[pkgsrc/trunk]: pkgsrc Updated www/ap2-auth-mellon to 0.14.0

[manu <manu%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/f980b74373de
branches:  trunk
changeset: 307263:f980b74373de
user:      manu <manu%pkgsrc.org@localhost>
date:      Fri May 04 02:53:38 2018 +0000
description:
Updated www/ap2-auth-mellon to 0.14.0

Changes since 0.12.0 include a fix for CVE-2017-6807

Version 0.14.0
==============

* Backwards incompatible changes

  This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

* New features

    Many improvements in what is logged during various errors.

    Diagnostics logging, which creates a detailed log during request
    processing.

    Add support for selecting which signature algorithm is used when
    signing messages, and switch to rsa-sha256 by default.

* Bug fixes

    Fix segmentation fault in POST replay functionality on empty value.

    Fix incorrect error check for many lasso_*-functions.

    Fix case sensitive match on MellonUser attribute name.


Version 0.13.1
==============

* Security fix

  Fix a cross-site session transfer vulnerability. mod_auth_mellon
  version 0.13.0 and older failed to validate that the session
  specified in the user's session cookie was created for the web site
  the user actually accesses.

  If two different web sites are hosted on the same web server, and
  both web sites use mod_auth_mellon for authentication, this
  vulnerability makes it possible for an attacker with access to one
  of the web sites to copy their session cookie to the other web
  site, and then use the same session to get access to the other web
  site.

  Thanks to Fran?ois Kooman for reporting this vulnerability.

  This vulnerability has been assigned CVE-2017-6807.

  Note: The fix for this vunlerability makes mod_auth_mellon validate
  that the cookie parameters used when creating the session match
  the cookie parameters that should be used when accessing the current
  page. If you currently use mod_auth_mellon across multiple subdomains,
  you must make sure that you set the MellonCookie-option to the same
  value on all domains.  Bug fixes

    Fix segmentation fault if a (trusted) identity provider returns
    a SAML 2.0 attribute without a Name.

    Fix segmentation fault if MellonPostReplay is enabled but
    MellonPostDirectory is not set.

Version 0.13.0
==============

* Security fix

  Fix a denial of service attack in the logout handler, which allows
  a remote attacker to crash the Apache worker process with a
  segmentation fault. This is caused by a null-pointer dereference
  when processing a malformed logout message.  New features

    Allow MellonSecureCookie to be configured to enable just one
    of the "httponly" of "secure" flags, instead of always enabling
    both flags.
    Support per-module log level with Apache 2.4.
    Allow disabling the Cache-Control HTTP response header.
    Add support for SameSite cookie parameter.

* Bug fixes

    Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
    respond to the probe request.
    Fix mod_auth_mellon interfering with other Apache authentication
    modules even when it is disabled for a path.
    Fix wrong HTTP status code being returned in some cases during
    user permission checks.
    Fix default POST size limit to actually be 1 MB.
    Fix error if authentication response is missing the optional
    Conditions-element.
    Fix AJAX requests being redirected to the IdP.
    Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.

diffstat:

 doc/CHANGES-2018                       |   3 +-
 www/ap2-auth-mellon/MESSAGE            |  19 +++++++-
 www/ap2-auth-mellon/Makefile           |   6 +-
 www/ap2-auth-mellon/distinfo           |  12 ++---
 www/ap2-auth-mellon/patches/patch-0274 |  55 ---------------------------
 www/ap2-auth-mellon/patches/patch-0347 |  69 ----------------------------------
 6 files changed, 26 insertions(+), 138 deletions(-)

diffs (216 lines):

diff -r efd3dfa7c6cf -r f980b74373de doc/CHANGES-2018
--- a/doc/CHANGES-2018  Thu May 03 23:02:49 2018 +0000
+++ b/doc/CHANGES-2018  Fri May 04 02:53:38 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2018,v 1.2155 2018/05/03 23:02:49 wiz Exp $
+$NetBSD: CHANGES-2018,v 1.2156 2018/05/04 02:53:38 manu Exp $
 
 Changes to the packages collection and infrastructure in 2018:
 
