The NetBSD Project

CVS log for pkgsrc/www/ap2-auth-mellon/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / www / ap2-auth-mellon

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.71 / (download) - annotate - [select for diffs], Wed Nov 23 16:21:17 2022 UTC (2 months, 1 week ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4, HEAD
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

massive revision bump after textproc/icu update

Revision 1.70 / (download) - annotate - [select for diffs], Wed Oct 26 10:32:03 2022 UTC (3 months ago) by wiz
Branch: MAIN
Changes since 1.69: +2 -2 lines
Diff to previous 1.69 (colored)

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.69 / (download) - annotate - [select for diffs], Mon Apr 18 19:12:15 2022 UTC (9 months, 1 week ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)

revbump for textproc/icu update

Revision 1.68 / (download) - annotate - [select for diffs], Wed Dec 8 16:06:53 2021 UTC (13 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)

revbump for icu and libffi

Revision 1.64.4.1 / (download) - annotate - [select for diffs], Sat Nov 20 22:29:03 2021 UTC (14 months, 1 week ago) by tm
Branch: pkgsrc-2021Q3
Changes since 1.64: +8 -4 lines
Diff to previous 1.64 (colored) next main 1.65 (colored)

Pullup ticket #6533 - requested by bsiegert
www/ap2-auth-mellon: security fix

Revisions pulled up:
- www/ap2-auth-mellon/Makefile                                  1.66
- www/ap2-auth-mellon/distinfo                                  1.24

---
   Module Name:    pkgsrc
   Committed By:   manu
   Date:           Tue Nov  9 01:50:45 UTC 2021

   Modified Files:
           pkgsrc/doc: CHANGES-2021
           pkgsrc/www/ap2-auth-mellon: Makefile distinfo

   Log Message:
   Updated www/ap2-auth-mellon to 0.18.0

   Change sine 0.17 from NEWS file:

   Version 0.18.0
   ---------------------------------------------------------------------------

   Security fixes:

   * [CVE-2019-13038] Redirect URL validation bypass

     Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
     validation to be bypassed by specifying an URL formatted as
     "///fishing-site.example.com/logout.html". In this case, the browser
     would interpret the URL differently than the APR parsing utility
     mellon uses and redirect to fishing-site.example.com.
     This could be reproduced with:
        https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com
   /logout.html

     This version fixes that issue by rejecting all URLs that start with "///".

   Enhancements:

   * A new option MellonSessionIdleTimeout that represents the amount of time
     a user can be inactive before the user's session times out in seconds.

   Bug fixes:

   * Several build-time fixes

   * The CookieTest SameSite attribute was only set to None if mellon configure
     option MellonCookieSameSite was set to something other than default.
     This is now fixed.

Revision 1.67 / (download) - annotate - [select for diffs], Mon Nov 15 18:17:05 2021 UTC (14 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.66: +1 -4 lines
Diff to previous 1.66 (colored)

ap2-auth-mellon: pkglint cleanup

Revision 1.66 / (download) - annotate - [select for diffs], Tue Nov 9 01:50:45 2021 UTC (14 months, 3 weeks ago) by manu
Branch: MAIN
Changes since 1.65: +8 -4 lines
Diff to previous 1.65 (colored)

Updated www/ap2-auth-mellon to 0.18.0

Change sine 0.17 from NEWS file:

Version 0.18.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

  Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
  validation to be bypassed by specifying an URL formatted as
  "///fishing-site.example.com/logout.html". In this case, the browser
  would interpret the URL differently than the APR parsing utility
  mellon uses and redirect to fishing-site.example.com.
  This could be reproduced with:
     https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com
/logout.html

  This version fixes that issue by rejecting all URLs that start with "///".

Enhancements:

* A new option MellonSessionIdleTimeout that represents the amount of time
  a user can be inactive before the user's session times out in seconds.

Bug fixes:

* Several build-time fixes

* The CookieTest SameSite attribute was only set to None if mellon configure
  option MellonCookieSameSite was set to something other than default.
  This is now fixed.

