./www/ap2-auth-mellon, SAML 2.0 authentication for Apache



Branch: CURRENT, Version: 0.12.0nb5, Package name: ap22-auth-mellon-0.12.0nb5, Maintainer: manu

mod_auth_mellon is an authentication module for Apache. It authenticates
the user against a SAML 2.0 IdP, and grants access to directories
depending on attributes received from the IdP.


Required to run:
[www/apache22] [www/curl] [security/lasso]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
RMD160: 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
Filesize: 133.549 KB



CVS history:


   2017-04-30 03:22:04 by Ryo ONODERA | Files touched by this commit (612) | Package updated
Log message:
Recursive revbump from boost update
   2017-03-23 18:07:02 by Joerg Sonnenberger | Files touched by this commit (219)
Log message:
Extend SHA512 checksums to various files I have on my local distfile
mirror.
   2017-01-01 17:06:40 by Adam Ciarcinski | Files touched by this commit (616) | Package updated
Log message:
Revbump after boost update
   2016-10-27 14:53:13 by Emmanuel Dreyfus | Files touched by this commit (4)
Log message:
Fix pkglint complaints
   2016-10-18 17:13:41 by Emmanuel Dreyfus | Files touched by this commit (3)
Log message:
Do not redirect unauthenticated AJAX request to the IdP

When MellonEnable is "auth" and we get an unauthenticated AJAX
request (identified by the X-Requested-With: XMLHttpRequest HTTP
header), fail with HTTP code 403 Forbidden instead of redirecting
to the IdP. This saves resources, as the client has no opportunity
to interact with the user to complete authentication.
   2016-10-07 20:26:14 by Adam Ciarcinski | Files touched by this commit (611) | Package updated
Log message:
Revbump post boost update
   2016-09-22 04:44:26 by Makoto Fujiwara | Files touched by this commit (1) | Package updated
Log message:
Update HOMEPAGE, previous was 404
   2016-03-14 10:58:57 by Emmanuel Dreyfus | Files touched by this commit (3) | Package updated
Log message:
Update mod_auth_mellon to 0.12.0

Fixes CVE-2016-2145 and CVE-2016-2146

Changes since 0.10.0 from NEWS file and patches/patch-0274

patch-0274
---------------------------------------------------------------------------
* Return 500 Internal Server Error if probe discovery fails.

Version 0.12.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.

In addition this release contains the following new features and fixes:

* Add MellonRedirectDomains option to limit the sites that
  mod_auth_mellon can redirect to. This option is enabled by default.

* Add support for ECP service options in PAOS requests.

* Fix AssertionConsumerService lookup for PAOS requests.

Version 0.11.1
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.

Version 0.11.0
---------------------------------------------------------------------------

* Add SAML 2.0 ECP support.

* The MellonDecode option has been disabled. It was used to decode
  attributes in a Feide-specific encoding that is no longer used.

* Set max-age=0 in Cache-Control header, to ensure that all browsers
  verify the data on each request.

* MellonMergeEnvVars On now accepts second optional parameter, the
  separator to be used instead of the default ';'.

* Add option MellonEnvVarsSetCount to specify if the number of values
  for any attribute should also be stored in environment variable
  suffixed _N.

* Add option MellonEnvVarsIndexStart to specify if environment variables
  for multi-valued attributes should start indexing with 0 (default) or
  with 1.

* Bugfixes:

  * Fix error about missing authentication with DirectoryIndex in
    Apache 2.4.