mod_auth_openidc/SPECS/mod_auth_openidc.spec

254 lines
9.9 KiB
RPMSpec

%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}}
# Optionally build with hiredis if --with hiredis is passed
%{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}}
# It is an error if both or neither required options exist.
%{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}}
%{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
Name: mod_auth_openidc
Version: 2.3.7
Release: 11%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server
Group: System Environment/Daemons
License: ASL 2.0
URL: https://github.com/zmartzone/mod_auth_openidc
Source0: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
Patch1: test-segfault.patch
Patch2: 0002-Backport-of-improve-validation-of-the-post-logout-UR.patch
Patch3: 0003-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
Patch4: 0004-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
Patch5: 0005-Fix-the-previous-backports.patch
Patch6: 0006-add-OIDCStateMaxNumberOfCookies-to-limit-nr-of-state.patch
Patch7: 0007-set-boundaries-on-min-and-max-values-on-number-of-pa.patch
Patch8: 0008-make-the-default-max-number-of-state-cookies-7-inste.patch
Patch9: 0009-don-t-return-content-with-503-see-331.patch
Patch10: 0010-improve-auto-detection-of-XMLHttpRequests-via-Accept.patch
Patch11: 0011-oops-document-OIDCStateMaxNumberOfCookies-for-releas.patch
Patch12: 0012-optionally-delete-the-oldest-state-cookie-s-see-399.patch
Patch13: 0013-Allow-configuring-which-header-value-is-used-to-calc.patch
Patch14: 0014-add-value-of-OIDC_SET_COOKIE_APPEND-env-var-to-Set-C.patch
Patch15: 0015-pick-OIDC_SET_COOKIE_APPEND-over-ext-passed-in-to-oi.patch
Patch16: 0016-always-add-a-SameSite-value-to-the-Set-Cookie-header.patch
Patch17: 0017-fix-also-add-SameSite-None-to-by-value-session-cooki.patch
Patch18: 0018-add-note-on-usage-of-OIDC_SET_COOKIE_APPEND-in-the-s.patch
Patch19: 0019-add-SameSite-attribute-on-cookie-clearance-logout.patch
Patch20: 0020-prevent-open-redirect-on-refresh-token-requests-rele.patch
Patch21: 0021-prevent-XSS-and-open-redirect-on-OIDC-session-manage.patch
Patch22: 0022-replace-potentially-harmful-backslashes-with-forward.patch
Patch23: 0023-apply-OIDCRedirectURLsAllowed-setting-to-target_link.patch
Patch24: 0024-use-encrypted-JWTs-for-storing-encrypted-cache-conte.patch
Patch25: 0025-avoid-XSS-vulnerability-when-using-OIDCPreservePost-.patch
Patch26: 0026-Add-a-function-to-escape-Javascript-characters.patch
BuildRequires: gcc
BuildRequires: httpd-devel
BuildRequires: openssl-devel
BuildRequires: curl-devel
BuildRequires: jansson-devel
BuildRequires: pcre-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: cjose-devel
BuildRequires: jq-devel
%{?_with_hiredis:BuildRequires: hiredis-devel}
Requires: httpd-mmn = %{_httpd_mmn}
%description
This module enables an Apache 2.x web server to operate as
an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%build
# workaround rpm-buildroot-usage
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
autoreconf
%configure \
--with-jq=/usr/lib64/ \
%{?_with_hiredis} \
%{?_without_hiredis}
make %{?_smp_mflags}
%check
export MODULES_DIR=%{_httpd_moddir}
export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
make test
%install
mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
$RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf
install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir}
install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir}
# Adjust httpd cache location in install config file
sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata
install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc LICENSE.txt
%else
%license LICENSE.txt
%endif
%doc ChangeLog
%doc AUTHORS
%doc README.md
%{_httpd_moddir}/mod_auth_openidc.so
%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf
%config(noreplace) %{_httpd_confdir}/auth_openidc.conf
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-11
- Resolves: rhbz#1987222 - CVE-2021-32792 XSS when using OIDCPreservePost On
* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-10
- Resolves: rhbz#1987216 - CVE-2021-32791 hardcoded static IV and AAD with a
reused key in AES GCM encryption [rhel-8] (edit)
* Fri Oct 29 2021 Tomas Halman <thalman@redhat.com> - 2.3.7-9
- Resolves: rhbz#2001853 - CVE-2021-39191 open redirect by supplying a crafted URL
in the target_link_uri parameter
* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-8
- Resolves: rhbz#1823756 - Backport SameSite=None cookie from
mod_auth_openidc upstream to support latest browsers
* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-7
- Resolves: rhbz#1897992 - OIDCStateInputHeaders &
OIDCStateMaxNumberOfCookies in existing
mod_auth_openidc version
- Backport the OIDCStateMaxNumberOfCookies option
- Configure which header value is used to calculate the fingerprint of
the auth state
* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-6
- Fix the previous backport
- Related: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
Open redirect in logout url when using URLs with
leading slashes
- Related: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
open redirect issue exists in URLs with slash and
backslash
* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-5
- Resolves: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
Open redirect in logout url when using URLs with
leading slashes
- Resolves: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
open redirect issue exists in URLs with slash and
backslash
* Thu Aug 16 2018 <jdennis@redhat.com> - 2.3.7-3
- Resolves: rhbz# 1614977 - fix unit test segfault,
the problem was not limited exclusively to s390x, but s390x provoked it.
* Fri Aug 10 2018 <jdennis@redhat.com> - 2.3.7-2
- disable running check on s390x
* Wed Aug 1 2018 <jdennis@redhat.com> - 2.3.7-1
- upgrade to upstream 2.3.7
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 23 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.3.5-1
- Rebase to 2.3.5
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.8.10.1-7
- Escape macros in %%changelog
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 18 2017 John Dennis <jdennis@redhat.com> - 1.8.10.1-3
- Resolves: #1423956 fails to build with openssl 1.1.x
Also rolls up all fixes to jose library before the change over to cjose
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jul 12 2016 John Dennis <jdennis@redhat.com> - 1.8.10.1-1
- Upgrade to new upstream
See /usr/share/doc/mod_auth_openidc/ChangeLog for details
* Tue Mar 29 2016 John Dennis <jdennis@redhat.com> - 1.8.8-4
- Add %%check to run test
* Wed Mar 23 2016 John Dennis <jdennis@redhat.com> - 1.8.8-3
- Make building with redis support optional (defaults to without)
* Mon Mar 21 2016 John Dennis <jdennis@redhat.com> - 1.8.8-2
- Add missing unpackaged files/directories
Add to doc: README.md, DISCLAIMER, AUTHORS
Add to httpd/conf.d: auth_openidc.conf
Add to /var/cache: /var/cache/httpd/mod_auth_openidc/cache
/var/cache/httpd/mod_auth_openidc/metadata
* Thu Mar 10 2016 Jan Pazdziora <jpazdziora@redhat.com> 1.8.8-1
- Update to 1.8.8 (#1316528)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jan 09 2016 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 1.8.7-1
- Update to 1.8.7 (#1297080)
* Sat Nov 07 2015 Jan Pazdziora <jpazdziora@redhat.com> 1.8.6-1
- Initial packaging for Fedora 23.