Revision 1.65 / (download) - annotate - [select for diffs], Wed Sep 29 19:01:25 2021 UTC (16 months ago) by adam
Branch: MAIN
Changes since 1.64: +2 -1 lines
Diff to previous 1.64 (colored)

revbump for boost-libs

Revision 1.64 / (download) - annotate - [select for diffs], Tue Jun 8 07:26:52 2021 UTC (19 months, 3 weeks ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Branch point for: pkgsrc-2021Q3
Changes since 1.63: +4 -5 lines
Diff to previous 1.63 (colored)

Updated www/ap2-auth-mellon to 0.17.0

Switch to Latchset distribution now that Uninett version is abandonware.

Changes since 0.14.2 from the NEWS file:

Version 0.17.0
---------------------------------------------------------------------------

Enhancements:

 * New option MellonSendExpectHeader (default On) which allows to disable
   sending the Expect header in the HTTP-Artifact binding to improve
   performance when the remote party does not support this header.

 * Set SameSite attribute to None on on the cookietest cookie.

 * Bump default generated keysize to 3072 bits in mellon_create_metadata.

Bug fixes:

 * Validate if the assertion ID has not been used earlier before creating
   a new session.

 * Release session cache after calling invalidate endpoint.

 * In MellonCond directives, fix a bug that setting the NC option would
   also activate substring match and that REG would activate REF.

 * Fix MellonCond substring match to actually match the substring on
   the attribute value.

Version 0.16.0
---------------------------------------------------------------------------

Enhancements:

 * The MellonCookieSameSite option accepts a new valid "None". This is intended
   to be used together with "MellonSecureCookie On". With some newer browsers,
   only cookies with "SameSite=None; Secure" would be available for cross-site
   access.

 * A new option MellonEnabledInvalidateSessionEndpoint was added. When this
   option is enabled, then a user can invalidate their session locally by
   calling the "/invalidate" endpoint.

Version 0.15.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
  validation to be bypassed by specifying an URL formatted as
  "http:www.hostname.com". In this case, the APR parsing utility
  would parse the scheme as http, host as NULL and path as www.hostname.com.
  Browsers, however, interpret the URL differently and redirect to
  www.hostname.com. This could be reproduced with:
     https://application.com/mellon/login?ReturnTo=http:www.hostname.com

  This version fixes that issue by rejecting all URLs with
  scheme, but no host name.

Enhancements:

 * A XSLT script that allows converting attribute maps from Shibboleth
   to a set of MellonSetEnvNoPrefix entries was added. The script can
   be found at doc/mellon-attribute-map.xsl

 * A new configuration option MellonEnvPrefix was added. This option allows
   you to configure the variable prefix, which normally defaults to MELLON_

 * A new configuration option MellonAuthnContextComparisonType was added.
   This option allows you to set the "Comparison" attribute within
   the AuthnRequest

Notable bug fixes:

  * Compilation issues on Solaris were fixed

Revision 1.63 / (download) - annotate - [select for diffs], Wed Apr 21 13:25:28 2021 UTC (21 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.62: +2 -2 lines
Diff to previous 1.62 (colored)

revbump for boost-libs

Revision 1.62 / (download) - annotate - [select for diffs], Wed Apr 21 11:42:52 2021 UTC (21 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.61: +2 -2 lines
Diff to previous 1.61 (colored)

revbump for textproc/icu

Revision 1.61 / (download) - annotate - [select for diffs], Thu Nov 5 09:09:18 2020 UTC (2 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored)

*: Recursive revbump from textproc/icu-68.1

Revision 1.60 / (download) - annotate - [select for diffs], Tue Jun 2 08:24:55 2020 UTC (2 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)

Revbump for icu

Revision 1.59 / (download) - annotate - [select for diffs], Fri May 22 10:56:44 2020 UTC (2 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored)

revbump after updating security/nettle

Revision 1.58 / (download) - annotate - [select for diffs], Wed May 6 14:05:05 2020 UTC (2 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

revbump after boost update

Revision 1.57 / (download) - annotate - [select for diffs], Thu Apr 30 16:35:51 2020 UTC (2 years, 9 months ago) by rillig
Branch: MAIN
Changes since 1.56: +2 -1 lines
Diff to previous 1.56 (colored)

www/ap2-auth-mellon: fix build with SUBST_NOOP_OK=no

The CFLAG -pthread may be added to the Makefile by one of the
placeholders, depending on the actual configuration.

