Compare commits

...

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

19 changed files with 1 additions and 8186 deletions

1
.gitignore vendored
View File

@ -1 +0,0 @@
SOURCES/mod_auth_mellon-0.14.0.tar.gz

View File

@ -1 +0,0 @@
4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz

View File

@ -1,80 +0,0 @@
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Tue, 5 Mar 2019 10:15:48 +0100
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
The way the ECP flow works is that when a client initiates the flow, the
SP's response is HTTP 200, but not the requested content, but a signed XML
document that contains the "samlp:AuthnRequest" element. The idea is that
the ECP client would then determine the IDP and send the document to the
IDP, get a samlp:Response and convey that to the SP to get access to the
protected resource.
Internally, the auth check which is normally done with am_check_uid() set to
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
to authenticate the user. Then in the usual flow, the request reaches the
ap_hook_handler which handles the request. There in the pipeline, mellon
registers functions am_handler() which should run first (APR_HOOK_FIRST),
determine that this request is an ECP one and return the ECP AuthnRequest
document. But in case the proxy module is also in the picture, the proxy
module "races" for who gets to be the first to handle the request in the
pipeline and wins. Therefore, the request reaches the protected resource
via mod_proxy and returns it.
This fix modifies the ap_hook_handler() call to explicitly run before
handlers from mod_proxy.c
To reproduce the bug:
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
guess). In the example below, my SAML SP is saml.federation.test
1) Set a Location protected by mellon that proxies requests to another
URL. For example:
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
2) call:
curl -L -H "Accept: application/vnd.paos+xml" \
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
http://saml.federation.test/sp-proxy
Before the patch, you would see whatever is served from the proxied
page. With the patch, you should get back a XML document with a
samlp:AuthnRequest.
---
mod_auth_mellon.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
index 74bd328..5330f48 100644
--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
+ /* Our handler needs to run before mod_proxy so that it can properly
+ * return ECP AuthnRequest messages when running as a reverse proxy.
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+ */
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
* Therefore this hook must run before any handler that may check
* r->handler and decide that it is the only handler for this URL.
*/
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
#ifdef ENABLE_DIAGNOSTICS
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
--
2.19.2

View File

@ -1,44 +0,0 @@
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 19 Mar 2019 13:42:22 +0100
Subject: [PATCH] Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into
forward slashes, while apr_uri_parse() does not.
This mismatch allows an attacker to bypass the redirect URL validation
by using an URL like:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
mod_auth_mellon will assume that it is a relative URL and allow the
request to pass through, while the browsers will use it as an absolute
url and redirect to https://malicious.example.org/ .
This patch fixes this issue by rejecting all redirect URLs with
backslashes.
---
auth_mellon_util.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 0fab309..fd442f9 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
"Control character detected in URL.");
return HTTP_BAD_REQUEST;
}
+ if (*i == '\\') {
+ /* Reject backslash character, as it can be used to bypass
+ * redirect URL validation. */
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+ "Backslash character detected in URL.");
+ return HTTP_BAD_REQUEST;
+ }
}
return OK;
--
2.19.2

