kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/www/ap2-auth-mellon/MESSAGE
manu 4d7dd45f9f Updated www/ap2-auth-mellon to 0.14.0 
Changes since 0.12.0 include a fix for CVE-2017-6807

Version 0.14.0
==============

* Backwards incompatible changes

  This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

* New features

    Many improvements in what is logged during various errors.

    Diagnostics logging, which creates a detailed log during request
    processing.

    Add support for selecting which signature algorithm is used when
    signing messages, and switch to rsa-sha256 by default.

* Bug fixes

    Fix segmentation fault in POST replay functionality on empty value.

    Fix incorrect error check for many lasso_*-functions.

    Fix case sensitive match on MellonUser attribute name.


Version 0.13.1
==============

* Security fix

  Fix a cross-site session transfer vulnerability. mod_auth_mellon
  version 0.13.0 and older failed to validate that the session
  specified in the user's session cookie was created for the web site
  the user actually accesses.

  If two different web sites are hosted on the same web server, and
  both web sites use mod_auth_mellon for authentication, this
  vulnerability makes it possible for an attacker with access to one
  of the web sites to copy their session cookie to the other web
  site, and then use the same session to get access to the other web
  site.

  Thanks to François Kooman for reporting this vulnerability.

  This vulnerability has been assigned CVE-2017-6807.

  Note: The fix for this vunlerability makes mod_auth_mellon validate
  that the cookie parameters used when creating the session match
  the cookie parameters that should be used when accessing the current
  page. If you currently use mod_auth_mellon across multiple subdomains,
  you must make sure that you set the MellonCookie-option to the same
  value on all domains.  Bug fixes

    Fix segmentation fault if a (trusted) identity provider returns
    a SAML 2.0 attribute without a Name.

    Fix segmentation fault if MellonPostReplay is enabled but
    MellonPostDirectory is not set.

Version 0.13.0
==============

* Security fix

  Fix a denial of service attack in the logout handler, which allows
  a remote attacker to crash the Apache worker process with a
  segmentation fault. This is caused by a null-pointer dereference
  when processing a malformed logout message.  New features

    Allow MellonSecureCookie to be configured to enable just one
    of the "httponly" of "secure" flags, instead of always enabling
    both flags.
    Support per-module log level with Apache 2.4.
    Allow disabling the Cache-Control HTTP response header.
    Add support for SameSite cookie parameter.

* Bug fixes

    Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
    respond to the probe request.
    Fix mod_auth_mellon interfering with other Apache authentication
    modules even when it is disabled for a path.
    Fix wrong HTTP status code being returned in some cases during
    user permission checks.
    Fix default POST size limit to actually be 1 MB.
    Fix error if authentication response is missing the optional
    Conditions-element.
    Fix AJAX requests being redirected to the IdP.
    Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
2018-05-04 02:53:38 +00:00

46 lines
1.9 KiB
Text
Raw Blame History

===========================================================================
$NetBSD: MESSAGE,v 1.4 2018/05/04 02:53:38 manu Exp $
In order to use this module in your Apache installation, you need to
add the following to your httpd.conf file:
LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
If upgrading from version prior 0.14.0, please note the following
backward-incompatible change:
* This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
If upgrading from version prior 0.6.0, please note the following
backward-incompatible changes:
* The POST replay functionality has been disabled by default, and the
automatic creation of the MellonPostDirectory target directory has been
removed. If you want to use the POST replay functionality, create a
directory accessible only by the apache user (e.g.: /var/spool/mellon)
and add this after the LoadModule for mod_auth_mellon.so:
MellonPostDirectory /var/spool/mellon
* Start discovery service when accessing the login endpoint. We used
to bypass the discovery service in this case, and just pick the first
IdP. This has been changed to send a request to the discovery service
instead, if one is configured.
* The MellonLockFile default path has been changed to:
/var/run/mod_auth_mellon.lock
This only affects platforms where a lock file is required and
where Apache doesn't have write access to that directory during
startup. (Apache can normally create files in that directory
during startup.)
===========================================================================
Reference in a new issue View git blame Copy permalink