Revision 1.56 / (download) - annotate - [select for diffs], Sun Mar 8 16:51:35 2020 UTC (2 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.55: +2 -2 lines
Diff to previous 1.55 (colored)

*: recursive bump for libffi

Revision 1.55 / (download) - annotate - [select for diffs], Sat Jan 18 21:51:03 2020 UTC (3 years ago) by jperkin
Branch: MAIN
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

*: Recursive revision bump for openssl 1.1.1.

Revision 1.54 / (download) - annotate - [select for diffs], Sun Jan 12 20:20:47 2020 UTC (3 years ago) by ryoon
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)

*: Recursive revbump from devel/boost-libs

Revision 1.53 / (download) - annotate - [select for diffs], Mon Nov 4 22:09:51 2019 UTC (3 years, 2 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

www: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

Manually excluded phraseanet since pkglint got the indentation wrong.

Revision 1.52 / (download) - annotate - [select for diffs], Thu Aug 22 12:23:52 2019 UTC (3 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.51: +2 -2 lines
Diff to previous 1.51 (colored)

Recursive revbump from boost-1.71.0

Revision 1.51 / (download) - annotate - [select for diffs], Sat Jul 20 22:46:54 2019 UTC (3 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.50: +2 -2 lines
Diff to previous 1.50 (colored)

*: recursive bump for nettle 3.5.1

Revision 1.50 / (download) - annotate - [select for diffs], Mon Jul 1 04:08:51 2019 UTC (3 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.49: +2 -1 lines
Diff to previous 1.49 (colored)

Recursive revbump from boost-1.70.0

Revision 1.49 / (download) - annotate - [select for diffs], Mon Mar 25 06:21:06 2019 UTC (3 years, 10 months ago) by leot
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.48: +4 -2 lines
Diff to previous 1.48 (colored)

ap2-auth-mellon: Adjust MASTER_SITES handling (NFCI)

Use GITHUB_PROJECT and GITHUB_RELEASE instead of manually adjusting
MASTER_SITES.

Revision 1.48 / (download) - annotate - [select for diffs], Sat Mar 23 02:37:42 2019 UTC (3 years, 10 months ago) by manu
Branch: MAIN
Changes since 1.47: +3 -3 lines
Diff to previous 1.47 (colored)

Updated www/ap2-auth-mellon to 0.14.2

Changes sine 0.14.0 include:
- Fix CVE-2019-3878 Authentication bypass when Apache is used as reverse proxy
- Fix CVE-2019-3877 Redirect URL validation bypass
- Fix environment variables in MellonCond
- Fix detection of AJAX requests
- Fix trailing semi-colon in Set-Cookie header

Revision 1.47 / (download) - annotate - [select for diffs], Thu Dec 13 19:52:25 2018 UTC (4 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)

revbump for boost 1.69.0

Revision 1.46 / (download) - annotate - [select for diffs], Sun Dec 9 21:05:36 2018 UTC (4 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.45: +1 -2 lines
Diff to previous 1.45 (colored)

Removed commented-out PKGREVISIONs

Revision 1.45 / (download) - annotate - [select for diffs], Thu Aug 16 18:55:14 2018 UTC (4 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.44: +2 -1 lines
Diff to previous 1.44 (colored)

revbump after boost-libs update

Revision 1.44 / (download) - annotate - [select for diffs], Fri May 4 02:53:38 2018 UTC (4 years, 8 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.43: +3 -3 lines
Diff to previous 1.43 (colored)

Updated www/ap2-auth-mellon to 0.14.0

Changes since 0.12.0 include a fix for CVE-2017-6807

Version 0.14.0
==============

* Backwards incompatible changes

  This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

* New features

    Many improvements in what is logged during various errors.

    Diagnostics logging, which creates a detailed log during request
    processing.

    Add support for selecting which signature algorithm is used when
    signing messages, and switch to rsa-sha256 by default.

* Bug fixes

    Fix segmentation fault in POST replay functionality on empty value.

    Fix incorrect error check for many lasso_*-functions.

    Fix case sensitive match on MellonUser attribute name.


Version 0.13.1
==============

* Security fix

  Fix a cross-site session transfer vulnerability. mod_auth_mellon
  version 0.13.0 and older failed to validate that the session
  specified in the user's session cookie was created for the web site
  the user actually accesses.