View File

@ -1,172 +0,0 @@
diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
+++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
*/
for(i = 0; i < t->size; ++i) {
varname = am_cache_entry_get_string(t, &t->env[i].varname);
- varname_prefix = "MELLON_";
+ varname_prefix = d->env_prefix;
/* Check if we should map this name into another name. */
env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
@@ -36,6 +36,11 @@ static const char *default_endpoint_path
*/
static const char *default_user_attribute = "NAME_ID";
+/* This is the default prefix to use for attributes received from the
+ * server. Customizable using the MellonEnvPrefix option
+ */
+static const char *default_env_prefix = "MELLON_";
+
/* This is the default name of the cookie which mod_auth_mellon will set.
* If you change this, then you should also update the description of the
* MellonVar configuration directive.
@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
am_set_setenv_slot,
NULL,
OR_AUTHCFG,
- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
- " MellonSetEnv <old name> <new name>."
+ "Renames attributes received from the server while retaining the"
+ " prefix. The prefix defaults to MELLON_ but can be changed with"
+ " MellonEnvPrefix."
+ " The format is MellonSetEnv <old name> <new name>."
),
AP_INIT_TAKE2(
"MellonSetEnvNoPrefix",
@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
"Renames attributes received from the server without adding prefix. The format is"
" MellonSetEnvNoPrefix <old name> <new name>."
),
+ AP_INIT_TAKE1(
+ "MellonEnvPrefix",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
+ OR_AUTHCFG,
+ "The prefix to use for attributes received from the server."
+ ),
AP_INIT_FLAG(
"MellonSessionDump",
ap_set_flag_slot,
@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
dir->cookie_path = NULL;
dir->cookie_samesite = am_samesite_default;
dir->envattr = apr_hash_make(p);
+ dir->env_prefix = default_env_prefix;
dir->userattr = default_user_attribute;
dir->idpattr = NULL;
dir->signature_method = inherit_signature_method;
@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
add_cfg->envattr :
base_cfg->envattr);
+ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
+ add_cfg->env_prefix :
+ base_cfg->env_prefix);
+
new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
add_cfg->userattr :
base_cfg->userattr);
diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
"%sMellonCookieSameSite (cookie_samesite): %s\n",
indent(level+1),
am_diag_samesite_str(r, cfg->cookie_samesite));
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonEnvPrefix (env_prefix): %s\n",
+ indent(level+1), cfg->env_prefix);
apr_file_printf(diag_cfg->fd,
"%sMellonCond (cond): %d items\n",
@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
if (envattr_conf->prefixed) {
- name = apr_pstrcat(r->pool, "MELLON_",
+ name = apr_pstrcat(r->pool, cfg->env_prefix,
envattr_conf->name, NULL);
} else {
name = envattr_conf->name;
diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
am_samesite_t cookie_samesite;
apr_array_header_t *cond;
apr_hash_t *envattr;
+ const char *env_prefix;
const char *userattr;
const char *idpattr;
LassoSignatureMethod signature_method;
diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
@@ -2007,11 +2007,13 @@ attributes.
assertion to a name of your choosing when it is placed in the Apache
environment. This is controlled by `MellonSetEnv` and
`MellonSetEnvNoPrefix` directives. The distinction
- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
+ is `MellonSetEnv` always prepends a prefix to the
environment variable name to help to prevent name collisions. The
+ prefix defaults to `MELLON_` and can be configured using the
+ `MellonEnvPrefix` configuration option. The
`MellonSetEnvNoPrefix` directive also remaps the assertion name to a
name of your choosing but it omits prepending the environment
- variable name with `MELLON_`. See <<map_assertion_attr_name>>
+ variable name with the prefix. See <<map_assertion_attr_name>>
Using the <<assertion_response,assertion example>> Mellon places these
environment variables in the Apache environment. See
@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T
assertion attribute to a name of your choosing. The `MellonSetEnv`
directive follows the same convention as all other assertion
attributes added by Mellon in that it always prefixes the environment
-variable name with `MELLON_` to help avoid name collisions in the
+variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the
Apache environment. However sometimes you do not want the `MELLON_`
-prefix added and instead you want to use exactly the environment
-variable name as specified., `MellonSetEnvNoPrefix` serves this role.
+prefix added. In case you simply want the variables prefixed with
+a different string, use the `MellonEnvPrefix` configuration option. If,
+instead you want to use exactly the environment variable name as specified.,
+`MellonSetEnvNoPrefix` serves this role.
To illustrate let's look at an example. Suppose your web app is
expecting an attribute which is the user's last name, specifically it
@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM
Also see <<set_remote_user>> for an example of setting the `REMOTE_USER`
environment variable using `MellonSetEnvNoPrefix`.
+The `MellonEnvPrefix` variable might be useful e.g. if you
+are migrating from a different SP which used its own prefix
+for the variables passed by the IdP. For example, to prefix
+all variables with `NOLLEM_` you would use:
+
+----
+MellonEnvPrefix NOLLEM_
+----
+
=== Using Mellon to apply constraints [[assertion_constraints]]
SAML attributes can be used for more than exporting those values to a
diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md
--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200
@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off
# Default. None set.
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+ # MellonEnvPrefix changes the string the variables passed from the
+ # IdP are prefixed with.
+ # Default: MELLON_
+ MellonEnvPrefix "NOLLEM_"
+
# MellonMergeEnvVars merges multiple values of environment variables
# set using MellonSetEnv into single variable:
# ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:

