pkgsrc-Changes archive


CVS commit: [pkgsrc-2021Q3] pkgsrc/www/ap2-auth-mellon



Module Name:    pkgsrc
Committed By:   tm
Date:           Sat Nov 20 22:29:03 UTC 2021

Modified Files:
        pkgsrc/www/ap2-auth-mellon [pkgsrc-2021Q3]: Makefile distinfo

Log Message:
Pullup ticket #6533 - requested by bsiegert
www/ap2-auth-mellon: security fix

Revisions pulled up:
- www/ap2-auth-mellon/Makefile                                  1.66
- www/ap2-auth-mellon/distinfo                                  1.24

---
   Module Name:    pkgsrc
   Committed By:   manu
   Date:           Tue Nov  9 01:50:45 UTC 2021

   Modified Files:
           pkgsrc/doc: CHANGES-2021
           pkgsrc/www/ap2-auth-mellon: Makefile distinfo

   Log Message:
   Updated www/ap2-auth-mellon to 0.18.0

   Changes since 0.17 from NEWS file:

   Version 0.18.0
   ---------------------------------------------------------------------------

   Security fixes:

   * [CVE-2019-13038] Redirect URL validation bypass

     Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
     validation to be bypassed by specifying an URL formatted as
     "///fishing-site.example.com/logout.html". In this case, the browser
     would interpret the URL differently than the APR parsing utility
     mellon uses and redirect to fishing-site.example.com.
     This could be reproduced with:
        https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html

     This version fixes that issue by rejecting all URLs that start with "///".

   Enhancements:

   * A new option MellonSessionIdleTimeout that represents the amount of time
     a user can be inactive before the user's session times out in seconds.

   Bug fixes:

   * Several build-time fixes

   * The CookieTest SameSite attribute was only set to None if mellon configure
     option MellonCookieSameSite was set to something other than default.
     This is now fixed.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.64.4.1 pkgsrc/www/ap2-auth-mellon/Makefile
cvs rdiff -u -r1.21 -r1.21.4.1 pkgsrc/www/ap2-auth-mellon/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ap2-auth-mellon/Makefile
diff -u pkgsrc/www/ap2-auth-mellon/Makefile:1.64 pkgsrc/www/ap2-auth-mellon/Makefile:1.64.4.1
--- pkgsrc/www/ap2-auth-mellon/Makefile:1.64    Tue Jun  8 07:26:52 2021
+++ pkgsrc/www/ap2-auth-mellon/Makefile Sat Nov 20 22:29:03 2021
@@ -1,12 +1,13 @@
-# $NetBSD: Makefile,v 1.64 2021/06/08 07:26:52 manu Exp $
+# $NetBSD: Makefile,v 1.64.4.1 2021/11/20 22:29:03 tm Exp $
 
-DISTNAME=      mod_auth_mellon-0.17.0
+DISTNAME=      mod_auth_mellon-0.18.0
 PKGNAME=       ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
 #PKGREVISION=  1
 CATEGORIES=    www security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=latchset/}
 GITHUB_PROJECT=        mod_auth_mellon
-GITHUB_RELEASE=        v${PKGVERSION_NOREV}
+GITHUB_TAG=    refs/tags/v${PKGVERSION_NOREV}
+WRKSRC=                ${WRKDIR}/${DISTNAME}
 
 MAINTAINER=    manu%NetBSD.org@localhost
 HOMEPAGE=      https://github.com/latchset/mod_auth_mellon
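Review bot: the move from GITHUB_RELEASE to GITHUB_TAG=refs/tags/v${PKGVERSION_NOREV}, together with the new explicit WRKSRC, changes which archive is fetched and where it unpacks, but neither the Makefile nor the log message says why. A one-line comment above GITHUB_TAG giving the reason would save the next updater from reverting it, and since this is a security pullup it is worth confirming that the distinfo checksums were generated from the tag archive this line now selects.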
@@ -15,7 +16,7 @@ LICENSE=      gnu-gpl-v2 # or later
 
 GNU_CONFIGURE= YES
 USE_LIBTOOL=   YES
-USE_TOOLS+=    pkg-config
+USE_TOOLS+=    pkg-config autoconf automake
 
 APACHE_MODULE= YES
 .include "../../mk/apache.mk"
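Review bot: on the USE_TOOLS line, autoconf and automake become build-time requirements on a stable branch with nothing in the hunk tying them to a consumer. A trailing comment such as "for autogen.sh" would make the dependency traceable, and if that script calls any tool beyond these two (not visible in this diff) it needs to be listed here as well.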
@@ -28,6 +29,9 @@ SUBST_NOOP_OK.pthflags=       yes
 
 INSTALLATION_DIRS+=    lib/httpd
 
+pre-configure:
+       cd ${WRKSRC} && ./autogen.sh
+
 do-install:
        cd ${WRKSRC} &&                                                 \
            libexecdir=`${APXS} -q LIBEXECDIR` &&                       \
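Review bot: the new pre-configure target runs ./autogen.sh straight from the fetched source, which depends on the script carrying an execute bit in the archive and has no comment saying why configure must be regenerated. Invoking it through the shell, for example "cd ${WRKSRC} && ${SH} ./autogen.sh", removes the permission dependency, and a short comment above the target would document the reason.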

Index: pkgsrc/www/ap2-auth-mellon/distinfo
diff -u pkgsrc/www/ap2-auth-mellon/distinfo:1.21 pkgsrc/www/ap2-auth-mellon/distinfo:1.21.4.1
--- pkgsrc/www/ap2-auth-mellon/distinfo:1.21    Tue Jun  8 07:26:52 2021
+++ pkgsrc/www/ap2-auth-mellon/distinfo Sat Nov 20 22:29:03 2021
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.21 2021/06/08 07:26:52 manu Exp $
+$NetBSD: distinfo,v 1.21.4.1 2021/11/20 22:29:03 tm Exp $
 
-SHA1 (mod_auth_mellon-0.17.0.tar.gz) = df4039cca9d706b10c49ea3435af0382da2b959a
-RMD160 (mod_auth_mellon-0.17.0.tar.gz) = 80454ec3823ec80af73bd5f58f3a051848f1bb90
-SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e
-Size (mod_auth_mellon-0.17.0.tar.gz) = 955298 bytes
+SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65
+RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001
+SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5
+Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes
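
The parser disagreement described in the NEWS entry above, as an added example that is not part of the commit mail or of mod_auth_mellon's source. `find_host` is a simplified stand-in for a generic URI parser (not APR), `host_check_only` is an assumed host-comparison check, and `return_to_allowed` adds the "///" prefix rejection the entry describes; all three names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for a generic URI parser (NOT the APR code):
 * points *host at the authority part of url and returns its length,
 * or 0 when the reference carries no authority. */
static size_t find_host(const char *url, const char **host)
{
    const char *p = strstr(url, "://");
    if (p != NULL && memchr(url, '/', (size_t)(p - url)) == NULL)
        p += 3;                          /* scheme://authority/path */
    else if (strncmp(url, "//", 2) == 0)
        p = url + 2;                     /* //authority/path */
    else
        p = "";                          /* plain path, no authority */
    *host = p;
    return strcspn(p, "/?#");
}

/* Assumed check: allow local paths and URLs naming our own host.
 * For "///x/..." the authority is empty, so it passes as "local". */
static bool host_check_only(const char *url, const char *my_host)
{
    const char *h;
    size_t len = find_host(url, &h);
    if (len == 0)
        return true;
    return len == strlen(my_host) && strncasecmp(h, my_host, len) == 0;
}

/* Same check with the rule from the NEWS entry: reject a "///" prefix. */
static bool return_to_allowed(const char *url, const char *my_host)
{
    if (strncmp(url, "///", 3) == 0)
        return false;
    return host_check_only(url, my_host);
}

int main(void)
{
    /* Constructed inputs; the first is the form quoted in the NEWS entry. */
    const char *s[] = { "///fishing-site.example.com/logout.html",
                        "https://rp.example.co.jp/app/", "/app/index.html" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-42s host-only=%d prefix-check=%d\n", s[i],
               host_check_only(s[i], "rp.example.co.jp"),
               return_to_allowed(s[i], "rp.example.co.jp"));
    return 0;
}
```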