  If two different web sites are hosted on the same web server, and
  both web sites use mod_auth_mellon for authentication, this
  vulnerability makes it possible for an attacker with access to one
  of the web sites to copy their session cookie to the other web
  site, and then use the same session to get access to the other web
  site.

  Thanks to FraníĐis Kooman for reporting this vulnerability.

  This vulnerability has been assigned CVE-2017-6807.

  Note: The fix for this vunlerability makes mod_auth_mellon validate
  that the cookie parameters used when creating the session match
  the cookie parameters that should be used when accessing the current
  page. If you currently use mod_auth_mellon across multiple subdomains,
  you must make sure that you set the MellonCookie-option to the same
  value on all domains.  Bug fixes

    Fix segmentation fault if a (trusted) identity provider returns
    a SAML 2.0 attribute without a Name.

    Fix segmentation fault if MellonPostReplay is enabled but
    MellonPostDirectory is not set.

Version 0.13.0
==============

* Security fix

  Fix a denial of service attack in the logout handler, which allows
  a remote attacker to crash the Apache worker process with a
  segmentation fault. This is caused by a null-pointer dereference
  when processing a malformed logout message.  New features

    Allow MellonSecureCookie to be configured to enable just one
    of the "httponly" of "secure" flags, instead of always enabling
    both flags.
    Support per-module log level with Apache 2.4.
    Allow disabling the Cache-Control HTTP response header.
    Add support for SameSite cookie parameter.

* Bug fixes

    Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
    respond to the probe request.
    Fix mod_auth_mellon interfering with other Apache authentication
    modules even when it is disabled for a path.
    Fix wrong HTTP status code being returned in some cases during
    user permission checks.
    Fix default POST size limit to actually be 1 MB.
    Fix error if authentication response is missing the optional
    Conditions-element.
    Fix AJAX requests being redirected to the IdP.
    Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.

Revision 1.43 / (download) - annotate - [select for diffs], Sun Apr 29 21:32:07 2018 UTC (4 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

revbump for boost-libs update

Revision 1.42 / (download) - annotate - [select for diffs], Mon Jan 1 21:18:55 2018 UTC (5 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

Revbump after boost update

Revision 1.41 / (download) - annotate - [select for diffs], Mon Jan 1 10:23:06 2018 UTC (5 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.40: +1 -4 lines
Diff to previous 1.40 (colored)

apache22: remove, it was eol'd in June 2017

Remove packages that only work with apache22.
Remove apache22 references.

Revision 1.40 / (download) - annotate - [select for diffs], Thu Aug 24 20:03:41 2017 UTC (5 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

Revbump for boost update

Revision 1.39 / (download) - annotate - [select for diffs], Sun Apr 30 01:22:02 2017 UTC (5 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)

Recursive revbump from boost update

Revision 1.38 / (download) - annotate - [select for diffs], Sun Jan 1 16:06:38 2017 UTC (6 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

Revbump after boost update

Revision 1.37 / (download) - annotate - [select for diffs], Thu Oct 27 12:53:13 2016 UTC (6 years, 3 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

Fix pkglint complains

Revision 1.36 / (download) - annotate - [select for diffs], Tue Oct 18 15:13:41 2016 UTC (6 years, 3 months ago) by manu
Branch: MAIN
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)

Do not redirect unauthenticated AJAX request to the IdP

When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Request-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interract with the user to complete authentification.

Revision 1.35 / (download) - annotate - [select for diffs], Fri Oct 7 18:26:12 2016 UTC (6 years, 3 months ago) by adam
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

Revbump post boost update

Revision 1.34 / (download) - annotate - [select for diffs], Thu Sep 22 02:44:26 2016 UTC (6 years, 4 months ago) by mef
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.33: +2 -2 lines
Diff to previous 1.33 (colored)

Update HOMEPAGE, previous was 404

Revision 1.33 / (download) - annotate - [select for diffs], Mon Mar 14 09:58:57 2016 UTC (6 years, 10 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.32: +3 -3 lines
Diff to previous 1.32 (colored)

Update mod_auth_mellon to 0.12.0

Fixes CVE-2016-2145 and CVE-2016-2146

Changes since 0.10.0 frome NEWS file and patches/patch-0274

patch-0274
---------------------------------------------------------------------------
* Return 500 Internal Server Error if probe discovery fails.

