rpms/mod_auth_openidc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI mod_auth_openidc-2.4.15-4.el10_0.1

Browse Source
This commit is contained in:
eabdullin 2025-05-14 18:11:54 +00:00
parent 2b979650b5
commit c283799b3f
12 changed files with 446 additions and 2149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/v2.4.9.4.tar.gz
mod_auth_openidc-2.4.15.tar.gz

1
.mod_auth_openidc.metadata
View File

@ -1 +0,0 @@
47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz

111
0001-CVE-2024-24814.patch Normal file
View File

@ -0,0 +1,111 @@
diff -up mod_auth_openidc-2.4.15/src/metrics.c.orig mod_auth_openidc-2.4.15/src/metrics.c
--- mod_auth_openidc-2.4.15/src/metrics.c.orig 2025-04-11 11:29:39.633387587 +0200
+++ mod_auth_openidc-2.4.15/src/metrics.c 2025-04-11 11:44:45.879336464 +0200
@@ -151,6 +151,7 @@ const oidc_metrics_counter_info_t _oidc_
{ OM_CLASS_CONTENT, "request", "jwks", "JWKs requests to the content handler" },
{ OM_CLASS_CONTENT, "request", "discovery", "discovery requests to the content handler" },
{ OM_CLASS_CONTENT, "request", "post-preserve", "HTTP POST preservation requests to the content handler" },
+ { OM_CLASS_CONTENT, "request", "authn-post", "HTTP POST authentication requests to the content handler" },
{ OM_CLASS_CONTENT, "request", "unknown", "unknown requests to the content handler" },
// KEEP THIS: end-of-counters
diff -up mod_auth_openidc-2.4.15/src/metrics.h.orig mod_auth_openidc-2.4.15/src/metrics.h
--- mod_auth_openidc-2.4.15/src/metrics.h.orig 2025-04-11 11:29:39.635387593 +0200
+++ mod_auth_openidc-2.4.15/src/metrics.h 2025-04-11 11:45:48.802537835 +0200
@@ -174,6 +174,7 @@ typedef enum {
OM_CONTENT_REQUEST_JWKS,
OM_CONTENT_REQUEST_DISCOVERY,
OM_CONTENT_REQUEST_POST_PRESERVE,
+ OM_CONTENT_REQUEST_AUTHN_POST,
OM_CONTENT_REQUEST_UNKNOWN,
} oidc_metrics_counter_type_t;
diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig 2025-04-11 11:29:39.637387600 +0200
+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.c 2025-04-11 11:41:36.817731409 +0200
@@ -4638,11 +4638,18 @@ int oidc_content_handler(request_rec *r)
/* discovery may result in a 200 HTML page or a redirect to an external URL */
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+ /* sending POST authentication request */
+ OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_AUTHN_POST);
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+
+ /* sending POST preserve request */
OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_POST_PRESERVE);
- /* sending POST preserve */
rc = OK;
} /* else: an authenticated request for which content is produced downstream */
diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig 2025-04-11 11:29:39.637387600 +0200
+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.h 2025-04-11 11:31:41.085068464 +0200
@@ -127,7 +127,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
#define OIDC_REQUEST_STATE_KEY_SAVE "s"
#define OIDC_REQUEST_STATE_TRACE_ID "t"
diff -up mod_auth_openidc-2.4.15/src/proto.c.orig mod_auth_openidc-2.4.15/src/proto.c
--- mod_auth_openidc-2.4.15/src/proto.c.orig 2025-04-11 11:29:39.645387627 +0200
+++ mod_auth_openidc-2.4.15/src/proto.c 2025-04-11 12:10:15.546127971 +0200
@@ -493,7 +493,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) {
+static void oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) {
oidc_debug(r, "enter");
@@ -510,7 +510,7 @@ static int oidc_proto_html_post(request_
" </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
}
void add_auth_request_params(request_rec *r, apr_table_t *params, const char *auth_request_params) {
@@ -637,7 +637,12 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
@@ -645,7 +650,6 @@ int oidc_proto_authorization_request(req
authorization_request =
oidc_util_http_query_encoded_url(r, provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL, NULL) == FALSE) {
@@ -658,7 +662,7 @@ int oidc_proto_authorization_request(req
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;
}

