Releases: latchset/mod_auth_mellon
v0.19.1
v0.19.0
Contributors
Assets 3
v0.18.1
What's Changed
- Logout endpoint should handle idP POST response by @batrla in #84
- mellon_create_metadata.sh: Fix compatibility with OpenSSL 3 by @kvisle in #106
- Add some clarification to the documentation by @jorgarga in #109
- Add encryption certificate to generated metadata by @zi0r in #112
New Contributors
- @batrla made their first contribution in #84
- @kvisle made their first contribution in #106
- @jorgarga made their first contribution in #109
- @zi0r made their first contribution in #112
Full Changelog: v0.18.0...v0.18.1
Contributors
Assets 3
v0.18.0
Security fixes
- CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as
///fishing-site.example.com/logout.html. In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect tofishing-site.example.com. This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
This version fixes that issue by rejecting all URLs that start with "///".
Enhancements
- A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user's session times out in seconds.
Bug fixes
-
Several build-time fixes
-
The
CookieTestSameSiteattribute was only set to None if mellon configure optionMellonCookieSameSitewas set to something other than default.
This is now fixed.
mod_auth_mellon 0.17.0
Enhancements:
-
New option MellonSendExpectHeader (default On) which allows to disable
sending the Expect header in the HTTP-Artifact binding to improve
performance when the remote party does not support this header. -
Set SameSite attribute to None on on the cookietest cookie.
-
Bump default generated keysize to 3072 bits in mellon_create_metadata.
Bug fixes:
-
Validate if the assertion ID has not been used earlier before creating
a new session. -
Release session cache after calling invalidate endpoint.
-
In MellonCond directives, fix a bug that setting the NC option would
also activate substring match and that REG would activate REF. -
Fix MellonCond substring match to actually match the substring on
the attribute value.
mod_auth_mellon v0.16.0
Enhancements
-
The MellonCookieSameSite option accepts a new valid "None". This is intended
to be used together with "MellonSecureCookie On". With some newer browsers,
only cookies with "SameSite=None; Secure" would be available for cross-site
access. -
A new option MellonEnabledInvalidateSessionEndpoint was added. When this
option is enabled, then a user can invalidate their session locally by
calling the "/invalidate" endpoint.
mod_auth_mellon v0.15.0
Security fixes
-
CVE-2019-13038 Redirect URL validation bypass - Version 0.14.1 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as
http:www.hostname.com. In this case, the APR parsing utility would parse the scheme as http, host as NULL and path aswww.hostname.com. Browsers, however, interpret the URL differently and redirect towww.hostname.com. This could be reproduced with:https://application.com/mellon/login?ReturnTo=http:www.hostname.com
This version fixes that issue by rejecting all URLs with scheme, but no host name.
Enhancements
- A XSLT script that allows converting attribute maps from Shibboleth to a set of
MellonSetEnvNoPrefixentries was added. The script can be found atdoc/mellon-attribute-map.xsl - A new configuration option
MellonEnvPrefixwas added. This option allows you to configure the variable prefix, which normally defaults toMELLON_ - A new configuration option
MellonAuthnContextComparisonTypewas added. This option allows you to set theComparisonattribute within theAuthnRequest
Notable bug fixes:
- Compilation issues on Solaris were fixed