Version 0.12.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.

In addition this release contains the following new features and fixes:

* Add MellonRedirecDomains option to limit the sites that
  mod_auth_mellon can redirect to. This option is enabled by default.

* Add support for ECP service options in PAOS requests.

* Fix AssertionConsumerService lookup for PAOS requests.

Version 0.11.1
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data

Version 0.11.0
---------------------------------------------------------------------------

* Add SAML 2.0 ECP support.

* The MellonDecode option has been disabled. It was used to decode
  attributes in a Feide-specific encoding that is no longer used.

* Set max-age=0 in Cache-Control header, to ensure that all browsers
  verifies the data on each request.

* MellonMergeEnvVars On now accepts second optional parameter, the
  separator to be used instead of the default ';'.

* Add option MellonEnvVarsSetCount to specify if the number of values
  for any attribute should also be stored in environment variable
  suffixed _N.

* Add option MellonEnvVarsIndexStart to specify if environment variables
  for multi-valued attributes should start indexing with 0 (default) or
  with 1.

* Bugfixes:

  * Fix error about missing authentication with DirectoryIndex in
    Apache 2.4.

Revision 1.32 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:34 2016 UTC (6 years, 10 months ago) by jperkin
Branch: MAIN
Changes since 1.31: +2 -1 lines
Diff to previous 1.31 (colored)

Bump PKGREVISION for security/openssl ABI bump.

Revision 1.29.2.1 / (download) - annotate - [select for diffs], Sat Apr 18 14:52:51 2015 UTC (7 years, 9 months ago) by bsiegert
Branch: pkgsrc-2015Q1
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored) next main 1.30 (colored)

Pullup ticket #4668 - requested by manu
www/ap2-auth-mellon - apache24 support

Revisions pulled up:
- www/ap2-auth-mellon/Makefile                                  1.31

---
   Module Name:    pkgsrc
   Committed By:   manu
   Date:           Mon Apr 13 08:10:29 UTC 2015

   Modified Files:
           pkgsrc/www/ap2-auth-mellon: Makefile

   Log Message:
   Allow apache 2.4 ito be used with ap2-auth-mellon.

Revision 1.31 / (download) - annotate - [select for diffs], Mon Apr 13 08:10:29 2015 UTC (7 years, 9 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3, pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)

Allow apache 2.4 ito be used with ap2-auth-mellon.

Revision 1.30 / (download) - annotate - [select for diffs], Fri Apr 3 15:53:34 2015 UTC (7 years, 10 months ago) by manu
Branch: MAIN
Changes since 1.29: +1 -3 lines
Diff to previous 1.29 (colored)

Remove obsolete PKG_DESTDIR_SUPPORT

Revision 1.29 / (download) - annotate - [select for diffs], Wed Apr 1 14:08:13 2015 UTC (7 years, 10 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base
Branch point for: pkgsrc-2015Q1
Changes since 1.28: +5 -8 lines
Diff to previous 1.28 (colored)

Update mod_auth_mellon after lasso upgrade. Approved by wiz@

NEWS since last version imported in pkgsrc

Version 0.10.0
---------------------------------------------------------------------------

* Make sure that we fail in the unlikely case where OpenSSL is not able
  to provide us with a secure session id.

* Increase the number of key-value pairs in the session to 2048.

* Add MellonMergeEnvVars-option to store multi-valued attributes in
  a single environment variable, separated with ';'.

* Bugfixes:

  * Fix the [MAP] option for MellonCond.

  * Fix cookie deletion for the session cookie. (Logout is not dependent
    on the cookie being deleted, so this only fixes the cookie showing
    up after the session is deleted.)

Version 0.9.1
---------------------------------------------------------------------------

* Bugfixes:

  * Fix session offset calculation that prevented us from having
    active sessions at once.

  * Run mod_auth_mellon request handler before most other handlers,
    so that other handlers cannot block it by accident.


Version 0.9.0
---------------------------------------------------------------------------

* Set the AssertionConsumerServiceURL attribute in authentication
  requests.

* Bugfixes:

  * Fix use of uninitialized data during logout.

  * Fix session entry overflow leading to segmentation faults.

  * Fix looking up sessions by NameID, which is used during logout.