77
SOURCES/0001-CVE-2022-23527.patch
View File

@ -1,77 +0,0 @@
commit 4c494e4a59a15580e3226dcd6c02b24076b73421
Author: Tomas Halman <thalman@redhat.com>
Date: Mon Feb 27 13:18:55 2023 +0100
Backport of fixes for CVE-2022-23527
CVE-2022-23527 prevent open redirect in default setup
This patch is based on 87119f44, f38af0e2, 1a394a86 and
1c808c58 updates.
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index b36f6c1..099c716 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
+ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
return TRUE;
}
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index 2218d76..8757411 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
apr_byte_t oidc_enabled(request_rec *r);
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
diff --git a/src/util.c b/src/util.c
index 4c46156..c6453d0 100644
--- a/src/util.c
+++ b/src/util.c
@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
return output;
}
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
+ const char *s = s1;
+ const char *p = s2;
+ do {
+ if (!*p)
+ return (char*) s1;
+ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
+ ++p;
+ ++s;
+ } else {
+ p = s2;
+ if (!*s)
+ return NULL;
+ s = ++s1;
+ }
+ } while (1);
+ return *p ? NULL : (char*) s1;
+}
/*
* get the URL scheme that is currently being accessed

24
SOURCES/0002-CVE-2023-28625.patch
View File

@ -1,24 +0,0 @@
commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
Author: Tomas Halman <thalman@redhat.com>
Date: Tue Apr 11 11:39:55 2023 +0200
Backport fixe of CVE-2023-28625
CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
OIDCStripCookies is set and a crafted Cookie header is supplied
This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 099c716..51eb53e 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
do {
while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
cookie++;
+ if (cookie == NULL)
+ break;
for (i = 0; i < strip->nelts; i++) {
name = ((const char**) strip->elts)[i];

46
SOURCES/0003-CVE-2024-24814.patch
View File

@ -1,46 +0,0 @@
diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
--- mod_auth_openidc-2.4.9.4/src/util.c.orig 2024-02-29 17:54:55.939797412 +0100
+++ mod_auth_openidc-2.4.9.4/src/util.c 2024-02-29 18:01:12.042842605 +0100
@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
*/
char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
int chunkSize) {
- char *cookieValue = NULL;
- char *chunkValue = NULL;
- int i = 0;
- if (chunkSize == 0) {
- cookieValue = oidc_util_get_cookie(r, cookieName);
- } else {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- cookieValue = "";
- for (i = 0; i < chunkCount; i++) {
- chunkValue = oidc_util_get_cookie(r,
- oidc_util_get_chunk_cookie_name(r, cookieName, i));
- if (chunkValue != NULL)
- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
- chunkValue);
- }
- } else {
- cookieValue = oidc_util_get_cookie(r, cookieName);
+ char *cookieValue = NULL, *chunkValue = NULL;
+ int chunkCount = 0, i = 0;
+ if (chunkSize == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ if ((chunkCount < 0) || (chunkCount > 99)) {
+ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+ return NULL;
+ }
+ for (i = 0; i < chunkCount; i++) {
+ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+ if (chunkValue == NULL) {
+ oidc_warn(r, "could not find chunk %d; aborting", i);
+ break;
}
+ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
}
return cookieValue;
}

95
SOURCES/0004-race-condition.patch
View File

@ -1,95 +0,0 @@
diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
--- mod_auth_openidc-2.4.10/src/cache/file.c.orig 2024-04-16 11:12:38.942552103 +0200
+++ mod_auth_openidc-2.4.10/src/cache/file.c 2024-04-16 11:13:09.890588209 +0200
@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
}
/* read the header with cache metadata info */
+ apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
rc = oidc_cache_file_read(r, path, fd, &info,
sizeof(oidc_cache_file_info_t));
+ apr_file_unlock(fd);
apr_file_close(fd);
if (rc == APR_SUCCESS) {
@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
/*
* write a value for the specified key to the cache
*/
-static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
- const char *key, const char *value, apr_time_t expiry) {
+static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
+ const char *value, apr_time_t expiry) {
apr_file_t *fd = NULL;
apr_status_t rc = APR_SUCCESS;
char s_err[128];
/* get the fully qualified path to the cache file based on the key name */
- const char *path = oidc_cache_file_path(r, section, key);
+ const char *target = oidc_cache_file_path(r, section, key);
+ const char *path = apr_psprintf(r->pool, "%s.tmp", target);
/* only on writes (not on reads) we clean the cache first (if not done recently) */
oidc_cache_file_clean(r);
@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
/* just remove cache file if value is NULL */
if (value == NULL) {
if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
}
return TRUE;
}
/* try to open the cache file for writing, creating it if it does not exist */
- if ((rc = apr_file_open(&fd, path,
- (APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
- APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
+ APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+ oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
return FALSE;
}
/* lock the file and move the write pointer to the start of it */
apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
apr_off_t begin = 0;
+ apr_file_trunc(fd, begin);
apr_file_seek(fd, APR_SET, &begin);
/* construct the metadata for this cache entry in the header info */
@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
info.len = strlen(value) + 1;
/* write the header */
- if ((rc = oidc_cache_file_write(r, path, fd, &info,
- sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
+ if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
+ != APR_SUCCESS)
return FALSE;
/* next write the value */
- rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
+ rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
/* unlock and close the written file */
apr_file_unlock(fd);
apr_file_close(fd);
+ if (rename(path, target) != 0) {
+ oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
+ return FALSE;
+ }
+
/* log our success/failure */
- oidc_debug(r,
- "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
- (rc == APR_SUCCESS) ? "successfully stored" : "could not store",
- key, info.len);
+ oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
return (rc == APR_SUCCESS);
}

83
SOURCES/0005-CVE-2025-31492.patch
View File

@ -1,83 +0,0 @@
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig 2025-04-11 10:49:32.095915197 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c 2025-04-11 10:51:12.493949688 +0200
@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
rc = OK;
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig 2025-04-11 10:49:32.081518446 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h 2025-04-11 10:51:12.495521138 +0200
@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
/* parameter name of the callback URL in the discovery response */
#define OIDC_DISC_CB_PARAM "oidc_callback"
diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
--- mod_auth_openidc-2.4.9.4/src/proto.c.orig 2021-09-03 10:41:21.000000000 +0200
+++ mod_auth_openidc-2.4.9.4/src/proto.c 2025-04-11 10:51:12.495927318 +0200
@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
- "document.forms[0].submit", html_body, OK);
+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
}
void add_auth_request_params(request_rec *r, apr_table_t *params,
@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
- params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
authorization_request = oidc_util_http_query_encoded_url(r,
provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL,
NULL) == FALSE) {
@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;

1584
SOURCES/0006-string-compare.patch
View File

File diff suppressed because it is too large Load Diff

238
SPECS/mod_auth_openidc.spec
View File

@ -1,238 +0,0 @@
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}}
# Optionally build with hiredis if --with hiredis is passed
%{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}}
# It is an error if both or neither required options exist.
%{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}}
%{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
Name: mod_auth_openidc
Version: 2.4.9.4
Release: 8%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0
URL: https://github.com/zmartzone/mod_auth_openidc
Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
Patch1: 0001-CVE-2022-23527.patch
Patch2: 0002-CVE-2023-28625.patch
Patch3: 0003-CVE-2024-24814.patch
Patch4: 0004-race-condition.patch
Patch5: 0005-CVE-2025-31492.patch
Patch6: 0006-string-compare.patch
BuildRequires: gcc
BuildRequires: httpd-devel
BuildRequires: openssl-devel
BuildRequires: curl-devel
BuildRequires: jansson-devel
BuildRequires: pcre-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: cjose-devel
BuildRequires: jq-devel
%{?_with_hiredis:BuildRequires: hiredis-devel}
Requires: httpd-mmn = %{_httpd_mmn}
Requires: cjose >= 0.6.1
%description
This module enables an Apache 2.x web server to operate as
an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep
%autosetup -p1
%build
# workaround rpm-buildroot-usage
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
autoreconf
%configure \
--with-jq=/usr/lib64/ \
%{?_with_hiredis} \
%{?_without_hiredis} \
--with-apxs2=%{_httpd_apxs}
%{make_build}
%check
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
make test
%install
mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
$RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir}
install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir}
# Adjust httpd cache location in install config file
sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc LICENSE.txt
%else
%license LICENSE.txt
%endif
%doc ChangeLog
%doc AUTHORS
%doc README.md
%{_httpd_moddir}/mod_auth_openidc.so
%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf
%config(noreplace) %attr(0640, root, apache) %{_httpd_confdir}/auth_openidc.conf
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
* Fri Apr 25 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-8
- Resolves: RHEL-87759 - Empty POST causes crash with OIDCPreservePost
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-7
- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
POSTs to leak protected data (CVE-2025-31492)
* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
- Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
- Resolves: RHEL-25421 mod_auth_openidc: DoS when using
`OIDCSessionType client-cookie` and manipulating cookies