View File

@ -1,49 +0,0 @@
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 25 Jul 2018 12:19:39 +0200
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
The code was looking for "X-Request-With", but the header is actually
"X-Requested-With". As far as I can tell, it has always been the
latter, at least in the jQuery source code.
Fixes issue #174.
---
README.md | 2 +-
auth_mellon_handler.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 0a91dc5..8d85b43 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
# then we will redirect him to the login page of the IdP.
#
# There is a special handling of AJAX requests, that are
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
# header. Since no user interaction can happen there,
# we always fail unauthenticated (not logged in) requests
# with a 403 Forbidden error without redirecting to the IdP.
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index b16dc45..e33e6e9 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
* If this is an AJAX request, we cannot proceed to the IdP,
* Just fail early to save our resources
*/
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
if (ajax_header != NULL &&
strcmp(ajax_header, "XMLHttpRequest") == 0) {
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
- "Deny unauthenticated X-Request-With XMLHttpRequest "
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
"(AJAX) request");
return HTTP_FORBIDDEN;
}
--
2.20.1

View File

@ -1,28 +0,0 @@
From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
From: Valentin <awakenine@users.noreply.github.com>
Date: Fri, 6 Sep 2019 13:30:36 +0300
Subject: [PATCH] Update auth_mellon_mode.c
Fix open redirect CVE-2019-13038
---
auth_mellon_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index fd442f9..7dff61e 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
/* Sanity check of the scheme of the domain. We only allow http and https. */
if (uri.scheme) {
+ /* http and https schemes without hostname are invalid. */
+ if (!uri.hostname) {
+ return HTTP_BAD_REQUEST;
+ }
if (strcasecmp(uri.scheme, "http")
&& strcasecmp(uri.scheme, "https")) {
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
--
2.21.0

View File

@ -1,95 +0,0 @@
From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
From: Anthony Critelli <acritelli@datto.com>
Date: Tue, 7 Jan 2020 11:14:24 -0500
Subject: [PATCH] Add none option for samesite
---
README.md | 7 +++++--
auth_mellon.h | 3 ++-
auth_mellon_config.c | 2 ++
auth_mellon_cookie.c | 4 +++-
auth_mellon_diagnostics.c | 1 +
5 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index be374bc..82a88fc 100644
--- a/README.md
+++ b/README.md
@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
# MellonCookieSameSite allows control over the SameSite value used
# for the authentication cookie.
- # The setting accepts values of "Strict" or "Lax"
- # If not set, the SameSite attribute is not set on the cookie.
+ # The setting accepts values of "Strict", "Lax", or "None".
+ # When using none, you should set "MellonSecureCookie On" to prevent
+ # compatibility issues with newer browsers.
+ # If not set, the SameSite attribute is not set on the cookie. In newer
+ # browsers, this may cause SameSite to default to "Lax"
# Default: not set
# MellonCookieSameSite lax
diff --git a/auth_mellon.h b/auth_mellon.h
index 9ef2d8a..5f5a20b 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -164,7 +164,8 @@ typedef enum {
typedef enum {
am_samesite_default,
am_samesite_lax,
- am_samesite_strict
+ am_samesite_strict,
+ am_samesite_none,
} am_samesite_t;
typedef enum {
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 7932e2d..f1a9d12 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
d->cookie_samesite = am_samesite_lax;
} else if(!strcasecmp(arg, "strict")) {
d->cookie_samesite = am_samesite_strict;
+ } else if(!strcasecmp(arg, "none")) {
+ d->cookie_samesite = am_samesite_none;
} else {
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
}
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 8394c18..b2c8535 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -1,7 +1,7 @@
/*
*
* auth_mellon_cookie.c: an authentication apache module
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
}
secure_cookie = cfg->secure;
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
index 792e894..912814b 100644
--- a/auth_mellon_diagnostics.c
+++ b/auth_mellon_diagnostics.c
@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
case am_samesite_default: return "default";
case am_samesite_lax: return "lax";
case am_samesite_strict: return "strict";
+ case am_samesite_none: return "none";
default:
return apr_psprintf(r->pool, "unknown (%d)", samesite);
}
--
2.21.0