Version 0.8.1
---------------------------------------------------------------------------

This is a security release with fixes backported from version 0.9.1.

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)

In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)


Version 0.8.0
---------------------------------------------------------------------------

* Add support for receiving HTTP-Artifact identifiers as POST data.

* Simplify caching headers.

* Map login errors into more appropriate HTTP error codes than
  400 Bad Request.

* Add MellonNoSuccessErrorPage option to redirect to a error page on login
  failure.

* Turn session storage into a dynamic pool of memory, which means that
  attribute values (and other items) can have arbitrary sizes as long as
  they fit in the session as a whole.

* Various bugfixes:

  * Fix for compatibility with recent versions of CURL.

  * Fix broken option MellonDoNotVerifyLogoutSignature.

  * Fix deadlock that could occur during logout processing.

  * Fix some compile warnings.

  * Fix some NULL derefernce bugs that may lead to segmentation faults.

  * Fix a minor memory leak during IdP metadata loading.


Version 0.7.0
---------------------------------------------------------------------------

* Add MellonSPentityId to control entityId in autogenerated metadata

* Fix compatibility with Apache 2.4.

* Handle empty RelayState the same as missing RelayState.

* Add MellonSetEvnNoPrefix directive to set environment variables
  without "MELLON_"-prefix.

Revision 1.28 / (download) - annotate - [select for diffs], Wed Feb 12 23:18:43 2014 UTC (8 years, 11 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

Recursive PKGREVISION bump for OpenSSL API version bump.

Revision 1.27 / (download) - annotate - [select for diffs], Wed Jan 1 11:52:37 2014 UTC (9 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.26: +2 -1 lines
Diff to previous 1.26 (colored)

Recursive PKGREVISION bump for libgcrypt-1.6.0 shlib major bump.

Revision 1.26 / (download) - annotate - [select for diffs], Mon Apr 15 15:35:01 2013 UTC (9 years, 9 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4, pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.25: +5 -3 lines
Diff to previous 1.25 (colored)

Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream

Changes since 0.4.0, from NEWS file:

* Add MellonSPentityId to control entityId in autogenerated metadata

Version 0.6.1
---------------------------------------------------------------------------

* Fix the POST replay functionality when multiple users logging in
  at once.

* Add a fallback for the case where the POST replay data has expired
  before the user logs in.

Version 0.6.0
---------------------------------------------------------------------------

Backwards-incompatible changes:

* The POST replay functionality has been disabled by default, and the
  automatic creation of the MellonPostDirectory target directory has been
  removed. If you want to use the POST replay functionality, take a
  look at the README file for instructions for how to enable this.

* Start discovery service when accessing the login endpoint. We used
  to bypass the discovery service in this case, and just pick the first
  IdP. This has been changed to send a request to the discovery service
  instead, if one is configured.

* The MellonLockFile default path has been changed to:
    /var/run/mod_auth_mellon.lock
  This only affects platforms where a lock file is required and
  where Apache doesn't have write access to that directory during
  startup. (Apache can normally create files in that directory
  during startup.)

Other changes:

* Fix support for SOAP logout.

* Local logout when IdP does not support SAML 2.0 Single Logout.

* MellonDoNotVerifyLogoutSignature option to disable logout signature
  validation.

* Support for relative file paths in configuration.

* The debian build-directory has been removed from the repository.

* Various cleanups and bugfixes:

  * Fix cookie parsing header parsing for some HTTP libraries.

  * Fix inheritance of MellonAuthnContextClassRef option.

  * Use ap_set_content_type() instead of accessing request->content_type.

  * README indentation cleanups.

  * Support for even older versions of GLib.

  * Fixes for error handling during session initialization.

  * Directly link with GLib rather than relying on the Lasso library
    linking to it for us.

  * Some code cleanups.

Version 0.5.0
---------------------------------------------------------------------------

* Honour MellonProbeDiscoveryIdP order when sending probes.

* MellonAuthnContextClassRef configuration directive, to limit
  authentication to specific authentication methods.

* Support for the HTTP-POST binding when sending authentication
  requests to the IdP.

* MellonSubjectConfirmationDataAddressCheck option to disable received
  address checking.

* Various cleanups and bugfixes:

  * Support for older versions of GLib and APR.

