Add persistent sessions patch from upsrtream
https://github.com/latchset/mod_auth_mellon/pull/120
Changes since 0.18.0 from the NEWS file:
* Logout endpoint can handle POST response.
* Ensure compatibility with OpenSSL 3.
* Add encryption certificate in mellon_create_metadata.sh.
Change sine 0.17 from NEWS file:
Version 0.18.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
"///fishing-site.example.com/logout.html". In this case, the browser
would interpret the URL differently than the APR parsing utility
mellon uses and redirect to fishing-site.example.com.
This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com
/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
Enhancements:
* A new option MellonSessionIdleTimeout that represents the amount of time
a user can be inactive before the user's session times out in seconds.
Bug fixes:
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure
option MellonCookieSameSite was set to something other than default.
This is now fixed.
Switch to Latchset distribution now that Uninett version is abandonware.
Changes since 0.14.2 from the NEWS file:
Version 0.17.0
---------------------------------------------------------------------------
Enhancements:
* New option MellonSendExpectHeader (default On) which allows to disable
sending the Expect header in the HTTP-Artifact binding to improve
performance when the remote party does not support this header.
* Set SameSite attribute to None on on the cookietest cookie.
* Bump default generated keysize to 3072 bits in mellon_create_metadata.
Bug fixes:
* Validate if the assertion ID has not been used earlier before creating
a new session.
* Release session cache after calling invalidate endpoint.
* In MellonCond directives, fix a bug that setting the NC option would
also activate substring match and that REG would activate REF.
* Fix MellonCond substring match to actually match the substring on
the attribute value.
Version 0.16.0
---------------------------------------------------------------------------
Enhancements:
* The MellonCookieSameSite option accepts a new valid "None". This is intended
to be used together with "MellonSecureCookie On". With some newer browsers,
only cookies with "SameSite=None; Secure" would be available for cross-site
access.
* A new option MellonEnabledInvalidateSessionEndpoint was added. When this
option is enabled, then a user can invalidate their session locally by
calling the "/invalidate" endpoint.
Version 0.15.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
"http:www.hostname.com". In this case, the APR parsing utility
would parse the scheme as http, host as NULL and path as www.hostname.com.
Browsers, however, interpret the URL differently and redirect to
www.hostname.com. This could be reproduced with:
https://application.com/mellon/login?ReturnTo=http:www.hostname.com
This version fixes that issue by rejecting all URLs with
scheme, but no host name.
Enhancements:
* A XSLT script that allows converting attribute maps from Shibboleth
to a set of MellonSetEnvNoPrefix entries was added. The script can
be found at doc/mellon-attribute-map.xsl
* A new configuration option MellonEnvPrefix was added. This option allows
you to configure the variable prefix, which normally defaults to MELLON_
* A new configuration option MellonAuthnContextComparisonType was added.
This option allows you to set the "Comparison" attribute within
the AuthnRequest
Notable bug fixes:
* Compilation issues on Solaris were fixed
Changes since 0.12.0 include a fix for CVE-2017-6807
Version 0.14.0
==============
* Backwards incompatible changes
This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
* New features
Many improvements in what is logged during various errors.
Diagnostics logging, which creates a detailed log during request
processing.
Add support for selecting which signature algorithm is used when
signing messages, and switch to rsa-sha256 by default.
* Bug fixes
Fix segmentation fault in POST replay functionality on empty value.
Fix incorrect error check for many lasso_*-functions.
Fix case sensitive match on MellonUser attribute name.
Version 0.13.1
==============
* Security fix
Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session
specified in the user's session cookie was created for the web site
the user actually accesses.
If two different web sites are hosted on the same web server, and
both web sites use mod_auth_mellon for authentication, this
vulnerability makes it possible for an attacker with access to one
of the web sites to copy their session cookie to the other web
site, and then use the same session to get access to the other web
site.
Thanks to François Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vunlerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match
the cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the MellonCookie-option to the same
value on all domains. Bug fixes
Fix segmentation fault if a (trusted) identity provider returns
a SAML 2.0 attribute without a Name.
Fix segmentation fault if MellonPostReplay is enabled but
MellonPostDirectory is not set.
Version 0.13.0
==============
* Security fix
Fix a denial of service attack in the logout handler, which allows
a remote attacker to crash the Apache worker process with a
segmentation fault. This is caused by a null-pointer dereference
when processing a malformed logout message. New features
Allow MellonSecureCookie to be configured to enable just one
of the "httponly" of "secure" flags, instead of always enabling
both flags.
