author | tm <tm@pkgsrc.org> | 2021-11-20 22:29:03 +0000 |
---|---|---|
committer | tm <tm@pkgsrc.org> | 2021-11-20 22:29:03 +0000 |
commit | 0b4538d149588a0ef83592ae2b6cfbfd861aba67 (patch) | |
tree | a44ebe332713830d39543fab445546f24d824d07 /www/ap2-auth-mellon/Makefile | |
parent | 47974b177d0d802d278b0904b151b277b438dd17 (diff) | |
download | pkgsrc-0b4538d149588a0ef83592ae2b6cfbfd861aba67.tar.gz |
Pullup ticket #6533 - requested by bsiegert
www/ap2-auth-mellon: security fix
Revisions pulled up:
- www/ap2-auth-mellon/Makefile 1.66
- www/ap2-auth-mellon/distinfo 1.24
---
Module Name: pkgsrc
Committed By: manu
Date: Tue Nov 9 01:50:45 UTC 2021
Modified Files:
pkgsrc/doc: CHANGES-2021
pkgsrc/www/ap2-auth-mellon: Makefile distinfo
Log Message:
Updated www/ap2-auth-mellon to 0.18.0
Changes since 0.17 from NEWS file:
Version 0.18.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying a URL formatted as
"///fishing-site.example.com/logout.html". In this case, the browser
would interpret the URL differently than the APR parsing utility
mellon uses and redirect to fishing-site.example.com.
This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
Enhancements:
* A new option MellonSessionIdleTimeout that represents the amount of time
a user can be inactive before the user's session times out in seconds.
Bug fixes:
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure
option MellonCookieSameSite was set to something other than default.
This is now fixed.
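The parser mismatch described in the NEWS entry above, as an added example that is not part of the commit or of mod_auth_mellon: an RFC 3986 split stands in for the server-side parsing utility and Node's WHATWG `URL` for the browser. The function names, the allow-list, the sample inputs other than the page's own `///` value, and the extra resolved-host check are assumptions of this example.

```javascript
// Added example (hypothetical names); not mod_auth_mellon code.

// RFC 3986 Appendix B split, standing in for the server-side URI parser.
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

function genericHost(url) {
  const m = RFC3986.exec(url);
  return m[4] || null; // an empty authority is reported as "no host"
}

// Host a browser would navigate to for this redirect target (WHATWG URL).
function browserHost(url, base) {
  return new URL(url, base).host;
}

// Model of a pre-fix style check: no host is assumed to mean "local".
function naiveIsAllowed(url, allowedHosts) {
  const host = genericHost(url);
  return host === null || allowedHosts.includes(host);
}

// The "///" rejection the page describes, plus (this example's addition)
// a check of the host the browser itself would resolve.
function hardenedIsAllowed(url, base, allowedHosts) {
  if (url.startsWith("///")) return false;
  let resolved;
  try { resolved = new URL(url, base); } catch { return false; }
  return allowedHosts.includes(resolved.host);
}

const BASE = "https://rp.example.co.jp/mellon/logout";
const ALLOWED = ["rp.example.co.jp"];
const SAMPLES = [ // constructed inputs; the third is the page's own value
  "/logout.html",
  "https://rp.example.co.jp/done",
  "///fishing-site.example.com/logout.html",
  "https://fishing-site.example.com/",
];

function report() {
  return SAMPLES.map((url) => ({
    url,
    generic: genericHost(url),
    browser: browserHost(url, BASE),
    naive: naiveIsAllowed(url, ALLOWED),
    hardened: hardenedIsAllowed(url, BASE, ALLOWED),
  }));
}
console.table(report());
```

The row for the `///` value shows the two parsers disagreeing: the generic split reports no host while the browser column shows the external one, which is why the naive check passes it and the hardened one does not.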
Diffstat (limited to 'www/ap2-auth-mellon/Makefile')
-rw-r--r-- | www/ap2-auth-mellon/Makefile | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile index 1dbbd404a50..a80ff2c5d21 100644 --- a/www/ap2-auth-mellon/Makefile +++ b/www/ap2-auth-mellon/Makefile @@ -1,12 +1,13 @@ -# $NetBSD: Makefile,v 1.64 2021/06/08 07:26:52 manu Exp $ +# $NetBSD: Makefile,v 1.64.4.1 2021/11/20 22:29:03 tm Exp $ -DISTNAME= mod_auth_mellon-0.17.0 +DISTNAME= mod_auth_mellon-0.18.0 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g} #PKGREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_GITHUB:=latchset/} GITHUB_PROJECT= mod_auth_mellon -GITHUB_RELEASE= v${PKGVERSION_NOREV} +GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} +WRKSRC= ${WRKDIR}/${DISTNAME} MAINTAINER= manu@NetBSD.org HOMEPAGE= https://github.com/latchset/mod_auth_mellon @@ -15,7 +16,7 @@ LICENSE= gnu-gpl-v2 # or later GNU_CONFIGURE= YES USE_LIBTOOL= YES -USE_TOOLS+= pkg-config +USE_TOOLS+= pkg-config autoconf automake APACHE_MODULE= YES .include "../../mk/apache.mk" @@ -28,6 +29,9 @@ SUBST_NOOP_OK.pthflags= yes INSTALLATION_DIRS+= lib/httpd +pre-configure: + cd ${WRKSRC} && ./autogen.sh + do-install: cd ${WRKSRC} && \ libexecdir=`${APXS} -q LIBEXECDIR` && \ |
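Review bot: In the first hunk (@@ -1,12 +1,13 @@) the replacement of GITHUB_RELEASE with `GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV}` and the new explicit `WRKSRC= ${WRKDIR}/${DISTNAME}` carry no comment saying why the release distfile is no longer used. A one-line comment above GITHUB_TAG would keep a later update from switching back by accident. Because the distfile source changes along with the version, the checksums in the pulled-up distinfo revision (1.24 per the pullup message) should be confirmed against a fresh fetch; that file is outside this Makefile-limited view.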
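Review bot: In the second hunk (@@ -15,7 +16,7 @@) `USE_TOOLS+= pkg-config autoconf automake` adds the autotools with nothing tying them to the autogen.sh step introduced in the last hunk. A short comment here, or moving the addition next to the pre-configure target, would make it clear why a GNU_CONFIGURE package now needs them at build time.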
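Review bot: In the third hunk (@@ -28,6 +29,9 @@) the new pre-configure target invokes `./autogen.sh` directly, so the build depends on the script keeping its executable bit in the extracted archive, and the package now runs an upstream script before configure. Consider `cd ${WRKSRC} && ${SH} ./autogen.sh` and a comment stating why configure has to be generated for this version.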