  * Send the correct SP entityID to the discovery service.

  * Do not set response headers twice.

  * Several cleanups in the code that starts authentication.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Feb 6 23:23:57 2013 UTC (9 years, 11 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)

PKGREVISION bumps for the security/openssl 1.0.1d update.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Dec 16 01:52:36 2012 UTC (10 years, 1 month ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

recursive bump from cyrus-sasl libsasl2 shlib major bump.

Revision 1.23 / (download) - annotate - [select for diffs], Sun Oct 28 06:30:06 2012 UTC (10 years, 3 months ago) by asau
Branch: MAIN
Changes since 1.22: +1 -3 lines
Diff to previous 1.22 (colored)

Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.22 / (download) - annotate - [select for diffs], Sat Sep 15 10:06:44 2012 UTC (10 years, 4 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)

recursive bump from libffi shlib major bump
(additionaly, reset PKGREVISION of qt4-* sub packages from base qt4 update)

Revision 1.21 / (download) - annotate - [select for diffs], Thu Jun 14 07:44:54 2012 UTC (10 years, 7 months ago) by sbd
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

Recursive PKGREVISION bump for libxml2 buildlink addition.

Revision 1.20 / (download) - annotate - [select for diffs], Sat Mar 3 00:14:04 2012 UTC (10 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

Recursive bump for pcre-8.30* (shlib major change)

Revision 1.19 / (download) - annotate - [select for diffs], Mon Feb 6 12:41:51 2012 UTC (10 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)

Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.

Revision 1.18 / (download) - annotate - [select for diffs], Tue Dec 6 09:58:01 2011 UTC (11 years, 1 month ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.17: +7 -5 lines
Diff to previous 1.17 (colored)

Update to mod_auth_mellon 0.4.0 plus upstream patch:

* Honour MellonProbeDiscoveryIdP order when sending probes
* Allow MellonUser variable to be translated through MellonSetEnv
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
  IdP dicovery URL scheme
* New MellonCond directive to enable attribute filtering beyond
  MellonRequire functionalities.
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
  using a glob(3) pattern.
* Support for running behind reverse proxy.
* MellonCookieDomain and MellonCookiePath options to configure cookie
  settings.
* Support for loading federation metadata files.
* Several bugfixes.

Revision 1.17 / (download) - annotate - [select for diffs], Sat May 7 05:15:21 2011 UTC (11 years, 8 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)

Unbreak SP initiated SLO with lasso >= 2.3.5 (patch backported from upstream)

Revision 1.16 / (download) - annotate - [select for diffs], Fri Apr 22 13:44:57 2011 UTC (11 years, 9 months ago) by obache
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

recursive bump from gettext-lib shlib bump.

Revision 1.15 / (download) - annotate - [select for diffs], Mon Apr 4 08:45:43 2011 UTC (11 years, 10 months ago) by manu
Branch: MAIN
Changes since 1.14: +3 -2 lines
Diff to previous 1.14 (colored)

Update ap2-auth-mellon to 2.3.5, plus patches pulled from upstream:

Pulled from upcoming 0.3.1
---------------------------------------------------------------------------

* Allow MellonUser variable to be translated through MellonSetEnv

* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
  IdP dicovery URL scheme

* New MellonCond directive to enable attribute filtering beyond
  MellonRequire functionalities.

* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
  using a glob(3) pattern.

Version 0.3.0
---------------------------------------------------------------------------

* New login-endpoint, which allows easier manual initiation of login
  requests, and specifying parameters such as IsPassive.

* Validation of Conditions and SubjectConfirmation data in the assertion
  we receive from the IdP.

* Various bugfixes.

Revision 1.14 / (download) - annotate - [select for diffs], Fri Mar 18 09:48:54 2011 UTC (11 years, 10 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1
Changes since 1.13: +19 -12 lines
Diff to previous 1.13 (colored)

* LICENSE=gnu-gpl-v2
* remove unwanted CONFIGURE_ENV and CONFIGURE_ARGS items.
* add a trick to convert `-pthread' flags to apxs style.
* add user-destdir installation support

Revision 1.13 / (download) - annotate - [select for diffs], Mon May 31 16:46:30 2010 UTC (12 years, 8 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2
Changes since 1.12: +2 -3 lines
Diff to previous 1.12 (colored)

Update to 0.2.7. From the NEWS file:
Version 0.2.7
---------------------------------------------------------------------------

* Optionaly ave the remote IdP entityId in the environment

* Shibboleth 2 interoperability

Version 0.2.6
---------------------------------------------------------------------------

* Fix XSS/DOS vulnerability in repost handler.

