Revisions of apache2-mod_auth_mellon
buildservice-autocommit
accepted
request 1166661
from
Danilo Spinella (dspinella)
(revision 12)
Danilo Spinella (dspinella)
(revision 12)
baserev update by copy to link target
Danilo Spinella (dspinella)
accepted
request 1161425
from
Petr Gajdos (pgajdos)
(revision 11)
- version update to 0.19.0
Enhancements:
* Support for HTTP-POST binding on Singe Logout endpoint.
* Update documentation.
Cleanup:
* Raise minimum Lasso version to 2.4, cleaning up legacy code for
compatibility with older versions, including the obsolete
`MellonIdPPublicKeyFile` setting which was not working with recent
Lasso versions.
Danilo Spinella (dspinella)
accepted
request 1101582
from
Matthias Eliasson (elimat)
(revision 10)
- Update to 0.18.1
* Logout endpoint should handle idP POST response
* mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
* Add some clarification to the documentation
* Add encryption certificate to generated metadata
- Changes in 0.18.0
* CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and
older of mod_auth_mellon allows the redirect URL validation to be
bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html.
In this case, the browser would interpret the URL differently
than the APR parsing utility mellon uses and redirect to
fishing-site.example.com. This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
* A new option MellonSessionIdleTimeout that represents the amount of
time a user can be inactive before the user's session times out in seconds.
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure option
MellonCookieSameSite was set to something other than default. This is now fixed.
- add libtool and xmlsec1-openssl-devel as new dependencies
- set Buildarch to noarch for docs sub-package
buildservice-autocommit
accepted
request 975328
from
Petr Gajdos (pgajdos)
(revision 9)
Petr Gajdos (pgajdos)
(revision 9)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 975249
from
Archie Cobbs (archie172)
(revision 8)
- Wrap default config in <IfModule> to avoid reload error
buildservice-autocommit
accepted
request 833494
from
Kristyna Streitova (kstreitova)
(revision 7)
Kristyna Streitova (kstreitova)
(revision 7)
baserev update by copy to link target
Kristyna Streitova (kstreitova)
accepted
request 833493
from
Kristyna Streitova (kstreitova)
(revision 6)
- Update to 0.17.0
* New option MellonSendExpectHeader (default On) which allows to
disable sending the Expect header in the HTTP-Artifact binding to
improve performance when the remote party does not support this
header.
* Set SameSite attribute to None on on the cookietest cookie.
* Bump default generated keysize to 3072 bits in
mellon_create_metadata
* Validate if the assertion ID has not been used earlier before
creating a new session.
* Release session cache after calling invalidate endpoint.
* In MellonCond directives, fix a bug that setting the NC option
would also activate substring match and that REG would activate
REF.
* Fix MellonCond substring match to actually match the substring on
the attribute value
buildservice-autocommit
accepted
request 811402
from
Kristyna Streitova (kstreitova)
(revision 5)
Kristyna Streitova (kstreitova)
(revision 5)
baserev update by copy to link target
Kristyna Streitova (kstreitova)
accepted
request 811401
from
Kristyna Streitova (kstreitova)
(revision 4)
- update mod_auth_mellon-0.16.0-env-script-interpreter.patch use /bin/bash instead of /usr/bin/bash
Dominique Leuenberger (dimstar_suse)
accepted
request 802733
from
Kristyna Streitova (kstreitova)
(revision 3)
initialized devel package after accepting 802733
Kristyna Streitova (kstreitova)
accepted
request 802704
from
Kristyna Streitova (kstreitova)
(revision 1)
A SAML 2.0 authentication module for the Apache Server
Displaying all 12 revisions