View File

@ -1,69 +0,0 @@
From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
From: Keita SUZUKI <keita@osstech.co.jp>
Date: Mon, 20 Jan 2020 11:03:14 +0900
Subject: [PATCH] avoid always set SameSite cookie
---
auth_mellon.h | 5 +++++
auth_mellon_cookie.c | 22 ++++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index 5f5a20b..8bb8023 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -96,6 +96,11 @@ typedef enum {
} am_diag_flags_t;
#endif
+
+/* Disable SameSite Environment Value */
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
*/
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index b2c8535..55f77a5 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
const char *cookie_domain = ap_get_server_name(r);
const char *cookie_path = "/";
const char *cookie_samesite = "";
+ const char *env_var_value = NULL;
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
if (cfg->cookie_domain) {
@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
cookie_path = cfg->cookie_path;
}
- if (cfg->cookie_samesite == am_samesite_lax) {
- cookie_samesite = "; SameSite=Lax";
- } else if (cfg->cookie_samesite == am_samesite_strict) {
- cookie_samesite = "; SameSite=Strict";
- } else if (cfg->cookie_samesite == am_samesite_none) {
- cookie_samesite = "; SameSite=None";
+ if (r->subprocess_env != NULL){
+ env_var_value = apr_table_get(r->subprocess_env,
+ AM_DISABLE_SAMESITE_ENV_VAR);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
+ }
+
+ if (env_var_value == NULL){
+ if (cfg->cookie_samesite == am_samesite_lax) {
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
+ }
}
secure_cookie = cfg->secure;
--
2.21.0

View File

@ -1,78 +0,0 @@
From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <r.pluem@gmx.de>
Date: Thu, 30 Apr 2020 07:56:01 +0200
Subject: [PATCH] Set SameSite to None on test cookie
If the SameSite cookie attribute is to be set because
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
for this particular request set it to None for the test cookie.
This ensures that the test cookie with the static test content does not
get lost in the HTTP-POST binding request issued by the autosubmit form
returned by the IDP.
Addresses #20
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
to set SameSite to None if appropriate.
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
requested via request note.
---
auth_mellon.h | 3 +++
auth_mellon_cookie.c | 6 +++++-
auth_mellon_handler.c | 5 +++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index fd39b28..401ed9c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -100,6 +100,9 @@ typedef enum {
/* Disable SameSite Environment Value */
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+/* Force setting SameSite to None */
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 55f77a5..6bff81e 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
}
if (env_var_value == NULL){
- if (cfg->cookie_samesite == am_samesite_lax) {
+ if ((cfg->cookie_samesite != am_samesite_default) &&
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
+ cookie_samesite = "; SameSite=None";
+ }
+ else if (cfg->cookie_samesite == am_samesite_lax) {
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 395ee1d..40c9bcd 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
/* Add cookie for cookie test. We know that we should have
* a valid cookie when we return from the IdP after SP-initiated
* login.
+ * Ensure that SameSite is set to None for this cookie if SameSite
+ * is allowed to be set as the cookie otherwise gets lost on
+ * HTTP-POST binding messages.
*/
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
am_cookie_set(r, "cookietest");
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
server = am_get_lasso_server(r);
if(server == NULL) {
--
2.26.2

View File

@ -1,47 +0,0 @@
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
From: AIMOTO Norihito <aimoto@osstech.co.jp>
Date: Tue, 6 Jul 2021 22:57:24 +0200
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
Visiting a logout URL like this:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
would have redirected the user to fishing-site.example.com
With the patch, this URL would be rejected.
Fixes: CVE-2021-3639
---
auth_mellon_util.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 2f8c9c3..6a686db 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
{
const char *i;
+ if (url == NULL) {
+ return HTTP_BAD_REQUEST;
+ }
+
for (i = url; *i; i++) {
if (*i >= 0 && *i < ' ') {
/* Deny all control-characters. */
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
}
}
+ if (strstr(url, "///") == url) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+ "URL starts with '///'");
+ return HTTP_BAD_REQUEST;
+ }
+
return OK;
}
--
2.26.3

