Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id 549187ABDA for ; Mon, 14 Mar 2016 09:58:59 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 04BAE85EAE; Mon, 14 Mar 2016 09:58:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 8527285E77 for ; Mon, 14 Mar 2016 09:58:58 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id I54-gFaYSmKk for ; Mon, 14 Mar 2016 09:58:58 +0000 (UTC) Received: from cvs.NetBSD.org (unknown [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 0B59885E81 for ; Mon, 14 Mar 2016 09:58:58 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 028B7FBB7; Mon, 14 Mar 2016 09:58:58 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Mon, 14 Mar 2016 09:58:57 +0000 From: "Emmanuel Dreyfus" Subject: CVS commit: pkgsrc/www/ap2-auth-mellon To: pkgsrc-changes@NetBSD.org Reply-To: manu@netbsd.org X-Mailer: log_accum Message-Id: <20160314095858.028B7FBB7@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: manu Date: Mon Mar 14 09:58:57 UTC 2016 Modified Files: pkgsrc/www/ap2-auth-mellon: Makefile distinfo Added Files: pkgsrc/www/ap2-auth-mellon/patches: patch-0274 Log Message: Update mod_auth_mellon to 0.12.0 Fixes CVE-2016-2145 and CVE-2016-2146 Changes since 0.10.0 frome NEWS file and patches/patch-0274 patch-0274 --------------------------------------------------------------------------- * Return 500 Internal Server Error if probe discovery fails. Version 0.12.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data. In addition this release contains the following new features and fixes: * Add MellonRedirecDomains option to limit the sites that mod_auth_mellon can redirect to. This option is enabled by default. * Add support for ECP service options in PAOS requests. * Fix AssertionConsumerService lookup for PAOS requests. Version 0.11.1 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data Version 0.11.0 --------------------------------------------------------------------------- * Add SAML 2.0 ECP support. * The MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used. * Set max-age=0 in Cache-Control header, to ensure that all browsers verifies the data on each request. * MellonMergeEnvVars On now accepts second optional parameter, the separator to be used instead of the default ';'. * Add option MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in environment variable suffixed _N. * Add option MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1. * Bugfixes: * Fix error about missing authentication with DirectoryIndex in Apache 2.4. To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 pkgsrc/www/ap2-auth-mellon/Makefile cvs rdiff -u -r1.14 -r1.15 pkgsrc/www/ap2-auth-mellon/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/www/ap2-auth-mellon/patches/patch-0274 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.