@@ -3013,3 +3013,4 @@
        Updated lang/nodejs to 10.0.0 [fhajny 2018-05-03]
        Added security/ruby-openssl-ccm version 1.2.1 [minskim 2018-05-03]
        Updated net/wireshark to 2.6.0nb1 [wiz 2018-05-03]
+       Updated www/ap2-auth-mellon to 0.14.0 [manu 2018-05-04]
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/MESSAGE
--- a/www/ap2-auth-mellon/MESSAGE       Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/MESSAGE       Fri May 04 02:53:38 2018 +0000
@@ -1,12 +1,26 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.3 2015/04/01 14:08:13 manu Exp $
+$NetBSD: MESSAGE,v 1.4 2018/05/04 02:53:38 manu Exp $
 
 In order to use this module in your Apache installation, you need to
 add the following to your httpd.conf file:
 
   LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
 
-If upgrading from version prior 0.6.0, please not the following
+If upgrading from version prior 0.14.0, please note the following
+backward-incompatible change:
+
+* This version switches the default signature algorithm used when
+  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
+  allow messages to be signed with that algorithm, you need to add a
+  setting switching back to the old algorithm:
+  
+  MellonSignatureMethod rsa-sha1
+  
+  Note that this only affects messages sent from mod_auth_mellon to your
+  IdP. It does not affect authentication responses or other messages
+  sent from your IdP to mod_auth_mellon.
+
+If upgrading from version prior 0.6.0, please note the following
 backward-incompatible changes:
 
 * The POST replay functionality has been disabled by default, and the
@@ -29,5 +43,4 @@
   startup. (Apache can normally create files in that directory
   during startup.)
 
-
 ===========================================================================
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/Makefile
--- a/www/ap2-auth-mellon/Makefile      Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/Makefile      Fri May 04 02:53:38 2018 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.43 2018/04/29 21:32:07 adam Exp $
+# $NetBSD: Makefile,v 1.44 2018/05/04 02:53:38 manu Exp $
 
-DISTNAME=      mod_auth_mellon-0.12.0
+DISTNAME=      mod_auth_mellon-0.14.0
 PKGNAME=       ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
-PKGREVISION=   8
+#PKGREVISION=  1
 CATEGORIES=    www security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=UNINETT/}/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/distinfo
--- a/www/ap2-auth-mellon/distinfo      Thu May 03 23:02:49 2018 +0000
+++ b/www/ap2-auth-mellon/distinfo      Fri May 04 02:53:38 2018 +0000
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.18 2017/03/23 17:07:01 joerg Exp $
+$NetBSD: distinfo,v 1.19 2018/05/04 02:53:38 manu Exp $
 
-SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
-RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
-SHA512 (mod_auth_mellon-0.12.0.tar.gz) = 91e47509cfab9c6b472226aea79ff0120e71f80262d3b17a31ac691af4aacf58016741255409ec3272e54849efcde7c04f76dcc9670ee921503c8589656e8244
-Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
-SHA1 (patch-0274) = b5dfdd4b944c3d2c3bf47cfb97869aa57c32ea68
-SHA1 (patch-0347) = d14d5a20d05fae3962e5168a0b23ab55835452ca
+SHA1 (mod_auth_mellon-0.14.0.tar.gz) = 4a93f8b093e1dea20e8a286931693c614903f2d9
+RMD160 (mod_auth_mellon-0.14.0.tar.gz) = 71a25b4fb1e9a6183a51225b588b10d330d84903
+SHA512 (mod_auth_mellon-0.14.0.tar.gz) = db1bf70c234fe89914b1bb34fc6afb5b901193a8c8c7e9946485a3e20a7d129c36427717eab53764edf5a5cff5c45dfe412e400cb1f50c49ef24dbbfd6ecbf25
+Size (mod_auth_mellon-0.14.0.tar.gz) = 948785 bytes
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/patches/patch-0274
--- a/www/ap2-auth-mellon/patches/patch-0274    Thu May 03 23:02:49 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-$NetBSD: patch-0274,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From fe0eb56e29f89513b2dcf3c222fa3a2e8a09383f Mon Sep 17 00:00:00 2001
-From: Olav Morken <olav.morken%uninett.no@localhost>
-Date: Mon, 14 Mar 2016 09:47:48 +0100
-Subject: [PATCH 274/274] Return 500 Internal Server Error if probe discovery
- fails.
-
-If we don't, we can end up sending an authentication request to an IdP
-that is not in the MellonProbeDiscoveryIdP list, which is probably not
-what the user wants.
-
-Patch by Emmanuel Dreyfus.
----
- README                |  3 +++
- auth_mellon_handler.c | 10 +++++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/README b/README
-index 638329c..4e4f229 100644
---- README
-+++ README
-@@ -471,6 +471,9 @@ MellonPostCount 100
- 
-         # MellonProbeDiscoveryIdP can be used to restrict the 
-         # list of IdP queried by the IdP probe discovery service.
-+        # If probe discovery fails and this is provided, an
-+        # HTTP error 500 is returned, instead of proceeding
-+        # with first available IdP.
-         #
-         # Default unset, which means that all configured IdP are 
-         # queried.
-diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
-index 7f4b73a..a72e1ca 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
-     }
- 
-     /* 
--     * On failure, try default
-+     * On failure, fail if a MellonProbeDiscoveryIdP
-+     * list was provided, otherwise try first IdP.
-      */
-     if (disco_idp == NULL) {
-+        if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
-+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                          "probeDiscovery failed and non empty "
-+                          "MellonProbeDiscoveryIdP was provided.");
-+            return HTTP_INTERNAL_SERVER_ERROR;
-+        }
-+
-         disco_idp = am_first_idp(r);
-         if (disco_idp == NULL) {
-             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
diff -r efd3dfa7c6cf -r f980b74373de www/ap2-auth-mellon/patches/patch-0347
--- a/www/ap2-auth-mellon/patches/patch-0347    Thu May 03 23:02:49 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-$NetBSD: patch-0347,v 1.2 2016/10/27 12:53:13 manu Exp $
-
-From 78fe67641918016a6108e325be351156999109c9 Mon Sep 17 00:00:00 2001
-From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
-Date: Tue, 18 Oct 2016 01:42:53 +0200
-Subject: [PATCH] Do not redirect unauthenticated AJAX request to the IdP
-
-When MellonEnable is "auth" and we get an unauthenticated AJAX
-request (identified by the X-Request-With: XMLHttpRequest HTTP
-header), fail with HTTP code 403 Forbidden instead of redirecting
-to the IdP. This saves resources, as the client has no opportunity
-to interract with the user to complete authentification.
----
- README                |  6 ++++++
- auth_mellon_handler.c | 14 ++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git README README
-index ec323ab..5960cc8 100644
---- README
-+++ README
-@@ -166,6 +166,12 @@ MellonPostCount 100
-         #           return a 403 Forbidden error. If he isn't authenticated
-         #           then we will redirect him to the login page of the IdP.
-         #
-+        #           There is a special handling of AJAX requests, that are
-+        #           identified by the "X-Request-With: XMLHttpRequest" HTTP
-+        #           header. Since no user interaction can happen there,
-+        #           we always fail unauthenticated (not logged in) requests
-+        #           with a 403 Forbidden error without redirecting to the IdP.
-+        #
-         # Default: MellonEnable "off"
-         MellonEnable "auth"
- 
-diff --git auth_mellon_handler.c auth_mellon_handler.c
-index 0457189..a55828a 100644
---- auth_mellon_handler.c
-+++ auth_mellon_handler.c
-@@ -3491,6 +3491,7 @@ int am_auth_mellon_user(request_rec *r)
-     am_dir_cfg_rec *dir = am_get_dir_cfg(r);
-     int return_code = HTTP_UNAUTHORIZED;
-     am_cache_entry_t *session;
-+    const char *ajax_header;
- 
-     if (r->main) {
-         /* We are a subrequest. Trust the main request to have
-@@ -3534,6 +3535,19 @@ int am_auth_mellon_user(request_rec *r)
-                 am_release_request_session(r, session);
-             }
- 
-+            /*
-+             * If this is an AJAX request, we cannot proceed to the IdP,
-+             * Just fail early to save our resources
-+             */
-+            ajax_header = apr_table_get(r->headers_in, "X-Request-With");
-+            if (ajax_header != NULL &&
-+                strcmp(ajax_header, "XMLHttpRequest") == 0) {
-+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-+                      "Deny unauthenticated X-Request-With XMLHttpRequest "
-+                      "(AJAX) request");
-+                    return HTTP_FORBIDDEN;
-+            }
-+
- #ifdef HAVE_ECP
-             /*
-              * If PAOS set a flag on the request indicating we're
--- 
-2.3.2
-