80 lines
3.5 KiB
Plaintext
80 lines
3.5 KiB
Plaintext
-------------------------------------------------------------------
|
|
Mon Mar 25 14:01:29 UTC 2024 - pgajdos@suse.com
|
|
|
|
- version update to 0.19.0
|
|
Enhancements:
|
|
* Support for HTTP-POST binding on Singe Logout endpoint.
|
|
* Update documentation.
|
|
Cleanup:
|
|
* Raise minimum Lasso version to 2.4, cleaning up legacy code for
|
|
compatibility with older versions, including the obsolete
|
|
`MellonIdPPublicKeyFile` setting which was not working with recent
|
|
Lasso versions.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 31 21:02:37 UTC 2023 - Matthias Eliasson <elimat@opensuse.org>
|
|
|
|
- Update to 0.18.1
|
|
* Logout endpoint should handle idP POST response
|
|
* mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
|
|
* Add some clarification to the documentation
|
|
* Add encryption certificate to generated metadata
|
|
- Changes in 0.18.0
|
|
* CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and
|
|
older of mod_auth_mellon allows the redirect URL validation to be
|
|
bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html.
|
|
In this case, the browser would interpret the URL differently
|
|
than the APR parsing utility mellon uses and redirect to
|
|
fishing-site.example.com. This could be reproduced with:
|
|
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
|
This version fixes that issue by rejecting all URLs that start with "///".
|
|
* A new option MellonSessionIdleTimeout that represents the amount of
|
|
time a user can be inactive before the user's session times out in seconds.
|
|
* Several build-time fixes
|
|
* The CookieTest SameSite attribute was only set to None if mellon configure option
|
|
MellonCookieSameSite was set to something other than default. This is now fixed.
|
|
- add libtool and xmlsec1-openssl-devel as new dependencies
|
|
- set Buildarch to noarch for docs sub-package
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 5 17:38:16 UTC 2022 - Archie Cobbs <archie.cobbs@gmail.com>
|
|
|
|
- Wrap default config in <IfModule> to avoid reload error
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 10 14:19:03 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
|
|
|
|
- Update to 0.17.0
|
|
* New option MellonSendExpectHeader (default On) which allows to
|
|
disable sending the Expect header in the HTTP-Artifact binding to
|
|
improve performance when the remote party does not support this
|
|
header.
|
|
* Set SameSite attribute to None on on the cookietest cookie.
|
|
* Bump default generated keysize to 3072 bits in
|
|
mellon_create_metadata
|
|
* Validate if the assertion ID has not been used earlier before
|
|
creating a new session.
|
|
* Release session cache after calling invalidate endpoint.
|
|
* In MellonCond directives, fix a bug that setting the NC option
|
|
would also activate substring match and that REG would activate
|
|
REF.
|
|
* Fix MellonCond substring match to actually match the substring on
|
|
the attribute value
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 4 11:00:04 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
|
|
|
|
- update mod_auth_mellon-0.16.0-env-script-interpreter.patch
|
|
use /bin/bash instead of /usr/bin/bash
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 11 15:44:36 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
|
|
|
|
- replace version_path with the fixed value
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 28 12:06:51 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
|
|
|
|
- initial packaging
|
|
|