author | manu <manu@pkgsrc.org> | 2021-11-09 01:50:45 +0000 |
---|---|---|
committer | manu <manu@pkgsrc.org> | 2021-11-09 01:50:45 +0000 |
commit | 584800a15b12dff035c032d62a0daa897ae55e90 (patch) | |
tree | 60891ff65474fa7cd554e7754b9663481dcd1516 /www | |
parent | 173c347d6d76ac4fc6721ddf9d70836d65a0aa41 (diff) | |
download | pkgsrc-584800a15b12dff035c032d62a0daa897ae55e90.tar.gz |
Updated www/ap2-auth-mellon to 0.18.0
Changes since 0.17 from NEWS file:
Version 0.18.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
"///fishing-site.example.com/logout.html". In this case, the browser
would interpret the URL differently than the APR parsing utility
mellon uses and redirect to fishing-site.example.com.
This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
Enhancements:
* A new option MellonSessionIdleTimeout that represents the amount of time
a user can be inactive before the user's session times out in seconds.
Bug fixes:
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure
option MellonCookieSameSite was set to something other than default.
This is now fixed.
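The parser disagreement described in the CVE-2019-13038 entry, as an added example that is not part of this commit or of mod_auth_mellon's code: Python's `urlsplit` stands in for the APR parser, and the function names, the allowed-host set and the sample `ReturnTo` values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the service provider's own host, taken from the sample URL above.
ALLOWED_HOSTS = {"rp.example.co.jp"}


def parsed_host(url):
    """Host as a generic URL parser reports it (stand-in for the APR parser)."""
    return urlsplit(url).hostname


def validate_host_only(url, allowed=ALLOWED_HOSTS):
    """Model of the bypassable check: a URL with no host counts as local."""
    host = parsed_host(url)
    return host is None or host in allowed


def validate_reject_triple_slash(url, allowed=ALLOWED_HOSTS):
    """Model of the fixed check: refuse '///' before trusting the parser."""
    if url.startswith("///"):
        return False
    return validate_host_only(url, allowed)


# Constructed ReturnTo values (the '///' one is the form quoted in the NEWS entry).
SAMPLES = [
    "/mellon/landing.html",
    "https://rp.example.co.jp/app",
    "https://fishing-site.example.com/logout.html",
    "//fishing-site.example.com/logout.html",
    "///fishing-site.example.com/logout.html",
]


def report(samples=SAMPLES):
    """Return (url, parser host, host-only verdict, fixed verdict) per sample."""
    return [(u, parsed_host(u), validate_host_only(u),
             validate_reject_triple_slash(u)) for u in samples]


if __name__ == "__main__":
    for url, host, old, new in report():
        print(f"{url!r:50} host={host!r:28} host-only={old!s:5} fixed={new}")
```

The parser reports no host for the `///` form, so a host-only check treats it as a local path, while the browser, per the NEWS entry, goes to the named site.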
Diffstat (limited to 'www')
-rw-r--r-- | www/ap2-auth-mellon/Makefile | 12 |
-rw-r--r-- | www/ap2-auth-mellon/distinfo | 9 |
2 files changed, 13 insertions, 8 deletions
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile index 2bf88d2f617..fe709f63d1a 100644 --- a/www/ap2-auth-mellon/Makefile +++ b/www/ap2-auth-mellon/Makefile @@ -1,13 +1,14 @@ -# $NetBSD: Makefile,v 1.65 2021/09/29 19:01:25 adam Exp $ +# $NetBSD: Makefile,v 1.66 2021/11/09 01:50:45 manu Exp $ -DISTNAME= mod_auth_mellon-0.17.0 +DISTNAME= mod_auth_mellon-0.18.0 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g} PKGREVISION= 1 #PKGREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_GITHUB:=latchset/} GITHUB_PROJECT= mod_auth_mellon -GITHUB_RELEASE= v${PKGVERSION_NOREV} +GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} +WRKSRC= ${WRKDIR}/${DISTNAME} MAINTAINER= manu@NetBSD.org HOMEPAGE= https://github.com/latchset/mod_auth_mellon @@ -16,7 +17,7 @@ LICENSE= gnu-gpl-v2 # or later GNU_CONFIGURE= YES USE_LIBTOOL= YES -USE_TOOLS+= pkg-config +USE_TOOLS+= pkg-config autoconf automake APACHE_MODULE= YES .include "../../mk/apache.mk" @@ -29,6 +30,9 @@ SUBST_NOOP_OK.pthflags= yes INSTALLATION_DIRS+= lib/httpd +pre-configure: + cd ${WRKSRC} && ./autogen.sh + do-install: cd ${WRKSRC} && \ libexecdir=`${APXS} -q LIBEXECDIR` && \ diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo index 3f9e24caab2..7033f541ec2 100644 --- a/www/ap2-auth-mellon/distinfo +++ b/www/ap2-auth-mellon/distinfo 
@@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.23 2021/10/26 11:29:18 nia Exp $ +$NetBSD: distinfo,v 1.24 2021/11/09 01:50:45 manu Exp $ -BLAKE2s (mod_auth_mellon-0.17.0.tar.gz) = a616ec354f289e4ea985c9c59fbd341877a9dbf1eb778dbad44ea93a51956145 -SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e -Size (mod_auth_mellon-0.17.0.tar.gz) = 955298 bytes +SHA1 (mod_auth_mellon-0.18.0.tar.gz) = 7103c5f2e50bcbba81710c4f26087d8ac98f1e65 +RMD160 (mod_auth_mellon-0.18.0.tar.gz) = 9ef0edbbfd11d326ceb88d3525e9a3b282b45001 +SHA512 (mod_auth_mellon-0.18.0.tar.gz) = 477ac302fda9ed33b2ca51e88379250a41cc85111e71cacc8ba9f16cd8a2b63af6393fb038fc8f5c211b97926ef368c5989c92570c2e3c9eae072c7b4d32d7d5 +Size (mod_auth_mellon-0.18.0.tar.gz) = 918471 bytes |
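Review bot: In the first Makefile hunk, DISTNAME moves to mod_auth_mellon-0.18.0 while the PKGREVISION= 1 line, as the lines read here, stays as unchanged context, so the package would be built as 0.18.0nb1. PKGREVISION is normally dropped on a version update; suggest removing that line together with the commented-out #PKGREVISION= 1 next to it.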
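Review bot: The switch from GITHUB_RELEASE to GITHUB_TAG= refs/tags/v${PKGVERSION_NOREV} in the first Makefile hunk changes which upstream file is fetched, and the later hunks (autoconf automake in USE_TOOLS, the pre-configure target running ./autogen.sh) presumably follow from that, yet neither the commit message nor a Makefile comment says why the release tarball is no longer used. A one-line comment above GITHUB_TAG would save the next updater from undoing it, and it is worth confirming that the distinfo digests were generated from the tag archive this Makefile now downloads.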
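Review bot: The distinfo hunk removes the BLAKE2s line and adds SHA1 and RMD160 lines for the 0.18.0 tarball, which reverts the digest set that revision 1.23 had (BLAKE2s plus SHA512) to the older one. SHA512 is still recorded, so integrity checking is not lost, but the file should be regenerated so the new tarball carries BLAKE2s, SHA512 and Size like the lines being removed.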