mod_auth_mellon 0.2.5. From the NEWS file: * Replay POST requests after been sent to the IdP * Fix HTTP response splitting vulnerability. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2009/08/27 19:39:54 wiz Exp $ d6 1 @ 1.5 log @Remove empty line. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2009/08/11 15:53:41 manu Exp $ d3 3 a5 3 SHA1 (mod_auth_mellon-0.2.4.tar.gz) = 6a8ff475bb7b4c0027a834c10b2d45a5ef1a7fed RMD160 (mod_auth_mellon-0.2.4.tar.gz) = ffbcdc9dcfa5ea47ad3319e84a9e84e220307929 Size (mod_auth_mellon-0.2.4.tar.gz) = 82568 bytes @ 1.4 log @Change since 0.2.4: * Fix for downloads of files with Internet Explorer with SSL enabled. * Mark session as disabled as soon as logout starts, in case the IdP doesn't respond. * Bugfix for session lifetime. Take the session lifetime from the SessionNotOnOrAfter attribute if it is present. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2009/06/15 19:45:14 manu Exp $ a5 1 @ 1.3 log @Update to 0.2.2. From NEWS: * Improve metadata autogeneration: cleanup certificate, allow Organizarion element data to be supplied from Apache configuration @ text @d1 5 a5 1 $NetBSD: distinfo,v 1.2 2009/06/06 10:27:30 manu Exp $ a6 3 SHA1 (mod_auth_mellon-0.2.2.tar.gz) = 7a6078a126d4c924484a59cff0215099e73cbbc4 RMD160 (mod_auth_mellon-0.2.2.tar.gz) = 042461aabaa72afada0bcde3b9acb9fe00706fc1 Size (mod_auth_mellon-0.2.2.tar.gz) = 82930 bytes @ 1.2 log @Update to 0.2.1: * Make SAML authentication assertion and Lasso session available in the environement. * Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.) * Multiple IdP support, with discovery service. * Built in discovery service which tests the availability of each IdP, and uses the first available IdP. * Fix a mutex leak. * MellonSecureCookie option, which enables Secure + HttpOnly flags on session cookies. * Better handling of logout request when the user is already logged out. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $ d3 3 a5 4 SHA1 (mod_auth_mellon-0.2.1.tar.gz) = 5d11289aa4c44d235f4fd599cf215b46a37efb09 RMD160 (mod_auth_mellon-0.2.1.tar.gz) = 6f6e62abb3e5ff4b251e5bd5363aab22b817efe2 Size (mod_auth_mellon-0.2.1.tar.gz) = 81619 bytes SHA1 (patch-ab) = 65c0706feb5e9875d1eaf55a15f3b47cc59d4842 @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (mod_auth_mellon-0.1.0.tar.gz) = d8f20efa3165a55bdc05526bf2077c182cd3bb80 RMD160 (mod_auth_mellon-0.1.0.tar.gz) = 2c347b2a28867a5d0e3d1c0716e25a6e7d7756c8 Size (mod_auth_mellon-0.1.0.tar.gz) = 74563 bytes SHA1 (patch-aa) = 0a9d7ec8b672b21ad828fde64a75b709cdbf808a @ 1.1.1.1 log @mod_auth_mellon is a authentication module for apache. It authenticates the user against a SAML 2.0 IdP, and and grants access to directories depending on attributes received from the IdP. @ text @@