--- - branch: MAIN date: Wed Apr 1 14:08:14 UTC 2015 files: - new: '1.3' old: '1.2' path: pkgsrc/www/ap2-auth-mellon/MESSAGE pathrev: pkgsrc/www/ap2-auth-mellon/MESSAGE@1.3 type: modified - new: '1.29' old: '1.28' path: pkgsrc/www/ap2-auth-mellon/Makefile pathrev: pkgsrc/www/ap2-auth-mellon/Makefile@1.29 type: modified - new: '1.13' old: '1.12' path: pkgsrc/www/ap2-auth-mellon/distinfo pathrev: pkgsrc/www/ap2-auth-mellon/distinfo@1.13 type: modified - new: '0' old: '1.1' path: pkgsrc/www/ap2-auth-mellon/patches/patch-aj pathrev: pkgsrc/www/ap2-auth-mellon/patches/patch-aj@0 type: deleted id: 20150401T140814Z.76b6cff106bace037fce68d579f5513ad0b660f7 log: | Update mod_auth_mellon after lasso upgrade. Approved by wiz@ NEWS since last version imported in pkgsrc Version 0.10.0 --------------------------------------------------------------------------- * Make sure that we fail in the unlikely case where OpenSSL is not able to provide us with a secure session id. * Increase the number of key-value pairs in the session to 2048. * Add MellonMergeEnvVars-option to store multi-valued attributes in a single environment variable, separated with ';'. * Bugfixes: * Fix the [MAP] option for MellonCond. * Fix cookie deletion for the session cookie. (Logout is not dependent on the cookie being deleted, so this only fixes the cookie showing up after the session is deleted.) Version 0.9.1 --------------------------------------------------------------------------- * Bugfixes: * Fix session offset calculation that prevented us from having active sessions at once. * Run mod_auth_mellon request handler before most other handlers, so that other handlers cannot block it by accident. Version 0.9.0 --------------------------------------------------------------------------- * Set the AssertionConsumerServiceURL attribute in authentication requests. * Bugfixes: * Fix use of uninitialized data during logout. * Fix session entry overflow leading to segmentation faults. * Fix looking up sessions by NameID, which is used during logout. Version 0.8.1 --------------------------------------------------------------------------- This is a security release with fixes backported from version 0.9.1. It turned out that session overflow bugs fixes in version 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to an user in a different session. (CVE-2014-8566) In addition to the information disclosure, this release contains some fixes for logout processing, where logout requests would crash the Apache web server. (CVE-2014-8567) Version 0.8.0 --------------------------------------------------------------------------- * Add support for receiving HTTP-Artifact identifiers as POST data. * Simplify caching headers. * Map login errors into more appropriate HTTP error codes than 400 Bad Request. * Add MellonNoSuccessErrorPage option to redirect to a error page on login failure. * Turn session storage into a dynamic pool of memory, which means that attribute values (and other items) can have arbitrary sizes as long as they fit in the session as a whole. * Various bugfixes: * Fix for compatibility with recent versions of CURL. * Fix broken option MellonDoNotVerifyLogoutSignature. * Fix deadlock that could occur during logout processing. * Fix some compile warnings. * Fix some NULL derefernce bugs that may lead to segmentation faults. * Fix a minor memory leak during IdP metadata loading. Version 0.7.0 --------------------------------------------------------------------------- * Add MellonSPentityId to control entityId in autogenerated metadata * Fix compatibility with Apache 2.4. * Handle empty RelayState the same as missing RelayState. * Add MellonSetEvnNoPrefix directive to set environment variables without "MELLON_"-prefix. module: pkgsrc subject: 'CVS commit: pkgsrc/www/ap2-auth-mellon' unixtime: '1427897294' user: manu