(CVE-2024-24814)
* Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5
Related: rhbz#2141850 - fix cjose version dependency
* Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4
Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default
* Tue Apr 11 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-3
- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference
when OIDCStripCookies is set and a crafted Cookie header is supplied
* Tue Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2
- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in
oidc_validate_redirect_url() using tab character
* Fri Apr 8 2022 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
- Resolves: rhbz#2025368 - Rebase to new version
* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-11
- Resolves: rhbz#1987222 - CVE-2021-32792 XSS when using OIDCPreservePost On
* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-10
- Resolves: rhbz#1987216 - CVE-2021-32791 hardcoded static IV and AAD with a
reused key in AES GCM encryption [rhel-8] (edit)
* Fri Oct 29 2021 Tomas Halman <thalman@redhat.com> - 2.3.7-9
- Resolves: rhbz#2001853 - CVE-2021-39191 open redirect by supplying a crafted URL
in the target_link_uri parameter
* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-8
- Resolves: rhbz#1823756 - Backport SameSite=None cookie from
mod_auth_openidc upstream to support latest browsers
* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-7
- Resolves: rhbz#1897992 - OIDCStateInputHeaders &
OIDCStateMaxNumberOfCookies in existing
mod_auth_openidc version
- Backport the OIDCStateMaxNumberOfCookies option
- Configure which header value is used to calculate the fingerprint of
the auth state
* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-6
- Fix the previous backport
- Related: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
Open redirect in logout url when using URLs with
leading slashes
- Related: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
open redirect issue exists in URLs with slash and
backslash
* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-5
- Resolves: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
Open redirect in logout url when using URLs with
leading slashes
- Resolves: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
open redirect issue exists in URLs with slash and
backslash
* Thu Aug 16 2018 <jdennis@redhat.com> - 2.3.7-3
- Resolves: rhbz# 1614977 - fix unit test segfault,
the problem was not limited exclusively to s390x, but s390x provoked it.
* Fri Aug 10 2018 <jdennis@redhat.com> - 2.3.7-2
- disable running check on s390x
* Wed Aug 1 2018 <jdennis@redhat.com> - 2.3.7-1
- upgrade to upstream 2.3.7
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 23 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.3.5-1
- Rebase to 2.3.5
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.8.10.1-7
- Escape macros in %%changelog
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 18 2017 John Dennis <jdennis@redhat.com> - 1.8.10.1-3
- Resolves: #1423956 fails to build with openssl 1.1.x
Also rolls up all fixes to jose library before the change over to cjose
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jul 12 2016 John Dennis <jdennis@redhat.com> - 1.8.10.1-1
- Upgrade to new upstream
See /usr/share/doc/mod_auth_openidc/ChangeLog for details
* Tue Mar 29 2016 John Dennis <jdennis@redhat.com> - 1.8.8-4
- Add %%check to run test
* Wed Mar 23 2016 John Dennis <jdennis@redhat.com> - 1.8.8-3
- Make building with redis support optional (defaults to without)
* Mon Mar 21 2016 John Dennis <jdennis@redhat.com> - 1.8.8-2
- Add missing unpackaged files/directories
Add to doc: README.md, DISCLAIMER, AUTHORS
Add to httpd/conf.d: auth_openidc.conf
Add to /var/cache: /var/cache/httpd/mod_auth_openidc/cache
/var/cache/httpd/mod_auth_openidc/metadata
* Thu Mar 10 2016 Jan Pazdziora <jpazdziora@redhat.com> 1.8.8-1
- Update to 1.8.8 (#1316528)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jan 09 2016 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 1.8.7-1
- Update to 1.8.7 (#1297080)
* Sat Nov 07 2015 Jan Pazdziora <jpazdziora@redhat.com> 1.8.6-1
- Initial packaging for Fedora 23.

