Skip to content

Releases: latchset/mod_auth_mellon

v0.19.1

16 Jul 14:08
@thijskh thijskh
v0.19.1
d01a6b4
Compare
Choose a tag to compare
v0.19.1 Latest
Latest

What's Changed

  • Remove legacy code that is unused because of minimum requirements.
  • Cleanup HTML in rendered forms.
  • Documentation cleanups and improvements.
Assets 3
Loading

v0.19.0

13 Jan 14:34
@thijskh thijskh
v0.19.0
62757fd
Compare
Choose a tag to compare
v0.19.0

What's Changed

  • Remove compatibility with lasso before 2.4 by @thijskh in #129
  • Fix compatibility with mod_rpaf/mod_remoteip + follow Apache Module Dev Guide by @zi0r in #122
  • IDP Initiated POST SLO Implementation by @gurtzoo in #131

Full Changelog: v0.18.1...v0.19.0

Contributors

zi0r, thijskh, and gurtzoo
Assets 3
Loading

v0.18.1

03 Jan 12:04
@thijskh thijskh
v0.18.1
This tag was signed with the committer’s verified signature.
thijskh Thijs Kinkhorst
GPG key ID: 56F61A79401DAC04
Learn about vigilant mode.
a85083e
Compare
Choose a tag to compare
v0.18.1

What's Changed

  • Logout endpoint should handle idP POST response by @batrla in #84
  • mellon_create_metadata.sh: Fix compatibility with OpenSSL 3 by @kvisle in #106
  • Add some clarification to the documentation by @jorgarga in #109
  • Add encryption certificate to generated metadata by @zi0r in #112

New Contributors

Full Changelog: v0.18.0...v0.18.1

Contributors

kvisle, jorgarga, and 2 other contributors
Assets 3
Loading

v0.18.0

30 Jul 19:44
@jhrozek jhrozek
v0.18.0
d5cfa39
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.18.0

Security fixes

  • CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html. In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with:
    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
    This version fixes that issue by rejecting all URLs that start with "///".

Enhancements

  • A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds.

Bug fixes

  • Several build-time fixes

  • The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default.
    This is now fixed.

Assets 3
Loading

mod_auth_mellon 0.17.0

08 Sep 10:55
@thijskh thijskh
v0.17.0
d79336b
Compare
Choose a tag to compare
mod_auth_mellon 0.17.0

Enhancements:

  • New option MellonSendExpectHeader (default On) which allows to disable
    sending the Expect header in the HTTP-Artifact binding to improve
    performance when the remote party does not support this header.

  • Set SameSite attribute to None on on the cookietest cookie.

  • Bump default generated keysize to 3072 bits in mellon_create_metadata.

Bug fixes:

  • Validate if the assertion ID has not been used earlier before creating
    a new session.

  • Release session cache after calling invalidate endpoint.

  • In MellonCond directives, fix a bug that setting the NC option would
    also activate substring match and that REG would activate REF.

  • Fix MellonCond substring match to actually match the substring on
    the attribute value.

Assets 3
Loading

mod_auth_mellon v0.16.0

28 Jan 15:02
@jhrozek jhrozek
v0_16_0
dd7c207
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
mod_auth_mellon v0.16.0

Enhancements

  • The MellonCookieSameSite option accepts a new valid "None". This is intended
    to be used together with "MellonSecureCookie On". With some newer browsers,
    only cookies with "SameSite=None; Secure" would be available for cross-site
    access.

  • A new option MellonEnabledInvalidateSessionEndpoint was added. When this
    option is enabled, then a user can invalidate their session locally by
    calling the "/invalidate" endpoint.

Assets 3
Loading

mod_auth_mellon v0.15.0

19 Nov 09:30
@jhrozek jhrozek
v0.15.0
b54c0e3
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
mod_auth_mellon v0.15.0

Security fixes

  • CVE-2019-13038 Redirect URL validation bypass - Version 0.14.1 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as http:www.hostname.com. In this case, the APR parsing utility would parse the scheme as http, host as NULL and path as www.hostname.com. Browsers, however, interpret the URL differently and redirect to www.hostname.com. This could be reproduced with:

    • https://application.com/mellon/login?ReturnTo=http:www.hostname.com

    This version fixes that issue by rejecting all URLs with scheme, but no host name.

Enhancements

  • A XSLT script that allows converting attribute maps from Shibboleth to a set of MellonSetEnvNoPrefix entries was added. The script can be found at doc/mellon-attribute-map.xsl
  • A new configuration option MellonEnvPrefix was added. This option allows you to configure the variable prefix, which normally defaults to MELLON_
  • A new configuration option MellonAuthnContextComparisonType was added. This option allows you to set the Comparison attribute within the AuthnRequest

Notable bug fixes:

  • Compilation issues on Solaris were fixed
Assets 3
Loading