Changes since 0.12.0 include a fix for CVE-2017-6807
Version 0.14.0
==============
* Backwards incompatible changes
This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
* New features
Many improvements in what is logged during various errors.
Diagnostics logging, which creates a detailed log during request
processing.
Add support for selecting which signature algorithm is used when
signing messages, and switch to rsa-sha256 by default.
* Bug fixes
Fix segmentation fault in POST replay functionality on empty value.
Fix incorrect error check for many lasso_*-functions.
Fix case sensitive match on MellonUser attribute name.
Version 0.13.1
==============
* Security fix
Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session
specified in the user's session cookie was created for the web site
the user actually accesses.
If two different web sites are hosted on the same web server, and
both web sites use mod_auth_mellon for authentication, this
vulnerability makes it possible for an attacker with access to one
of the web sites to copy their session cookie to the other web
site, and then use the same session to get access to the other web
site.
Thanks to François Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vunlerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match
the cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the MellonCookie-option to the same
value on all domains. Bug fixes
Fix segmentation fault if a (trusted) identity provider returns
a SAML 2.0 attribute without a Name.
Fix segmentation fault if MellonPostReplay is enabled but
MellonPostDirectory is not set.
Version 0.13.0
==============
* Security fix
Fix a denial of service attack in the logout handler, which allows
a remote attacker to crash the Apache worker process with a
segmentation fault. This is caused by a null-pointer dereference
when processing a malformed logout message. New features
Allow MellonSecureCookie to be configured to enable just one
of the "httponly" of "secure" flags, instead of always enabling
both flags.
Support per-module log level with Apache 2.4.
Allow disabling the Cache-Control HTTP response header.
Add support for SameSite cookie parameter.
* Bug fixes
Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
respond to the probe request.
Fix mod_auth_mellon interfering with other Apache authentication
modules even when it is disabled for a path.
Fix wrong HTTP status code being returned in some cases during
user permission checks.
Fix default POST size limit to actually be 1 MB.
Fix error if authentication response is missing the optional
Conditions-element.
Fix AJAX requests being redirected to the IdP.
Fix wrong content type for ECP authentication request responses.
In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