333
mod_auth_openidc.spec Normal file
View File

@ -0,0 +1,333 @@
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}}
# Optionally build with hiredis if --with hiredis is passed
%{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}}
# It is an error if both or neither required options exist.
%{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}}
%{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
Name: mod_auth_openidc
Version: 2.4.15
Release: 4%{?dist}.1
Summary: OpenID Connect auth module for Apache HTTP Server
License: Apache-2.0
URL: https://github.com/OpenIDC/mod_auth_openidc
Source0: https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
Patch0: 0001-CVE-2024-24814.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: httpd-devel
BuildRequires: openssl-devel
BuildRequires: curl-devel
BuildRequires: jansson-devel
BuildRequires: pcre2-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: cjose-devel
BuildRequires: jq-devel
%{?_with_hiredis:BuildRequires: hiredis-devel}
Requires: httpd-mmn = %{_httpd_mmn}
%description
This module enables an Apache 2.x web server to operate as
an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep
%autosetup -p1
%build
# workaround rpm-buildroot-usage
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
autoreconf -vfi
%configure \
--with-jq=/usr/lib64/ \
%{?_with_hiredis} \
%{?_without_hiredis} \
--with-apxs2=%{_httpd_apxs}
%{make_build}
# (jhrozek): temporarily disable make check to work around a FTBFS issue
%check
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
%{make_build} test
%install
mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
make install DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
$RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir}
install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir}
# Adjust httpd cache location in install config file
sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc LICENSE.txt
%else
%license LICENSE.txt
%endif
%doc ChangeLog
%doc AUTHORS
%doc README.md
%{_httpd_moddir}/mod_auth_openidc.so
%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf
%config(noreplace) %{_httpd_confdir}/auth_openidc.conf
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.15-4%{?dist}.1
Resolves: RHEL-86212 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
POSTs to leak protected data (CVE-2025-31492)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.15-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue Jun 25 2024 Tomas Halman <thalman@redhat.com> - 2.4.15-3
Add gating tests
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.15-2
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Tomas Halman <thalman@redhat.com> - 2.4.15-1
Rebase to version 2.4.15
- Resolves: rhbz#2244098 - mod_auth_openidc-2.4.15 is available
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.14.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.14.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Oct 5 2023 Tomas Halman <thalman@redhat.com> - 2.4.14.3-1
Rebase to 2.4.14.3 version
- Resolves: rhbz#2204524 - mod_auth_openidc-2.4.14.3 is available
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.13.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Apr 5 2023 Tomas Halman <thalman@redhat.com> - 2.4.13.2-1
Rebase to 2.4.13.2 version
- Resolves: rhbz#2184157 - mod_auth_openidc-2.4.13.2 is available
* Tue Mar 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.13.1-1
Rebase to 2.4.13.1 version
- Resolves: rhbz#2177413 - mod_auth_openidc-2.4.13.1 is available
* Tue Mar 7 2023 Tomas Halman <thalman@redhat.com> - 2.4.12.3-2
migrated to SPDX license
* Tue Feb 28 2023 Tomas Halman <thalman@redhat.com> - 2.4.12.3-1
Rebase to 2.4.12.3 version
- Resolves: rhbz#2164064 - mod_auth_openidc-2.4.12.3 is available
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.12.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 16 2022 Tomas Halman <thalman@redhat.com> - 2.4.12.2-1
Rebase to 2.4.12.2 version
- Resolves: rhbz#2153658 - CVE-2022-23527 mod_auth_openidc: Open Redirect in
oidc_validate_redirect_url() using tab character
* Thu Sep 22 2022 Tomas Halman <thalman@redhat.com> - 2.4.11.2-3
- Resolves: rhbz#2128328 - Port pcre dependency to pcre2
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.11.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jun 23 2022 Tomas Halman <thalman@redhat.com> - 2.4.11.2-1
- Resolves: rhbz#2082376 - New version 2.4.11.2 available
* Mon Apr 11 2022 Tomas Halman <thalman@redhat.com> - 2.4.11.1-1
- Resolves: rhbz#1996926 - New version 2.4.11.1 available
* Thu Mar 31 2022 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
- Resolves: rhbz#2001647 - CVE-2021-39191 mod_auth_openidc: open redirect
by supplying a crafted URL in the target_link_uri
parameter
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.9.1-2
- Rebuilt with OpenSSL 3.0.0
* Wed Aug 18 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9.1-1