View File

@ -1 +0,0 @@
LoadModule auth_mellon_module modules/mod_auth_mellon.so

View File

@ -1,83 +0,0 @@
Red Hat Specific mod_auth_mellon Information
============================================
This README contains information specific to Red Hat's distribution of
``mod_auth_mellon``.
Diagnostic Logging
------------------
Diagnostic logging can be used to collect run time information to help
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
the "Mellon Diagnostics" section in the Mellon User Guide for more
details.
How to enable diagnostic logging on Red Hat systems
```````````````````````````````````````````````````
Diagnostic logging adds overhead to the execution of
``mod_auth_mellon``. The code to emit diagnostic logging must be
compiled into ``mod_auth_mellon`` at build time. In addition the
diagnostic log file may contain security sensitive information which
should not normally be written to a log file. If you have a
version of ``mod_auth_mellon`` which was built with diagnostics you
can disable diagnostic logging via the ``MellonDiagnosticsEnable``
configuration directive. However given human nature the potential to
enable diagnostic logging while resolving a problem and then forget to
disable it is not a situation that should exist by default. Therefore
given the overhead consideration and the desire to avoid enabling
diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's
ship with two versions of the ``mod_auth_mellon`` Apache module.
1. The ``mod_auth_mellon`` RPM contains the normal Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon.so``
2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
version of the Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``
Because each version of the module has a different name both the
normal and diagnostic modules can be installed simultaneously without
conflict. But Apache will only load one of the two modules. Which
module is loaded is controlled by the
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which
has a line in it which looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon.so
To load the diagnostics version of the module you need to change the
module name so it looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so
**Don't forget to change it back again when you're done debugging.**
You'll also need to enable the collection of diagnostic information,
do this by adding this directive at the top of your Mellon conf.d
config file or inside your virtual host config (diagnostics are per
server instance)::
MellonDiagnosticsEnable On
.. NOTE::
Some versions of the Mellon User Guide have a typo in the name of
this directive, it incorrectly uses ``MellonDiagnosticEnable``
instead of ``MellonDiagnosticsEnable``. The difference is
Diagnostics is plural.
The Apache ``error_log`` will contain a message indicating how it
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
standard module without diagnostics you'll see a message like this::
MellonDiagnosticsEnable has no effect because Mellon was not
compiled with diagnostics enabled, use
./configure --enable-diagnostics at build time to turn this
feature on.
If you've loaded the diagnostics version of the module you'll see a
message in the ``error_log`` like this::
mellon diagnostics enabled for virtual server *:443
(/etc/httpd/conf.d/my_server.conf:7)
ServerName=https://my_server.example.com:443, diagnostics
filename=logs/mellon_diagnostics

View File

@ -1,2 +0,0 @@
MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"

View File

@ -1,126 +0,0 @@
#!/usr/bin/env bash
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
echo "Output files:"
echo "Private key: $OUTFILE.key"
echo "Certificate: $OUTFILE.cert"
echo "Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "SingleLogoutService (SOAP): $BASEURL/logout"
echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
echo
# No files should not be readable by the rest of the world.
umask 0077
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="$ENTITYID"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="$BASEURL/logout" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="$BASEURL/logout" />
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="$BASEURL/postResponse" />
<AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="$BASEURL/artifactResponse" />
<AssertionConsumerService
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="$BASEURL/paosResponse" />
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chmod go+r "$OUTFILE.xml"
chmod go+r "$OUTFILE.cert"

File diff suppressed because one or more lines are too long

View File

@ -1,2 +0,0 @@
# mod_auth_mellon lock file is created in this directory
d /run/mod_auth_mellon 0755 apache apache

View File

@ -1,275 +0,0 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
Release: 12%{?dist}.1
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
Source2: 10-auth_mellon.conf
Source3: mod_auth_mellon.conf
Source4: mellon_create_metadata.sh
Source5: README.redhat.rst
Source6: mellon_user_guide.html
License: GPLv2+
BuildRequires: gcc
BuildRequires: curl-devel
BuildRequires: glib2-devel
BuildRequires: httpd-devel
BuildRequires: lasso-devel >= 2.5.1
BuildRequires: openssl-devel
BuildRequires: xmlsec1-devel
Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
Patch0005: 0005-CVE_2019_13038.patch
Patch0006: 0006-Add-none-option-for-samesite.patch
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
