From 6ee3620ec66961c29c0a6516132f34db2362e43c Mon Sep 17 00:00:00 2001
From: manu <manu@pkgsrc.org>
Date: Mon, 14 Mar 2016 09:58:57 +0000
Subject: Update mod_auth_mellon to 0.12.0

Fixes CVE-2016-2145 and CVE-2016-2146

Changes since 0.10.0 frome NEWS file and patches/patch-0274

patch-0274
---------------------------------------------------------------------------
* Return 500 Internal Server Error if probe discovery fails.

Version 0.12.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.

In addition this release contains the following new features and fixes:

* Add MellonRedirecDomains option to limit the sites that
  mod_auth_mellon can redirect to. This option is enabled by default.

* Add support for ECP service options in PAOS requests.

* Fix AssertionConsumerService lookup for PAOS requests.

Version 0.11.1
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data

Version 0.11.0
---------------------------------------------------------------------------

* Add SAML 2.0 ECP support.

* The MellonDecode option has been disabled. It was used to decode
  attributes in a Feide-specific encoding that is no longer used.

* Set max-age=0 in Cache-Control header, to ensure that all browsers
  verifies the data on each request.

* MellonMergeEnvVars On now accepts second optional parameter, the
  separator to be used instead of the default ';'.

* Add option MellonEnvVarsSetCount to specify if the number of values
  for any attribute should also be stored in environment variable
  suffixed _N.

* Add option MellonEnvVarsIndexStart to specify if environment variables
  for multi-valued attributes should start indexing with 0 (default) or
  with 1.

* Bugfixes:

  * Fix error about missing authentication with DirectoryIndex in
    Apache 2.4.
---
 www/ap2-auth-mellon/Makefile           |  8 ++---
 www/ap2-auth-mellon/distinfo           | 10 +++----
 www/ap2-auth-mellon/patches/patch-0274 | 53 ++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 9 deletions(-)
 create mode 100644 www/ap2-auth-mellon/patches/patch-0274

diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index 28f62f1c1b2..d1c84e02de1 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.32 2016/03/05 11:29:34 jperkin Exp $
+# $NetBSD: Makefile,v 1.33 2016/03/14 09:58:57 manu Exp $
 #
 
-DISTNAME=	mod_auth_mellon-0.10.0
+DISTNAME=	mod_auth_mellon-0.12.0	
 PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
 PKGREVISION=	1
-#PKGREVISION=	1
 CATEGORIES=	www security
 MASTER_SITES=	https://github.com/UNINETT/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 
@@ -16,7 +15,6 @@ LICENSE=	gnu-gpl-v2 # or later
 GNU_CONFIGURE=	YES
 USE_LIBTOOL=	YES
 USE_TOOLS+=	pkg-config
-CFLAGS+=	-DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0
 
 APACHE_MODULE=	YES
 PKG_APACHE_ACCEPTED=	apache22 apache24
@@ -36,6 +34,8 @@ do-install:
 	    ${APXS} -i -S LIBEXECDIR=${DESTDIR}"$${libexecdir}" 	\
 	      -n auth_mellon  mod_auth_mellon.la
 
+BUILDLINK_ABI_DEPENDS.lasso+=   lasso>=2.1.0
+
 .include "../../security/lasso/buildlink3.mk"
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../www/curl/buildlink3.mk"
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index 642dbbf9725..df84839f148 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.14 2015/11/04 02:46:47 agc Exp $
+$NetBSD: distinfo,v 1.15 2016/03/14 09:58:57 manu Exp $
 
-SHA1 (mod_auth_mellon-0.10.0.tar.gz) = 853bd8506c3e70c9f0b7f7c6625a0c896dcf92bc
-RMD160 (mod_auth_mellon-0.10.0.tar.gz) = 7f8e40a9a7a5a7c5df772523dbb2c65e34658364
-SHA512 (mod_auth_mellon-0.10.0.tar.gz) = 7a3958f1e151a3f1521b8cddf605c201bdd2fd23d44a12052192c13faa9bec46dc4b9c731ed94e6f85fd1e2b0c5b3798136867db2404df478a83485fe7bd24ed
-Size (mod_auth_mellon-0.10.0.tar.gz) = 115727 bytes
+SHA1 (mod_auth_mellon-0.12.0.tar.gz) = 3d5cd4137154a7c848d8f3121e6497b88dc5f23e
+RMD160 (mod_auth_mellon-0.12.0.tar.gz) = 7ef278de6f4d0f0669d99c113706dc63d64f6fbc
+Size (mod_auth_mellon-0.12.0.tar.gz) = 136754 bytes
+SHA1 (patch-0274) = e523b560f8220352090db686a32a5f81f6579fda
diff --git a/www/ap2-auth-mellon/patches/patch-0274 b/www/ap2-auth-mellon/patches/patch-0274
new file mode 100644
index 00000000000..69832367fcb
--- /dev/null
+++ b/www/ap2-auth-mellon/patches/patch-0274
@@ -0,0 +1,53 @@
+From fe0eb56e29f89513b2dcf3c222fa3a2e8a09383f Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.morken@uninett.no>
+Date: Mon, 14 Mar 2016 09:47:48 +0100
+Subject: [PATCH 274/274] Return 500 Internal Server Error if probe discovery
+ fails.
+
+If we don't, we can end up sending an authentication request to an IdP
+that is not in the MellonProbeDiscoveryIdP list, which is probably not
+what the user wants.
+
+Patch by Emmanuel Dreyfus.
+---
+ README                |  3 +++
+ auth_mellon_handler.c | 10 +++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/README b/README
+index 638329c..4e4f229 100644
+--- README
++++ README
+@@ -471,6 +471,9 @@ MellonPostCount 100
+ 
+         # MellonProbeDiscoveryIdP can be used to restrict the 
+         # list of IdP queried by the IdP probe discovery service.
++        # If probe discovery fails and this is provided, an
++        # HTTP error 500 is returned, instead of proceeding
++        # with first available IdP.
+         #
+         # Default unset, which means that all configured IdP are 
+         # queried.
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 7f4b73a..a72e1ca 100644
+--- auth_mellon_handler.c
++++ auth_mellon_handler.c
+@@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
+     }
+ 
+     /* 
+-     * On failure, try default
++     * On failure, fail if a MellonProbeDiscoveryIdP
++     * list was provided, otherwise try first IdP.
+      */
+     if (disco_idp == NULL) {
++        if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                          "probeDiscovery failed and non empty "
++                          "MellonProbeDiscoveryIdP was provided.");
++            return HTTP_INTERNAL_SERVER_ERROR;
++        }
++
+         disco_idp = am_first_idp(r);
+         if (disco_idp == NULL) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
-- 
cgit v1.2.3