Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified)) by mollari.NetBSD.org (Postfix) with ESMTPS id DE892A65B7 for ; Wed, 1 Apr 2015 14:08:23 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 864DF14A193; Wed, 1 Apr 2015 14:08:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id DB17314A16D for ; Wed, 1 Apr 2015 14:08:14 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id LoNWS7B4SDVB for ; Wed, 1 Apr 2015 14:08:14 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 1CDDE14A162 for ; Wed, 1 Apr 2015 14:08:14 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id 10D9998; Wed, 1 Apr 2015 14:08:14 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Wed, 1 Apr 2015 14:08:14 +0000 From: "Emmanuel Dreyfus" Subject: CVS commit: pkgsrc/www/ap2-auth-mellon To: pkgsrc-changes@NetBSD.org Reply-To: manu@netbsd.org X-Mailer: log_accum Message-Id: <20150401140814.10D9998@cvs.netbsd.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: manu Date: Wed Apr 1 14:08:14 UTC 2015 Modified Files: pkgsrc/www/ap2-auth-mellon: MESSAGE Makefile distinfo Removed Files: pkgsrc/www/ap2-auth-mellon/patches: patch-aj Log Message: Update mod_auth_mellon after lasso upgrade. Approved by wiz@ NEWS since last version imported in pkgsrc Version 0.10.0 --------------------------------------------------------------------------- * Make sure that we fail in the unlikely case where OpenSSL is not able to provide us with a secure session id. * Increase the number of key-value pairs in the session to 2048. * Add MellonMergeEnvVars-option to store multi-valued attributes in a single environment variable, separated with ';'. * Bugfixes: * Fix the [MAP] option for MellonCond. * Fix cookie deletion for the session cookie. (Logout is not dependent on the cookie being deleted, so this only fixes the cookie showing up after the session is deleted.) Version 0.9.1 --------------------------------------------------------------------------- * Bugfixes: * Fix session offset calculation that prevented us from having active sessions at once. * Run mod_auth_mellon request handler before most other handlers, so that other handlers cannot block it by accident. Version 0.9.0 --------------------------------------------------------------------------- * Set the AssertionConsumerServiceURL attribute in authentication requests. * Bugfixes: * Fix use of uninitialized data during logout. * Fix session entry overflow leading to segmentation faults. * Fix looking up sessions by NameID, which is used during logout. Version 0.8.1 --------------------------------------------------------------------------- This is a security release with fixes backported from version 0.9.1. It turned out that session overflow bugs fixes in version 0.9.0 and 0.9.1 can lead to information disclosure, where data from one session is leaked to another session. Depending on how this data is used by the web application, this may lead to data from one session being disclosed to an user in a different session. (CVE-2014-8566) In addition to the information disclosure, this release contains some fixes for logout processing, where logout requests would crash the Apache web server. (CVE-2014-8567) Version 0.8.0 --------------------------------------------------------------------------- * Add support for receiving HTTP-Artifact identifiers as POST data. * Simplify caching headers. * Map login errors into more appropriate HTTP error codes than 400 Bad Request. * Add MellonNoSuccessErrorPage option to redirect to a error page on login failure. * Turn session storage into a dynamic pool of memory, which means that attribute values (and other items) can have arbitrary sizes as long as they fit in the session as a whole. * Various bugfixes: * Fix for compatibility with recent versions of CURL. * Fix broken option MellonDoNotVerifyLogoutSignature. * Fix deadlock that could occur during logout processing. * Fix some compile warnings. * Fix some NULL derefernce bugs that may lead to segmentation faults. * Fix a minor memory leak during IdP metadata loading. Version 0.7.0 --------------------------------------------------------------------------- * Add MellonSPentityId to control entityId in autogenerated metadata * Fix compatibility with Apache 2.4. * Handle empty RelayState the same as missing RelayState. * Add MellonSetEvnNoPrefix directive to set environment variables without "MELLON_"-prefix. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/ap2-auth-mellon/MESSAGE cvs rdiff -u -r1.28 -r1.29 pkgsrc/www/ap2-auth-mellon/Makefile cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/ap2-auth-mellon/distinfo cvs rdiff -u -r1.1 -r0 pkgsrc/www/ap2-auth-mellon/patches/patch-aj Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.