# mellon_user_guide.html on Fedora using asciidoctor and included
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
# the mellon_user_guide.html will need to be regenerated.
%description
The mod_auth_mellon module is an authentication service that implements the
SAML 2.0 federation protocol. It grants access based on the attributes
received in assertions generated by a IdP server.
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
export APXS=%{_httpd_apxs}
%configure --enable-diagnostics
make clean
make %{?_smp_mflags}
cp .libs/%{name}.so %{name}-diagnostics.so
%configure
make clean
make %{?_smp_mflags}
%install
# install module
mkdir -p %{buildroot}%{_httpd_moddir}
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
# install module configuration
mkdir -p %{buildroot}%{_httpd_confdir}
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
mkdir -p %{buildroot}%{_httpd_modconfdir}
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}/run/%{name}
# install script to generate metadata
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
#install documentation
mkdir -p %{buildroot}/%{_pkgdocdir}
# install Red Hat README
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
# install user guide
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
%package diagnostics
Summary: Build of mod_auth_mellon with diagnostic logging
Requires: %{name} = %{version}-%{release}
%description diagnostics
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
in the doc directory for instructions on using the diagnostics build.
%files diagnostics
%{_httpd_moddir}/%{name}-diagnostics.so
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc COPYING
%else
%license COPYING
%endif
%doc README.md NEWS ECP.rst
%doc %{_pkgdocdir}/README.redhat.rst
%doc %{_pkgdocdir}/user_guide
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
%{_httpd_moddir}/mod_auth_mellon.so
%{_tmpfilesdir}/mod_auth_mellon.conf
%{_libexecdir}/%{name}
%attr(0755,apache,apache) %dir /run/%{name}/
%changelog
* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1
- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect
vulnerability in logout URLs [rhel-8]
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
support latest browsers
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
via the login?ReturnTo= substring which could
facilitate information theft [rhel-8]
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
X-Requested-With
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
- Just bump the release number
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
listings
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
- Apply the patch from the previous commit
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
bypass in ECP flow [rhel-8.1.0]
* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
verification warnings
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
- Resolves: rhbz#1553885
- fix file permissions on doc files
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
- Resolves: rhbz#1553885
- Rebase to current upstream release
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
- Resolves: rhbz#1481330 Add diagnostic logging
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
signature method used to sign SAML messages sent by Mellon.
Defaults to original sha1.
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
- upgrade to new upstream release
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
- Resolves: bug #1414019 Incorrect PAOS Content-Type header
* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
- bump release for rebuild
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
- am_check_uid() should be no-op if mellon not enabled
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
- Update to new upstream 0.12.0
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
- Add MellonRedirectDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
- Add support for ECP service options in PAOS requests.
- Fix AssertionConsumerService lookup for PAOS requests.
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
- Fix the following warning that appears in the Apache log
lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
- Add lasso 2.5.0 version dependency
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
- Upgrade to upstream 0.11.0 release.
- Includes ECP support, see NEWS for all changes.
- Update mellon_create_metadata.sh to match internally generated metadata,
includes AssertionConsumerService for postResponse, artifactResponse &
paosResponse.
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
- New upstream release
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
- New upstream release
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
- New upstream realease version 0.8.0
- Upstream moved to github
- Drops patches as they have been all included upstream
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
- Backport of useful patches from upstream
- Better handling of IDP reported errors
- Better handling of session data storage size
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
- Fix ownership of /run files
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
- Initial Fedora release based on version 0.7.0
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>

1
dead.package Normal file
View File

@ -0,0 +1 @@
mod_auth_mellon was removed due to minimization efforts prior to public launch