a021070469
...
04e86bee53
Author | SHA1 | Date |
---|---|---|
Tomas Halman | 04e86bee53 | |
Tomas Halman | c806712339 | |
Jakub Hrozek | 14ff788096 | |
Mohan Boddu | b5c37f85fa | |
Scott Poore | 47cb7d3098 | |
Scott Poore | 19ad228592 | |
Scott Poore | 2cf525413f | |
Mohan Boddu | 4bfdc6b4e6 | |
Mohan Boddu | 252d229889 | |
DistroBaker | b5ef6d96cd |
|
@ -0,0 +1 @@
|
||||||
|
df4039cca9d706b10c49ea3435af0382da2b959a mod_auth_mellon-0.17.0.tar.gz
|
|
@ -0,0 +1,47 @@
|
||||||
|
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: AIMOTO Norihito <aimoto@osstech.co.jp>
|
||||||
|
Date: Tue, 6 Jul 2021 22:57:24 +0200
|
||||||
|
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
|
||||||
|
|
||||||
|
Visiting a logout URL like this:
|
||||||
|
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
||||||
|
would have redirected the user to fishing-site.example.com
|
||||||
|
|
||||||
|
With the patch, this URL would be rejected.
|
||||||
|
|
||||||
|
Fixes: CVE-2021-3639
|
||||||
|
---
|
||||||
|
auth_mellon_util.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
||||||
|
index 2f8c9c3..6a686db 100644
|
||||||
|
--- a/auth_mellon_util.c
|
||||||
|
+++ b/auth_mellon_util.c
|
||||||
|
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
|
||||||
|
{
|
||||||
|
const char *i;
|
||||||
|
|
||||||
|
+ if (url == NULL) {
|
||||||
|
+ return HTTP_BAD_REQUEST;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (i = url; *i; i++) {
|
||||||
|
if (*i >= 0 && *i < ' ') {
|
||||||
|
/* Deny all control-characters. */
|
||||||
|
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (strstr(url, "///") == url) {
|
||||||
|
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
||||||
|
+ "URL starts with '///'");
|
||||||
|
+ return HTTP_BAD_REQUEST;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
|
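Review bot: The prefix test `+ if (strstr(url, "///") == url)` in the second hunk is correct but scans the whole URL for the first occurrence before comparing the pointer, so it reads like a substring check; a direct prefix comparison states the intent and does only the work it needs: `if (strncmp(url, "///", 3) == 0) {`. The NULL guard added in the first hunk returns HTTP_BAD_REQUEST silently, while the `///` branch logs through AM_LOG_RERROR; logging in the NULL case as well would keep the two rejections consistent and make a missing or malformed ReturnTo visible in the error log. Both hunks belong to am_check_url, and the part of its body between them is outside the visible hunks, so I cannot tell from here whether protocol-relative forms (`//host`) or backslash variants are handled by the loop or by a later validation step; that is worth confirming against the caller rather than assuming this prefix check covers them.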
@ -0,0 +1,6 @@
|
||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-9
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
@ -1,7 +1,7 @@
|
||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||||
Name: mod_auth_mellon
|
Name: mod_auth_mellon
|
||||||
Version: 0.17.0
|
Version: 0.17.0
|
||||||
Release: 1%{?dist}
|
Release: 8%{?dist}
|
||||||
Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
|
Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
|
||||||
Source1: auth_mellon.conf
|
Source1: auth_mellon.conf
|
||||||
Source2: 10-auth_mellon.conf
|
Source2: 10-auth_mellon.conf
|
||||||
|
@ -9,6 +9,7 @@ Source3: mod_auth_mellon.conf
|
||||||
Source4: mellon_create_metadata.sh
|
Source4: mellon_create_metadata.sh
|
||||||
Source5: README.redhat.rst
|
Source5: README.redhat.rst
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: curl-devel
|
BuildRequires: curl-devel
|
||||||
BuildRequires: glib2-devel
|
BuildRequires: glib2-devel
|
||||||
|
@ -21,6 +22,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
|
||||||
Requires: lasso >= 2.5.1-13
|
Requires: lasso >= 2.5.1-13
|
||||||
Url: https://github.com/latchset/mod_auth_mellon
|
Url: https://github.com/latchset/mod_auth_mellon
|
||||||
|
|
||||||
|
Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The mod_auth_mellon module is an authentication service that implements the
|
The mod_auth_mellon module is an authentication service that implements the
|
||||||
|
@ -28,7 +30,7 @@ SAML 2.0 federation protocol. It grants access based on the attributes
|
||||||
received in assertions generated by a IdP server.
|
received in assertions generated by a IdP server.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%autosetup -n %{name}-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
|
@ -98,9 +100,35 @@ in the doc directory for instructions on using the diagnostics build.
|
||||||
%{_httpd_moddir}/mod_auth_mellon.so
|
%{_httpd_moddir}/mod_auth_mellon.so
|
||||||
%{_tmpfilesdir}/mod_auth_mellon.conf
|
%{_tmpfilesdir}/mod_auth_mellon.conf
|
||||||
%{_libexecdir}/%{name}
|
%{_libexecdir}/%{name}
|
||||||
%dir /run/%{name}/
|
%dir %attr(-, apache, apache) /run/%{name}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 5 2023 Tomas Halman <thalman@redhat.com> - 0.17.0-8
|
||||||
|
- Fixing gating issue - rebuild
|
||||||
|
Resolves: rhbz#2184763
|
||||||
|
|
||||||
|
* Tue Jul 26 2022 Tomas Halman <thalman@redhat.com> - 0.17.0-7
|
||||||
|
- bad user/group ownership for /run/mod_auth_mellon
|
||||||
|
Resolves: rhbz#2047948
|
||||||
|
|
||||||
|
* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-6
|
||||||
|
- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect
|
||||||
|
vulnerability in logout URLs
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-5
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-4
|
||||||
|
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||||
|
Related: rhbz#1971065
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-3
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
* Wed Sep 16 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-1
|
* Wed Sep 16 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-1
|
||||||
- New upstream version 0.17.0
|
- New upstream version 0.17.0
|
||||||
|
|
||||||
|
|
|
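Review bot: The changelog entries added in the last hunk are not in date order: `* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-6` sits above `* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-5`, although its date is earlier, while the Release ordering (-6 above -5) is right. Tooling and readers expect descending dates here; if the -6 entry was really written on or after Aug 09, correcting its date is the fix rather than reordering the entries. The `%dir %attr(-, apache, apache) /run/%{name}/` change sets ownership only for the packaged directory; the tmpfiles configuration that recreates it at boot (Source3, installed under %{_tmpfilesdir}) is outside this diff, so it is worth confirming it names the same owner and group so the two stay consistent.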
@ -0,0 +1 @@
|
||||||
|
1
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
standard-inventory-qcow2:
|
||||||
|
qemu:
|
||||||
|
m: 3G
|
||||||
|
smp: 2
|
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
export GIT_SSL_NO_VERIFY=true
|
||||||
|
git clone https://github.com/latchset/federation_testing.git
|
||||||
|
|
||||||
|
cd federation_testing
|
||||||
|
if [ ! -d /tmp/artifacts ]; then
|
||||||
|
mkdir -p /tmp/artifacts
|
||||||
|
fi
|
||||||
|
|
||||||
|
./setup.sh
|
||||||
|
./test_mellon.sh
|
|
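Review bot: `export GIT_SSL_NO_VERIFY=true` disables TLS certificate verification for the `git clone https://github.com/latchset/federation_testing.git` that follows, so the harness whose `./setup.sh` and `./test_mellon.sh` are then executed can be swapped out by anyone able to interpose on that connection; drop the export and, if a CA problem motivated it, install the CA into the test image instead. The script also has no `set -e` and `cd federation_testing` is unchecked, so a failed clone leaves it running `./setup.sh` from the original working directory; `set -euo pipefail` at the top, or `cd federation_testing || exit 1`, makes that failure explicit. Pinning the clone to a fixed tag or commit chosen by the maintainers (`git clone --branch <TAG> ...`, or `git checkout <COMMIT>` after cloning, placeholders to be filled in) would make gating runs reproducible and limit what an upstream repository change can do to the result.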
@ -0,0 +1,12 @@
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-basic
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
tests:
|
||||||
|
- mod_auth_mellon:
|
||||||
|
dir: scripts
|
||||||
|
run: ./run_tests.sh
|
||||||
|
required_packages:
|
||||||
|
- git
|
||||||
|
|