Support per-module log level with Apache 2.4.
Allow disabling the Cache-Control HTTP response header.
Add support for SameSite cookie parameter.
* Bug fixes
Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
respond to the probe request.
Fix mod_auth_mellon interfering with other Apache authentication
modules even when it is disabled for a path.
Fix wrong HTTP status code being returned in some cases during
user permission checks.
Fix default POST size limit to actually be 1 MB.
Fix error if authentication response is missing the optional
Conditions-element.
Fix AJAX requests being redirected to the IdP.
Fix wrong content type for ECP authentication request responses.
In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Request-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interract with the user to complete authentification.
Fixes CVE-2016-2145 and CVE-2016-2146
Changes since 0.10.0 frome NEWS file and patches/patch-0274
patch-0274
---------------------------------------------------------------------------
* Return 500 Internal Server Error if probe discovery fails.
Version 0.12.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
* Add MellonRedirecDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
* Add support for ECP service options in PAOS requests.
* Fix AssertionConsumerService lookup for PAOS requests.
Version 0.11.1
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data
Version 0.11.0
---------------------------------------------------------------------------
* Add SAML 2.0 ECP support.
* The MellonDecode option has been disabled. It was used to decode
attributes in a Feide-specific encoding that is no longer used.
* Set max-age=0 in Cache-Control header, to ensure that all browsers
verifies the data on each request.
* MellonMergeEnvVars On now accepts second optional parameter, the
separator to be used instead of the default ';'.
* Add option MellonEnvVarsSetCount to specify if the number of values
for any attribute should also be stored in environment variable
suffixed _N.
* Add option MellonEnvVarsIndexStart to specify if environment variables
for multi-valued attributes should start indexing with 0 (default) or
with 1.
* Bugfixes:
* Fix error about missing authentication with DirectoryIndex in
Apache 2.4.
NEWS since last version imported in pkgsrc
Version 0.10.0
---------------------------------------------------------------------------
* Make sure that we fail in the unlikely case where OpenSSL is not able
to provide us with a secure session id.
* Increase the number of key-value pairs in the session to 2048.
* Add MellonMergeEnvVars-option to store multi-valued attributes in
a single environment variable, separated with ';'.
* Bugfixes:
* Fix the [MAP] option for MellonCond.
* Fix cookie deletion for the session cookie. (Logout is not dependent
on the cookie being deleted, so this only fixes the cookie showing
up after the session is deleted.)
Version 0.9.1
---------------------------------------------------------------------------
* Bugfixes:
* Fix session offset calculation that prevented us from having
active sessions at once.
* Run mod_auth_mellon request handler before most other handlers,
so that other handlers cannot block it by accident.
Version 0.9.0
---------------------------------------------------------------------------
* Set the AssertionConsumerServiceURL attribute in authentication
requests.
* Bugfixes:
* Fix use of uninitialized data during logout.
* Fix session entry overflow leading to segmentation faults.
* Fix looking up sessions by NameID, which is used during logout.
Version 0.8.1
---------------------------------------------------------------------------
This is a security release with fixes backported from version 0.9.1.
It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)
In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)
Version 0.8.0
---------------------------------------------------------------------------
* Add support for receiving HTTP-Artifact identifiers as POST data.
* Simplify caching headers.
* Map login errors into more appropriate HTTP error codes than
400 Bad Request.
* Add MellonNoSuccessErrorPage option to redirect to a error page on login
failure.
* Turn session storage into a dynamic pool of memory, which means that
attribute values (and other items) can have arbitrary sizes as long as
they fit in the session as a whole.
* Various bugfixes:
* Fix for compatibility with recent versions of CURL.
* Fix broken option MellonDoNotVerifyLogoutSignature.
* Fix deadlock that could occur during logout processing.
* Fix some compile warnings.
* Fix some NULL derefernce bugs that may lead to segmentation faults.
* Fix a minor memory leak during IdP metadata loading.
Version 0.7.0
---------------------------------------------------------------------------
* Add MellonSPentityId to control entityId in autogenerated metadata
* Fix compatibility with Apache 2.4.
* Handle empty RelayState the same as missing RelayState.
* Add MellonSetEvnNoPrefix directive to set environment variables
without "MELLON_"-prefix.
