Update mod_auth_mellon to 0.12.0

Fixes CVE-2016-2145 and CVE-2016-2146 Changes since 0.10.0 frome NEWS file and patches/patch-0274 patch-0274 --------------------------------------------------------------------------- * Return 500 Internal Server Error if probe discovery fails. Version 0.12.0 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data. In addition this release contains the following new features and fixes: * Add MellonRedirecDomains option to limit the sites that mod_auth_mellon can redirect to. This option is enabled by default. * Add support for ECP service options in PAOS requests. * Fix AssertionConsumerService lookup for PAOS requests. Version 0.11.1 --------------------------------------------------------------------------- Security fixes: * [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to incorrect error handling when reading POST data from client. * [CVE-2016-2146] Fix DOS attack (Apache worker process crash / resource exhaustion) due to missing size checks when reading POST data Version 0.11.0 --------------------------------------------------------------------------- * Add SAML 2.0 ECP support. * The MellonDecode option has been disabled. It was used to decode attributes in a Feide-specific encoding that is no longer used. * Set max-age=0 in Cache-Control header, to ensure that all browsers verifies the data on each request. * MellonMergeEnvVars On now accepts second optional parameter, the separator to be used instead of the default ';'. * Add option MellonEnvVarsSetCount to specify if the number of values for any attribute should also be stored in environment variable suffixed _N. * Add option MellonEnvVarsIndexStart to specify if environment variables for multi-valued attributes should start indexing with 0 (default) or with 1. * Bugfixes: * Fix error about missing authentication with DirectoryIndex in Apache 2.4.
author: manu <manu@pkgsrc.org> 2016-03-14 09:58:57 +0000
committer: manu <manu@pkgsrc.org> 2016-03-14 09:58:57 +0000
commit: 6ee3620ec66961c29c0a6516132f34db2362e43c (patch)
tree: 98cc05f6a08201de06aaef2897c7f36cfc17b476 /www
parent: 4bd2ff4c1c78b713cd349d6ba78dda90b9943e4b (diff)
download: pkgsrc-6ee3620ec66961c29c0a6516132f34db2362e43c.tar.gz
3 files changed, 62 insertions, 9 deletions
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index 28f62f1c1b2..d1c84e02de1 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.32 2016/03/05 11:29:34 jperkin Exp $
+# $NetBSD: Makefile,v 1.33 2016/03/14 09:58:57 manu Exp $
 #
 
-DISTNAME=	mod_auth_mellon-0.10.0
+DISTNAME=	mod_auth_mellon-0.12.0	
 PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
 PKGREVISION=	1
-#PKGREVISION=	1
 CATEGORIES=	www security
 MASTER_SITES=	https://github.com/UNINETT/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 
@@ -16,7 +15,6 @@ LICENSE=	gnu-gpl-v2 # or later
 GNU_CONFIGURE=	YES
 USE_LIBTOOL=	YES
 USE_TOOLS+=	pkg-config
-CFLAGS+=	-DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0
 
 APACHE_MODULE=	YES
 PKG_APACHE_ACCEPTED=	apache22 apache24
@@ -36,6 +34,8 @@ do-install:
 	    ${APXS} -i -S LIBEXECDIR=${DESTDIR}"$${libexecdir}" 	\
 	      -n auth_mellon  mod_auth_mellon.la
 
+BUILDLINK_ABI_DEPENDS.lasso+=   lasso>=2.1.0
+
 .include "../../security/lasso/buildlink3.mk"
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../www/curl/buildlink3.mk"
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index 642dbbf9725..df84839f148 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.14 2015/11/04 02:46:47 agc Exp $
+$NetBSD: distinfo,v 1.15 2016/03/14 09:58:57 manu Exp $
 
-SHA1 (mod_auth_mellon-0.10.0.tar.gz) = 853bd8506c3e70c9f0b7f7c6625a0c896dcf92bc
-RMD160 (mod_auth_mellon-0.10.0.tar.gz) = 7f8e40a9a7a5a7c5df772523dbb2c65e34658364
-SHA512 (mod_auth_mellon-0.10.0.tar.gz) = 7a3958f1e151a3f1521b8cddf605c201bdd2fd23d44a12052192c13faa9bec46dc4b9c731ed94e6f85fd1e2b0c5b3798136867db2404df478a83485fe7bd24ed
-Size (mod_auth_mellon-0.10.0.tar.gz) = 115727 bytes
+SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
+RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
+Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
+SHA1 (patch-0274) = e523b560f8220352090db686a32a5f81f6579fda
diff --git a/www/ap2-auth-mellon/patches/patch-0274 b/www/ap2-auth-mellon/patches/patch-0274
new file mode 100644
index 00000000000..69832367fcb
--- /dev/null
+++ b/www/ap2-auth-mellon/patches/patch-0274
@@ -0,0 +1,53 @@
+From fe0eb56e29f89513b2dcf3c222fa3a2e8a09383f Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.morken@uninett.no>
+Date: Mon, 14 Mar 2016 09:47:48 +0100
+Subject: [PATCH 274/274] Return 500 Internal Server Error if probe discovery
+ fails.
+
+If we don't, we can end up sending an authentication request to an IdP
+that is not in the MellonProbeDiscoveryIdP list, which is probably not
+what the user wants.
+
+Patch by Emmanuel Dreyfus.
+---
+ README                |  3 +++
+ auth_mellon_handler.c | 10 +++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/README b/README
+index 638329c..4e4f229 100644
+--- README
++++ README
+@@ -471,6 +471,9 @@ MellonPostCount 100
+ 
+         # MellonProbeDiscoveryIdP can be used to restrict the 
+         # list of IdP queried by the IdP probe discovery service.
++        # If probe discovery fails and this is provided, an
++        # HTTP error 500 is returned, instead of proceeding
++        # with first available IdP.
+         #
+         # Default unset, which means that all configured IdP are 
+         # queried.
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 7f4b73a..a72e1ca 100644
+--- auth_mellon_handler.c
++++ auth_mellon_handler.c
+@@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
+     }
+ 
+     /* 
+-     * On failure, try default
++     * On failure, fail if a MellonProbeDiscoveryIdP
++     * list was provided, otherwise try first IdP.
+      */
+     if (disco_idp == NULL) {
++        if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                          "probeDiscovery failed and non empty "
++                          "MellonProbeDiscoveryIdP was provided.");
++            return HTTP_INTERNAL_SERVER_ERROR;
++        }
++
+         disco_idp = am_first_idp(r);
+         if (disco_idp == NULL) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
author	manu <manu@pkgsrc.org>	2016-03-14 09:58:57 +0000
committer	manu <manu@pkgsrc.org>	2016-03-14 09:58:57 +0000
commit	6ee3620ec66961c29c0a6516132f34db2362e43c (patch)
tree	98cc05f6a08201de06aaef2897c7f36cfc17b476 /www
parent	4bd2ff4c1c78b713cd349d6ba78dda90b9943e4b (diff)
download	pkgsrc-6ee3620ec66961c29c0a6516132f34db2362e43c.tar.gz