authortm <tm@pkgsrc.org>2021-11-20 22:29:03 +0000
committertm <tm@pkgsrc.org>2021-11-20 22:29:03 +0000
commit0b4538d149588a0ef83592ae2b6cfbfd861aba67 (patch)
treea44ebe332713830d39543fab445546f24d824d07
parent47974b177d0d802d278b0904b151b277b438dd17 (diff)
downloadpkgsrc-0b4538d149588a0ef83592ae2b6cfbfd861aba67.tar.gz
Pullup ticket #6533 - requested by bsiegert
www/ap2-auth-mellon: security fix Revisions pulled up: - www/ap2-auth-mellon/Makefile 1.66 - www/ap2-auth-mellon/distinfo 1.24 --- Module Name: pkgsrc Committed By: manu Date: Tue Nov 9 01:50:45 UTC 2021 Modified Files: pkgsrc/doc: CHANGES-2021 pkgsrc/www/ap2-auth-mellon: Makefile distinfo Log Message: Updated www/ap2-auth-mellon to 0.18.0 Changes since 0.17 from NEWS file: Version 0.18.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2019-13038] Redirect URL validation bypass Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as "///fishing-site.example.com/logout.html". In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html This version fixes that issue by rejecting all URLs that start with "///". Enhancements: * A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds. Bug fixes: * Several build-time fixes * The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed.
-rw-r--r--www/ap2-auth-mellon/Makefile12
-rw-r--r--www/ap2-auth-mellon/distinfo10
2 files changed, 13 insertions, 9 deletions
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index 1dbbd404a50..a80ff2c5d21 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,12 +1,13 @@
-# $NetBSD: Makefile,v 1.64 2021/06/08 07:26:52 manu Exp $
+# $NetBSD: Makefile,v 1.64.4.1 2021/11/20 22:29:03 tm Exp $
-DISTNAME= mod_auth_mellon-0.17.0
+DISTNAME= mod_auth_mellon-0.18.0
PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
#PKGREVISION= 1
CATEGORIES= www security
MASTER_SITES= ${MASTER_SITE_GITHUB:=latchset/}
GITHUB_PROJECT= mod_auth_mellon
-GITHUB_RELEASE= v${PKGVERSION_NOREV}
+GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV}
+WRKSRC= ${WRKDIR}/${DISTNAME}
MAINTAINER= manu@NetBSD.org
HOMEPAGE= https://github.com/latchset/mod_auth_mellon
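Review bot: The switch from `GITHUB_RELEASE` to `GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV}` changes where the distfile is fetched from, and nothing in the Makefile records why. The package now appears to build from the archive generated for the tag rather than from an uploaded release asset, which is presumably also why `WRKSRC` is set explicitly and why the later hunks add autoconf/automake and an `autogen.sh` step. A comment above the line, for example `# 0.18.0 is fetched as the tag archive; configure is regenerated in pre-configure`, would tell the next updater to check whether a release tarball is available before keeping this arrangement. Since the distfile name is unchanged in form, the distinfo checksums are the only thing tying the build to this particular archive and should be regenerated from a fresh fetch on every update.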
@@ -15,7 +16,7 @@ LICENSE= gnu-gpl-v2 # or later
GNU_CONFIGURE= YES
USE_LIBTOOL= YES
-USE_TOOLS+= pkg-config
+USE_TOOLS+= pkg-config autoconf automake
APACHE_MODULE= YES
.include "../../mk/apache.mk"
@@ -28,6 +29,9 @@ SUBST_NOOP_OK.pthflags= yes
INSTALLATION_DIRS+= lib/httpd
+pre-configure:
+ cd ${WRKSRC} && ./autogen.sh
+
do-install:
cd ${WRKSRC} && \
libexecdir=`${APXS} -q LIBEXECDIR` && \
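Review bot: The added `pre-configure` recipe `cd ${WRKSRC} && ./autogen.sh` depends on the script keeping its executable bit in the extracted archive; `cd ${WRKSRC} && ${SH} ./autogen.sh` would not. The target also carries no comment, so a line such as `# tag archive has no generated configure script` (if that is the reason) would explain why a package with `GNU_CONFIGURE= YES` needs this step. Because the configure script is now produced at build time by the host's autoconf/automake, it is worth confirming in a clean build that `autogen.sh` needs no tools beyond the two added to `USE_TOOLS`. The `do-install` body continues outside the hunk.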
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index fbc8f701864..cc94e332fea 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.21 2021/06/08 07:26:52 manu Exp $
+$NetBSD: distinfo,v 1.21.4.1 2021/11/20 22:29:03 tm Exp $
-SHA1 (mod_auth_mellon-0.17.0.tar.gz) = df4039cca9d706b10c49ea3435af0382da2b959a
-RMD160 (mod_auth_mellon-0.17.0.tar.gz) = 80454ec3823ec80af73bd5f58f3a051848f1bb90
-SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e
-Size (mod_auth_mellon-0.17.0.tar.gz) = 955298 bytes
+SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65
+RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001
+SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5
+Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes