pkgsrc-Changes archive


CVS commit: pkgsrc/www/ap-auth-openidc



Module Name:    pkgsrc
Committed By:   markd
Date:           Sat Jun 13 10:51:14 UTC 2026

Modified Files:
        pkgsrc/www/ap-auth-openidc: Makefile distinfo
        pkgsrc/www/ap-auth-openidc/patches: patch-configure

Log Message:
ap-auth-openidc: update to version 2.4.19.3

== 2.4.19.3

The 2.4.19.x versions use a backwards incompatible session format so existing sessions
(created by versions <=2.4.18.x) are invalid.

Security
* code: fix >25 cases of potential string/URL matching attacks, XSS attacks,
  buffer overload etc.
* config: fix low-risk (insider admin attack based) security vulnerabilities
* log: do not log refresh tokens at warn/error levels

== 2.4.19

Features
* cookie: support individual SameSite cookie settings on the session cookie, state
  cookie and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
* id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will
  be passed on
* passphrase: generate a crypto key when OIDCCryptoPassphrase is not set

== 2.4.18

Bugfixes
* fix segmentation faults upon gracefully restarting the same process: use the
  server process pool for static variable allocation rather than the pconf pool
* fix setting OIDCMemCacheConnectionsTTL: interpret the value correctly in seconds
  instead of microseconds

== 2.4.17

Features
* proto: pass the scope parameter as returned from the token endpoint in the
  OIDC_scope header/environment variable and make it available for Require claim
  scope: purposes, if not available as a claim returned in the id_token or userinfo
  endpoint

Bugfixes
* fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key
  in a multi-provider setup
* allow for regular Apache processing (e.g. setting response/security headers) by
  deferring HTML/HTTP output generation to the content handler (instead of user id
  check handler) for the following use cases:
  * OIDCProviderAuthRequestMethod POST
  * OIDCPreservePost On (both internal and template-based)
  * POST page for the implicit grant type
  * Request URI handler
  * internally generated POST logout page
  * session management RP iframe
  * session management logout HTML top-window redirect page

== 2.4.16

Security
* disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered
  insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well

Features
* add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
* add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
* add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
* add the nbf claim to the Request Object
* store the token_type in the session and make it available on the info hook together with
  the access_token
* replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss
  boolean to require the Provider to pass the iss value in authorization responses, mitigating
  the OP mixup attack
* return HTTP 502 when refreshing access token or userinfo fails (default: 502_on_error)
* add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for
  accessing the private key file used for OAuth 2.0 token introspection
* when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply
  it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with
  non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes

== 2.4.15

The 2.4.15.x releases change a number of default settings to their more secure and
standards-compliant values. In rare cases this may break existing configurations.

New Defaults
* use Proof Key for Code Exchange (PKCE S256) by default
* use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
* apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers
  and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987

== 2.4.14

Deprecated
* OIDCHTMLErrorTemplate is now deprecated in favour of standard Apache error handling
  capabilities

== 2.4.12

Release 2.4.12 was (re-)certified for all OpenID Connect Relying Party conformance profiles
using the OpenID Foundation's certification suite: https://openid.net/certification/#RPs.

== 2.4.11

Note that as of this release running mod_auth_openidc behind a reverse proxy that sets
X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders for mod_auth_openidc
to interpret those headers, thus this may break existing configurations if unmodified for the
former.

== 2.4.10

This release improves prevention of state cookies piling up (e.g. for Single Page Applications)
by interpreting Sec-Fetch-* headers provided by modern browsers. This also means that - by
default - authentication in an iframe is prevented, which may impact existing deployments.

== 2.4.9

Note that the format of encrypted cache contents has changed and as such existing server
side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting
the Apache server with the upgraded module is advised.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/ap-auth-openidc/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ap-auth-openidc/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/ap-auth-openidc/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ap-auth-openidc/Makefile
diff -u pkgsrc/www/ap-auth-openidc/Makefile:1.19 pkgsrc/www/ap-auth-openidc/Makefile:1.20
--- pkgsrc/www/ap-auth-openidc/Makefile:1.19    Thu May 14 16:42:18 2026
+++ pkgsrc/www/ap-auth-openidc/Makefile Sat Jun 13 10:51:14 2026
@@ -1,14 +1,13 @@
-# $NetBSD: Makefile,v 1.19 2026/05/14 16:42:18 ryoon Exp $
+# $NetBSD: Makefile,v 1.20 2026/06/13 10:51:14 markd Exp $
 
-GITHUB_PROJECT=        mod_auth_openidc
-DISTNAME=      ${GITHUB_PROJECT}-2.4.8.4
+DISTNAME=      ${GITHUB_PROJECT}-2.4.19.3
 PKGNAME=       ${DISTNAME:S/mod/${APACHE_PKG_PREFIX}/:S/_/-/g}
-PKGREVISION=   17
 CATEGORIES=    www
-MASTER_SITES=  ${MASTER_SITE_GITHUB:=zmartzone/}
+MASTER_SITES=  ${MASTER_SITE_GITHUB:=OpenIDC/}
+GITHUB_PROJECT=        mod_auth_openidc
 GITHUB_RELEASE=        v${PKGVERSION_NOREV}
 
-HOMEPAGE=      https://github.com/zmartzone/mod_auth_openidc
+HOMEPAGE=      https://github.com/OpenIDC/mod_auth_openidc
 COMMENT=       OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
 LICENSE=       apache-2.0
 
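Review bot: the jump from 2.4.8.4 to 2.4.19.3 crosses several releases the commit message itself flags as incompatible (2.4.9 changes the encrypted cache format, 2.4.11 requires OIDCXForwardedHeaders behind a reverse proxy, 2.4.15 switches defaults to PKCE S256 and SameSite Strict, 2.4.19 invalidates existing sessions), yet the hunk adds no MESSAGE file or other user-facing note; please add a MESSAGE summarising those items so pkgsrc users upgrading the existing package are not surprised by broken logins. Dropping PKGREVISION on a version bump and moving GITHUB_PROJECT below MASTER_SITES are fine (bmake expands `=` assignments lazily, so DISTNAME referencing ${GITHUB_PROJECT} before its assignment still resolves). Since MASTER_SITES and HOMEPAGE both move from zmartzone/ to OpenIDC/, confirm the fetched tarball is the release asset under the OpenIDC organisation and not a redirect.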

Index: pkgsrc/www/ap-auth-openidc/distinfo
diff -u pkgsrc/www/ap-auth-openidc/distinfo:1.3 pkgsrc/www/ap-auth-openidc/distinfo:1.4
--- pkgsrc/www/ap-auth-openidc/distinfo:1.3     Tue Oct 26 11:29:17 2021
+++ pkgsrc/www/ap-auth-openidc/distinfo Sat Jun 13 10:51:14 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.3 2021/10/26 11:29:17 nia Exp $
+$NetBSD: distinfo,v 1.4 2026/06/13 10:51:14 markd Exp $
 
-BLAKE2s (mod_auth_openidc-2.4.8.4.tar.gz) = 9ed561386c2d2f39eca0ccf9fe301f5ec0755427c2f37b6fdc5c3c3a04cb3760
-SHA512 (mod_auth_openidc-2.4.8.4.tar.gz) = fcba4a26944d4173b4ab33f9171441046ad106b707fc6e296a9abddf582bc97573c7aab2a2d74317be05a10156b87e24f82bd665c2961aa2d896f3ab317f2834
-Size (mod_auth_openidc-2.4.8.4.tar.gz) = 287237 bytes
-SHA1 (patch-configure) = 98afe179c3f8f6126f5a8c70d36337953573eb26
+BLAKE2s (mod_auth_openidc-2.4.19.3.tar.gz) = 4c409c3d3d186e41a9fae5c42b0c8c265a18e68c170485a3ce82a74887255f59
+SHA512 (mod_auth_openidc-2.4.19.3.tar.gz) = 4e61941055c4d04a294eb29856a1b11fd38c61669250311f4941b300654e58d36380c77475de36f6c150ada4017d41350edf109d0a2d9101d6e8203e1a8bb1e0
+Size (mod_auth_openidc-2.4.19.3.tar.gz) = 855838 bytes
+SHA1 (patch-configure) = ed00826cc407c4fcb98c13ef24ce230f27002349
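Review bot: the BLAKE2s/SHA512/Size triple for mod_auth_openidc-2.4.19.3.tar.gz and the SHA1 for the regenerated patch-configure are updated consistently, but because the Makefile hunk in this same commit changes the download organisation from zmartzone to OpenIDC, these digests should be compared against the checksum upstream publishes for the v2.4.19.3 release rather than taken from whatever `make distinfo` happened to fetch; distinfo is the only thing in this package that pins the tarball content. The Size growing from 287237 to 855838 bytes is consistent with the much larger generated configure the new patch targets (hunk offsets around line 15705 versus 4181).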

Index: pkgsrc/www/ap-auth-openidc/patches/patch-configure
diff -u pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.1 pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.2
--- pkgsrc/www/ap-auth-openidc/patches/patch-configure:1.1      Thu Jul 22 15:58:49 2021
+++ pkgsrc/www/ap-auth-openidc/patches/patch-configure  Sat Jun 13 10:51:14 2026
@@ -1,15 +1,44 @@
-$NetBSD: patch-configure,v 1.1 2021/07/22 15:58:49 jperkin Exp $
+$NetBSD: patch-configure,v 1.2 2026/06/13 10:51:14 markd Exp $
 
 Shell portability.
 
---- configure.orig     2021-06-02 06:20:17.000000000 +0000
+--- configure.orig     2026-06-01 10:24:45.000000000 +0000
 +++ configure
-@@ -4181,7 +4181,7 @@ fi
- 
+@@ -15705,7 +15705,7 @@ printf "%s\n" "yes" >&6; }
+         with_libbrotlidec=yes
+ fi
+ fi
+- if test "${with_libbrotlienc}" == "yes" && test "${with_libbrotlidec}" == "yes"; then
++ if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then
+   HAVE_LIBBROTLI_TRUE=
+   HAVE_LIBBROTLI_FALSE='#'
+ else
+@@ -15816,7 +15816,7 @@ fi
  case "$with_hiredis" in #(
    yes) :
--    if test "$HIREDIS_LIBS" == ""; then
-+    if test "$HIREDIS_LIBS" = ""; then
+ 
+-              if test "$HIREDIS_LIBS" == ""; then
++              if test "$HIREDIS_LIBS" = ""; then
  pkg_failed=no
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for hiredis" >&5
  printf %s "checking for hiredis... " >&6; }
+@@ -15987,15 +15987,15 @@ fi
+ 
+ if test -n "$with_jq"
+ then
+-      if test "$JQ_CFLAGS" == ""; then
+-              if test "$with_jq" == "yes"; then
++      if test "$JQ_CFLAGS" = ""; then
++              if test "$with_jq" = "yes"; then
+                       JQ_CFLAGS="-I/usr/include"
+               else
+                       JQ_CFLAGS="-I$with_jq/include"
+               fi
+       fi
+-      if test "$JQ_LIBS" == ""; then
+-              if test "$with_jq" == "yes"; then
++      if test "$JQ_LIBS" = ""; then
++              if test "$with_jq" = "yes"; then
+                       JQ_LIBS="-L/usr/lib -ljq"
+               else
+                       JQ_LIBS="-L$with_jq/lib -ljq"
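Review bot: this patch edits the generated configure script and has now grown from one site (hiredis) to three (brotli, hiredis, jq) while being rebased from line 4181 to offsets around 15705, 15816 and 15987, so it will need regenerating at every update; the `==` operators come from configure.ac (or the m4 it includes), which is where the `==` -> `=` change belongs, so please file it upstream at https://github.com/OpenIDC/mod_auth_openidc and reference the issue in the patch header so the pkgsrc patch can eventually be dropped. The replacement itself is correct: POSIX `test` only defines `=` for string comparison, and `==` is a bash/ksh extension that strict POSIX shells such as dash reject with "unexpected operator".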