- New upstream release
- Resolves: rhbz#1993566 - mod_auth_openidc-2.4.9.1 is available
* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9-1
- Resolves: rhbz#1985153 - mod_auth_openidc-2.4.9 is available
- Resolves: rhbz#1986103 - CVE-2021-32786 mod_auth_openidc: open redirect
in oidc_validate_redirect_url()
- Resolves: rhbz#1986396 - CVE-2021-32791 mod_auth_openidc: hardcoded
static IV and AAD with a reused key in AES GCM
encryption
- Resolves: rhbz#1986398 - CVE-2021-32792 mod_auth_openidc: XSS when using
OIDCPreservePost On
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 2 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.8.3-1
- New upstream release
- Resolves: rhbz#1966756 - mod_auth_openidc-2.4.8.3 is available
* Mon May 10 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.8.2-1
- New upstream release
- Resolves: rhbz#1958466 - mod_auth_openidc-2.4.8.2 is available
* Thu May 6 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.7.2-1
- New upstream release
- Resolves: rhbz#1900913 - mod_auth_openidc-2.4.7.2 is available
* Fri Apr 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.4.1-3
- Remove unnecessary LTO patch
* Fri Feb 26 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4.1-1
- Temporarily disable check to get around a FTBFS issue (#1923374)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Sep 4 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4.1-1
- New upstream version 2.4.4.1
* Tue Sep 1 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4-1
- New upstream version 2.4.4
* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-5
- update to use correct apxs via _httpd_apxs macro
* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-4
- work around LTO build failure
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.3
- New upstream version 2.4.3
* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.2.1-1
- New upstream version 2.4.2.1
- Resolves: rhbz#1805104 - CVE-2019-20479 mod_auth_openidc: open redirect
issue exists in URLs with slash and backslash
[fedora-all]
- Resolves: rhbz#1816883 - mod_auth_openidc-2.4.2.1 is available
* Thu Feb 13 2020 Tom Stellard <tstellar@redhat.com> - 2.4.1-2
- Use make_build macro instead of just make
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
* Mon Feb 3 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.1-1
- New upstream version 2.4.1
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Nov 21 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.4-1
- New upstream version 2.4.0.4
* Fri Oct 4 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.3-1
- New upstream version 2.4.0.3
* Fri Aug 23 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0
- New upstream version 2.4.0
- Resolves: rhbz#1374884 - mod_auth_openidc-2.4.0 is available
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Aug 16 2018 <jdennis@redhat.com> - 2.3.7-3
- update test-segfault.patch to match upstream
* Tue Aug 14 2018 <jdennis@redhat.com> - 2.3.7-2
- Resolves: rhbz# 1614977 - fix unit test segfault,
the problem was not limited exclusively to s390x, but s390x provoked it.
* Wed Aug 1 2018 <jdennis@redhat.com> - 2.3.7-1
- upgrade to upstream 2.3.7
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 23 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.3.5-1
- Rebase to 2.3.5
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.8.10.1-7
- Escape macros in %%changelog
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 18 2017 John Dennis <jdennis@redhat.com> - 1.8.10.1-3
- Resolves: #1423956 fails to build with openssl 1.1.x
Also rolls up all fixes to jose library before the change over to cjose
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jul 12 2016 John Dennis <jdennis@redhat.com> - 1.8.10.1-1
- Upgrade to new upstream
See /usr/share/doc/mod_auth_openidc/ChangeLog for details
* Tue Mar 29 2016 John Dennis <jdennis@redhat.com> - 1.8.8-4
- Add %%check to run test
* Wed Mar 23 2016 John Dennis <jdennis@redhat.com> - 1.8.8-3
- Make building with redis support optional (defaults to without)
* Mon Mar 21 2016 John Dennis <jdennis@redhat.com> - 1.8.8-2
- Add missing unpackaged files/directories
Add to doc: README.md, DISCLAIMER, AUTHORS
Add to httpd/conf.d: auth_openidc.conf
Add to /var/cache: /var/cache/httpd/mod_auth_openidc/cache
/var/cache/httpd/mod_auth_openidc/metadata
* Thu Mar 10 2016 Jan Pazdziora <jpazdziora@redhat.com> 1.8.8-1
- Update to 1.8.8 (#1316528)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jan 09 2016 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 1.8.7-1
- Update to 1.8.7 (#1297080)
* Sat Nov 07 2015 Jan Pazdziora <jpazdziora@redhat.com> 1.8.6-1
- Initial packaging for Fedora 23.

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (mod_auth_openidc-2.4.15.tar.gz) = d29f5d04b5e1ce38d346803efedddfcebdb4b6b634a8e48a33331f009065ea887d9972ba9383c8719da7797c4f7f1d8adc7802dfef65715c84eb84813a18964e