diff options
author | tm <tm@pkgsrc.org> | 2021-11-20 22:29:03 +0000 |
---|---|---|
committer | tm <tm@pkgsrc.org> | 2021-11-20 22:29:03 +0000 |
commit | 0b4538d149588a0ef83592ae2b6cfbfd861aba67 (patch) | |
tree | a44ebe332713830d39543fab445546f24d824d07 | |
parent | 47974b177d0d802d278b0904b151b277b438dd17 (diff) | |
download | pkgsrc-0b4538d149588a0ef83592ae2b6cfbfd861aba67.tar.gz |
Pullup ticket #6533 - requested by bsiegert
www/ap2-auth-mellon: security fix
Revisions pulled up:
- www/ap2-auth-mellon/Makefile 1.66
- www/ap2-auth-mellon/distinfo 1.24
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Nov 9 01:50:45 UTC 2021
Modified Files:
pkgsrc/doc: CHANGES-2021
pkgsrc/www/ap2-auth-mellon: Makefile distinfo
Log Message:
Updated www/ap2-auth-mellon to 0.18.0
Change sine 0.17 from NEWS file:
Version 0.18.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
"///fishing-site.example.com/logout.html". In this case, the browser
would interpret the URL differently than the APR parsing utility
mellon uses and redirect to fishing-site.example.com.
This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com
/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
Enhancements:
* A new option MellonSessionIdleTimeout that represents the amount of time
a user can be inactive before the user's session times out in seconds.
Bug fixes:
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure
option MellonCookieSameSite was set to something other than default.
This is now fixed.
-rw-r--r-- | www/ap2-auth-mellon/Makefile | 12 | ||||
-rw-r--r-- | www/ap2-auth-mellon/distinfo | 10 |
2 files changed, 13 insertions, 9 deletions
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile index 1dbbd404a50..a80ff2c5d21 100644 --- a/www/ap2-auth-mellon/Makefile +++ b/www/ap2-auth-mellon/Makefile @@ -1,12 +1,13 @@ -# $NetBSD: Makefile,v 1.64 2021/06/08 07:26:52 manu Exp $ +# $NetBSD: Makefile,v 1.64.4.1 2021/11/20 22:29:03 tm Exp $ -DISTNAME= mod_auth_mellon-0.17.0 +DISTNAME= mod_auth_mellon-0.18.0 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g} #PKGREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_GITHUB:=latchset/} GITHUB_PROJECT= mod_auth_mellon -GITHUB_RELEASE= v${PKGVERSION_NOREV} +GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} +WRKSRC= ${WRKDIR}/${DISTNAME} MAINTAINER= manu@NetBSD.org HOMEPAGE= https://github.com/latchset/mod_auth_mellon @@ -15,7 +16,7 @@ LICENSE= gnu-gpl-v2 # or later GNU_CONFIGURE= YES USE_LIBTOOL= YES -USE_TOOLS+= pkg-config +USE_TOOLS+= pkg-config autoconf automake APACHE_MODULE= YES .include "../../mk/apache.mk" @@ -28,6 +29,9 @@ SUBST_NOOP_OK.pthflags= yes INSTALLATION_DIRS+= lib/httpd +pre-configure: + cd ${WRKSRC} && ./autogen.sh + do-install: cd ${WRKSRC} && \ libexecdir=`${APXS} -q LIBEXECDIR` && \ diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo index fbc8f701864..cc94e332fea 100644 --- a/www/ap2-auth-mellon/distinfo +++ b/www/ap2-auth-mellon/distinfo @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.21 2021/06/08 07:26:52 manu Exp $ +$NetBSD: distinfo,v 1.21.4.1 2021/11/20 22:29:03 tm Exp $ -SHA1 (mod_auth_mellon-0.17.0.tar.gz) = df4039cca9d706b10c49ea3435af0382da2b959a -RMD160 (mod_auth_mellon-0.17.0.tar.gz) = 80454ec3823ec80af73bd5f58f3a051848f1bb90 -SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e -Size (mod_auth_mellon-0.17.0.tar.gz) = 955298 bytes +SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65 +RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001 +SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5 +Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes |