Revisions of apache2-mod_auth_mellon
buildservice-autocommit
accepted
request 1166661
from
Danilo Spinella (dspinella)
(revision 12)
baserev update by copy to link target
Danilo Spinella (dspinella)
accepted
request 1161425
from
Petr Gajdos (pgajdos)
(revision 11)
- version update to 0.19.0
  Enhancements:
  * Support for HTTP-POST binding on Single Logout endpoint.
  * Update documentation.
  Cleanup:
  * Raise minimum Lasso version to 2.4, cleaning up legacy code for compatibility with older versions, including the obsolete `MellonIdPPublicKeyFile` setting which was not working with recent Lasso versions.
Danilo Spinella (dspinella)
accepted
request 1101582
from
Matthias Eliasson (elimat)
(revision 10)
- Update to 0.18.1
  * Logout endpoint should handle idP POST response
  * mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
  * Add some clarification to the documentation
  * Add encryption certificate to generated metadata
- Changes in 0.18.0
  * CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying a URL formatted as ///fishing-site.example.com/logout.html. In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html This version fixes that issue by rejecting all URLs that start with "///".
  * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds.
  * Several build-time fixes
  * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed.
- add libtool and xmlsec1-openssl-devel as new dependencies
- set Buildarch to noarch for docs sub-package
buildservice-autocommit
accepted
request 975328
from
Petr Gajdos (pgajdos)
(revision 9)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 975249
from
Archie Cobbs (archie172)
(revision 8)
- Wrap default config in <IfModule> to avoid reload error
buildservice-autocommit
accepted
request 833494
from
Kristyna Streitova (kstreitova)
(revision 7)
baserev update by copy to link target
Kristyna Streitova (kstreitova)
accepted
request 833493
from
Kristyna Streitova (kstreitova)
(revision 6)
- Update to 0.17.0
  * New option MellonSendExpectHeader (default On) which makes it possible to disable sending the Expect header in the HTTP-Artifact binding to improve performance when the remote party does not support this header.
  * Set SameSite attribute to None on the cookietest cookie.
  * Bump default generated keysize to 3072 bits in mellon_create_metadata
  * Validate if the assertion ID has not been used earlier before creating a new session.
  * Release session cache after calling invalidate endpoint.
  * In MellonCond directives, fix a bug that setting the NC option would also activate substring match and that REG would activate REF.
  * Fix MellonCond substring match to actually match the substring on the attribute value
buildservice-autocommit
accepted
request 811402
from
Kristyna Streitova (kstreitova)
(revision 5)
baserev update by copy to link target
Kristyna Streitova (kstreitova)
accepted
request 811401
from
Kristyna Streitova (kstreitova)
(revision 4)
- update mod_auth_mellon-0.16.0-env-script-interpreter.patch
  use /bin/bash instead of /usr/bin/bash
Dominique Leuenberger (dimstar_suse)
accepted
request 802733
from
Kristyna Streitova (kstreitova)
(revision 3)
initialized devel package after accepting 802733
Kristyna Streitova (kstreitova)
committed
(revision 2)
- replace version_path with the fixed value
Kristyna Streitova (kstreitova)
accepted
request 802704
from
Kristyna Streitova (kstreitova)
(revision 1)
A SAML 2.0 authentication module for the Apache Server
Displaying all 12 revisions