pkgsrc-Changes archive
CVS commit: pkgsrc/www/ap-auth-openidc
Module Name: pkgsrc
Committed By: markd
Date: Sat Jun 13 10:51:14 UTC 2026
Modified Files:
pkgsrc/www/ap-auth-openidc: Makefile distinfo
pkgsrc/www/ap-auth-openidc/patches: patch-configure
Log Message:
ap-auth-openidc: update to version 2.4.19.3
== 2.4.19.3
The 2.4.19.x versions use a backwards-incompatible session format, so existing sessions
(created by versions <=2.4.18.x) are invalid.
Security
* code: fix >25 cases of potential string/URL matching attacks, XSS attacks,
buffer overload etc.
* config: fix low-risk, insider-admin-attack-based security vulnerabilities
* log: do not log refresh tokens at warn/error levels
== 2.4.19
Features
* cookie: support individual SameSite cookie settings on the session cookie, state
cookie and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
* id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will
be passed on
* passphrase: generate a crypto key when OIDCCryptoPassphrase is not set
== 2.4.18
Bugfixes
* fix segmentation faults upon gracefully restarting the same process: use the
server process pool for static variable allocation rather than the pconf pool
* fix setting OIDCMemCacheConnectionsTTL: interpret the value correctly in seconds
instead of microseconds
== 2.4.17
Features
* proto: pass the scope parameter as returned from the token endpoint in the
OIDC_scope header/environment variable and make it available for Require claim
scope: purposes, if not available as a claim returned in the id_token or userinfo
endpoint
Bugfixes
* fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key
in a multi-provider setup
* allow for regular Apache processing (e.g. setting response/security headers) by
deferring HTML/HTTP output generation to the content handler (instead of user id
check handler) for the following use cases:
  * OIDCProviderAuthRequestMethod POST
  * OIDCPreservePost On (both internal and template-based)
  * POST page for the implicit grant type
  * Request URI handler
  * internally generated POST logout page
  * session management RP iframe
  * session management logout HTML top-window redirect page
== 2.4.16
Security
* disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered
insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well
Features
* add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
* add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
* add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
* add the nbf claim to the Request Object
* store the token_type in the session and make it available on the info hook together with
the access_token
* replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss
boolean to require the Provider to pass the iss value in authorization responses, mitigating
the OP mixup attack
* return HTTP 502 when refreshing access token or userinfo fails (default: 502_on_error)
* add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for
accessing the private key file used for OAuth 2.0 token introspection
* when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply
it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with
non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes
== 2.4.15
The 2.4.15.x releases change a number of default settings to their more secure and
standards-compliant values. In rare cases this may break existing configurations.
New Defaults
* use Proof Key for Code Exchange (PKCE S256) by default
* use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
* apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers
and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987
== 2.4.14
Deprecated
* OIDCHTMLErrorTemplate is now deprecated in favour of standard Apache error handling
capabilities
== 2.4.12
Release 2.4.12 was (re-)certified for all OpenID Connect Relying Party conformance profiles
using the OpenID Foundation's certification suite: https://openid.net/certification/#RPs.
== 2.4.11
Note that as of this release running mod_auth_openidc behind a reverse proxy that sets
X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders for mod_auth_openidc
to interpret those headers, thus this may break existing configurations if unmodified for the
former.
== 2.4.10
This release improves prevention of state cookies piling up (e.g. for Single Page Applications)
by interpreting Sec-Fetch-* headers provided by modern browsers. This also means that - by
default - authentication in an iframe is prevented, which may impact existing deployments.
== 2.4.9
Note that the format of encrypted cache contents has changed and as such existing server
side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting
the Apache server with the upgraded module is advised.
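An added example, not part of this commit or of mod_auth_openidc's own documentation: a minimal Apache configuration that a pkgsrc user jumping from 2.4.8.4 to 2.4.19.3 would review against the breaking changes listed above. The issuer URL, redirect URI and credentials are placeholders, and the core registration directives (OIDCProviderMetadataURL, OIDCClientID, OIDCClientSecret, OIDCRedirectURI, OIDCPKCEMethod) are assumed from the module's standard configuration rather than taken from this log.

```apache
# Added example (not from the commit): settings to review when moving
# ap-auth-openidc from 2.4.8.4 to 2.4.19.3. All values are placeholders.

# Provider and client registration (standard directives, assumed here).
OIDCProviderMetadataURL https://op.example.invalid/.well-known/openid-configuration
OIDCClientID            REPLACE-WITH-CLIENT-ID
OIDCClientSecret        REPLACE-WITH-CLIENT-SECRET
OIDCRedirectURI         https://rp.example.invalid/protected/redirect_uri

# 2.4.19: the module generates a key when this is unset. Set it explicitly
# in a multi-server deployment so every server encrypts sessions with the
# same key. Existing 2.4.8.4 sessions are invalid after the upgrade anyway.
OIDCCryptoPassphrase    REPLACE-WITH-LONG-RANDOM-PASSPHRASE

# 2.4.15 defaults: PKCE S256 and SameSite=Strict are now on by default.
# Stating them keeps the hardened value visible in the file instead of
# depending on whichever module version happens to be installed.
OIDCPKCEMethod          S256
OIDCCookieSameSite      Strict

# 2.4.11: behind a reverse proxy the module no longer honours X-Forwarded-*
# headers unless told to. List only the headers the proxy itself sets and
# overwrites on every request; anything else could be supplied by a client.
OIDCXForwardedHeaders   X-Forwarded-Host X-Forwarded-Proto

# 2.4.19: stop passing ID token claims to the backend when it does not
# need them.
OIDCPassIDTokenAs       off

# 2.4.14: OIDCHTMLErrorTemplate is deprecated; use Apache's ErrorDocument
# for the status codes the module returns (2.4.16 returns 502 when an
# access token refresh or userinfo call fails).
ErrorDocument 502 /oidc-error.html

<Location /protected>
    AuthType  openid-connect
    Require   valid-user
</Location>
```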
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/ap-auth-openidc/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ap-auth-openidc/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/ap-auth-openidc/patches/patch-configure
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/ap-auth-openidc/Makefile
diff -u pkgsrc/www/ap-auth-openidc/Makefile:1.19 pkgsrc/www/ap-auth-openidc/Makefile:1.20
--- pkgsrc/www/ap-auth-openidc/Makefile:1.19 Thu May 14 16:42:18 2026
+++ pkgsrc/www/ap-auth-openidc/Makefile Sat Jun 13 10:51:14 2026
@@ -1,14 +1,13 @@
-# $NetBSD: Makefile,v 1.19 2026/05/14 16:42:18 ryoon Exp $
+# $NetBSD: Makefile,v 1.20 2026/06/13 10:51:14 markd Exp $
-GITHUB_PROJECT= mod_auth_openidc
-DISTNAME= ${GITHUB_PROJECT}-2.4.8.4
+DISTNAME= ${GITHUB_PROJECT}-2.4.19.3
PKGNAME= ${DISTNAME:S/mod/${APACHE_PKG_PREFIX}/:S/_/-/g}
-PKGREVISION= 17
CATEGORIES= www
-MASTER_SITES= ${MASTER_SITE_GITHUB:=zmartzone/}
+MASTER_SITES= ${MASTER_SITE_GITHUB:=OpenIDC/}
+GITHUB_PROJECT= mod_auth_openidc
GITHUB_RELEASE= v${PKGVERSION_NOREV}
-HOMEPAGE= https://github.com/zmartzone/mod_auth_openidc
+HOMEPAGE= https://github.com/OpenIDC/mod_auth_openidc
COMMENT= OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
LICENSE= apache-2.0
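Review bot: GITHUB_PROJECT is now assigned below the DISTNAME line that expands it (`+DISTNAME= ${GITHUB_PROJECT}-2.4.19.3` precedes `+GITHUB_PROJECT= mod_auth_openidc`); this only works because bmake expands `=` assignments lazily, so for readability keep GITHUB_PROJECT above DISTNAME as in the removed lines. Dropping PKGREVISION on a version bump and moving MASTER_SITES and HOMEPAGE together from zmartzone/ to OpenIDC/ are consistent with each other. Since the log message states that 2.4.19.x invalidates sessions created by <=2.4.18.x and that 2.4.11 requires explicit OIDCXForwardedHeaders behind a reverse proxy, consider adding a pkgsrc MESSAGE file so users upgrading from 2.4.8.4 see these breaking changes at install time.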
Index: pkgsrc/www/ap-auth-openidc/distinfo
diff -u pkgsrc/www/ap-auth-openidc/distinfo:1.3 pkgsrc/www/ap-auth-openidc/distinfo:1.4
--- pkgsrc/www/ap-auth-openidc/distinfo:1.3 Tue Oct 26 11:29:17 2021
+++ pkgsrc/www/ap-auth-openidc/distinfo Sat Jun 13 10:51:14 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.3 2021/10/26 11:29:17 nia Exp $
+$NetBSD: distinfo,v 1.4 2026/06/13 10:51:14 markd Exp $
-BLAKE2s (mod_auth_openidc-2.4.8.4.tar.gz) = 9ed561386c2d2f39eca0ccf9fe301f5ec0755427c2f37b6fdc5c3c3a04cb3760
-SHA512 (mod_auth_openidc-2.4.8.4.tar.gz) = fcba4a26944d4173b4ab33f9171441046ad106b707fc6e296a9abddf582bc97573c7aab2a2d74317be05a10156b87e24f82bd665c2961aa2d896f3ab317f2834
-Size (mod_auth_openidc-2.4.8.4.tar.gz) = 287237 bytes
-SHA1 (patch-configure) = 98afe179c3f8f6126f5a8c70d36337953573eb26
+BLAKE2s (mod_auth_openidc-2.4.19.3.tar.gz) = 4c409c3d3d186e41a9fae5c42b0c8c265a18e68c170485a3ce82a74887255f59
+SHA512 (mod_auth_openidc-2.4.19.3.tar.gz) = 4e61941055c4d04a294eb29856a1b11fd38c61669250311f4941b300654e58d36380c77475de36f6c150ada4017d41350edf109d0a2d9101d6e8203e1a8bb1e0
+Size (mod_auth_openidc-2.4.19.3.tar.gz) = 855838 bytes
+SHA1 (patch-configure) = ed00826cc407c4fcb98c13ef24ce230f27002349
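Review bot: the SHA1 of patch-configure changes in step with the patch rewrite in this commit and the tarball checksums move to the 2.4.19.3 archive, which is correct; since the Makefile now fetches from the OpenIDC/ GitHub organisation, confirm the BLAKE2s and SHA512 were computed on the asset published for the v2.4.19.3 release rather than on a GitHub-generated snapshot archive, because the size change from 287237 to 855838 bytes cannot tell the two apart and these hashes are the package's only pin on the upstream source.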
Index: pkgsrc/www/ap-auth-openidc/patches/patch-configure
diff -u pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.1 pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.2
--- pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.1 Thu Jul 22 15:58:49 2021
+++ pkgsrc/www/ap-auth-openidc/patches/patch-configure Sat Jun 13 10:51:14 2026
@@ -1,15 +1,44 @@
-$NetBSD: patch-configure,v 1.1 2021/07/22 15:58:49 jperkin Exp $
+$NetBSD: patch-configure,v 1.2 2026/06/13 10:51:14 markd Exp $
Shell portability.
---- configure.orig 2021-06-02 06:20:17.000000000 +0000
+--- configure.orig 2026-06-01 10:24:45.000000000 +0000
+++ configure
-@@ -4181,7 +4181,7 @@ fi
-
+@@ -15705,7 +15705,7 @@ printf "%s\n" "yes" >&6; }
+ with_libbrotlidec=yes
+ fi
+ fi
+- if test "${with_libbrotlienc}" == "yes" && test "${with_libbrotlidec}" == "yes"; then
++ if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then
+ HAVE_LIBBROTLI_TRUE=
+ HAVE_LIBBROTLI_FALSE='#'
+ else
+@@ -15816,7 +15816,7 @@ fi
case "$with_hiredis" in #(
yes) :
-- if test "$HIREDIS_LIBS" == ""; then
-+ if test "$HIREDIS_LIBS" = ""; then
+
+- if test "$HIREDIS_LIBS" == ""; then
++ if test "$HIREDIS_LIBS" = ""; then
pkg_failed=no
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for hiredis" >&5
printf %s "checking for hiredis... " >&6; }
+@@ -15987,15 +15987,15 @@ fi
+
+ if test -n "$with_jq"
+ then
+- if test "$JQ_CFLAGS" == ""; then
+- if test "$with_jq" == "yes"; then
++ if test "$JQ_CFLAGS" = ""; then
++ if test "$with_jq" = "yes"; then
+ JQ_CFLAGS="-I/usr/include"
+ else
+ JQ_CFLAGS="-I$with_jq/include"
+ fi
+ fi
+- if test "$JQ_LIBS" == ""; then
+- if test "$with_jq" == "yes"; then
++ if test "$JQ_LIBS" = ""; then
++ if test "$with_jq" = "yes"; then
+ JQ_LIBS="-L/usr/lib -ljq"
+ else
+ JQ_LIBS="-L$with_jq/lib -ljq"
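Review bot: the rewritten patch replaces the non-POSIX `==` with `=` in the `test` invocations of three configure checks (libbrotli, hiredis, and the jq CFLAGS/LIBS block), which is the right portability fix, but the `Shell portability.` header should name where this was reported upstream so the patch can be dropped once fixed there. The target is the generated configure script (the `$as_me:${as_lineno-$LINENO}` lines are autoconf output), so the patch will need regeneration on every upstream release, as the hunk offsets moving from 4181 to 15705-15987 already show; the durable fix belongs in the upstream autoconf input that emits these tests.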