Revision 1.12 / (download) - annotate - [select for diffs], Sun Jan 17 12:02:48 2010 UTC (13 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base, pkgsrc-2010Q1
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Recursive PKGREVISION bump for jpeg update to 8.

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jan 4 15:43:17 2010 UTC (13 years ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Changes since 1.10: +7 -6 lines
Diff to previous 1.10 (colored)

Installation doesn't work with destdir. Make sure to pull include/openssl
into the include path. Mark as only for Apache 2.2.

Revision 1.10 / (download) - annotate - [select for diffs], Sun Dec 20 11:31:30 2009 UTC (13 years, 1 month ago) by manu
Branch: MAIN
Changes since 1.9: +9 -1 lines
Diff to previous 1.9 (colored)

Fix a XSS vulnerability

Revision 1.9 / (download) - annotate - [select for diffs], Fri Dec 11 14:45:38 2009 UTC (13 years, 1 month ago) by obache
Branch: MAIN
Changes since 1.8: +1 -4 lines
Diff to previous 1.8 (colored)

Remove additions to CONFIGURE_ENV.
They are automatically handled automatically by pkgsrc with more
sufficient variables.

Revision 1.8 / (download) - annotate - [select for diffs], Fri Dec 11 11:43:37 2009 UTC (13 years, 1 month ago) by obache
Branch: MAIN
Changes since 1.7: +1 -3 lines
Diff to previous 1.7 (colored)

apxs does not support DESTDIR installation.

Revision 1.7 / (download) - annotate - [select for diffs], Fri Dec 11 11:38:20 2009 UTC (13 years, 1 month ago) by obache
Branch: MAIN
Changes since 1.6: +1 -3 lines
Diff to previous 1.6 (colored)

Remove comments from url2pkg.

Revision 1.6 / (download) - annotate - [select for diffs], Mon Nov 16 09:48:28 2009 UTC (13 years, 2 months ago) by manu
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

Update to mod_auth_mellon 0.2.5. From the NEWS file:
* Replay POST requests after been sent to the IdP
* Fix HTTP response splitting vulnerability.

Revision 1.5 / (download) - annotate - [select for diffs], Tue Aug 11 15:53:41 2009 UTC (13 years, 5 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

Change since 0.2.4:

* Fix for downloads of files with Internet Explorer with SSL enabled.

* Mark session as disabled as soon as logout starts, in case the IdP
  doesn't respond.

* Bugfix for session lifetime. Take the session lifetime from the
  SessionNotOnOrAfter attribute if it is present.

Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 15 19:45:14 2009 UTC (13 years, 7 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base, pkgsrc-2009Q2
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

Update to 0.2.2. From NEWS:
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
  element data to be supplied from Apache configuration

Revision 1.3 / (download) - annotate - [select for diffs], Sat Jun 6 10:27:30 2009 UTC (13 years, 7 months ago) by manu
Branch: MAIN
Changes since 1.2: +3 -3 lines
Diff to previous 1.2 (colored)

Update to 0.2.1:
* Make SAML authentication assertion and Lasso session available in the
  environement.
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
* Multiple IdP support, with discovery service.
* Built in discovery service which tests the availability of each IdP,
  and uses the first available IdP.
* Fix a mutex leak.
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
  session cookies.
* Better handling of logout request when the user is already logged out.

Revision 1.2 / (download) - annotate - [select for diffs], Tue Mar 3 10:53:15 2009 UTC (13 years, 11 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

Add missing version in package names

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Mon Mar 2 16:47:42 2009 UTC (13 years, 11 months ago) by manu
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

mod_auth_mellon is a authentication module for apache. It authenticates
the user against a SAML 2.0 IdP, and and grants access to directories
depending on attributes received from the IdP.

Revision 1.1 / (download) - annotate - [select for diffs], Mon Mar 2 16:47:42 2009 UTC (13 years, 11 months ago) by manu
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>