entrouvert
/
modmellon
17
0
Fork 0
Code Issues Pull Requests Releases Activity
modmellon/NEWS

581 lines
18 KiB
Plaintext
Raw Permalink Blame History

Version 0.14.2
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-3878] Authentication bypass when Apache is used as a
reverse proxy
If Apache is configured as a reverse proxy with mod_auth_mellon for
authentication, the authentication can be bypassed by adding SAML
2.0 ECP headers to the request.
This vulnerability affects mod_auth_mellon 0.11.0 and newer.
This vulnerability is due to both mod_auth_mellon and mod_proxy
registering as handlers for the requests, with the same
priority. When mod_auth_mellon handles the request first, it will
trigger a ECP authentication request. If mod_proxy handles it first,
it will forward it to the backend server.
Which module handles it first depends on the order modules are
loaded by Apache.
This vulnerability is fixes by specifically registering that the
mod_auth_mellon handler should run before mod_proxy.
Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this
vulnerability.
* [CVE-2019-3877] Redirect URL validation bypass
Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL with backslashes
instead of forward slashes. Browsers silently convert backslashes to
forward slashes, which allows an attacker to bypass the redirect URL
validation by using `%5c` in the ReturnTo-parameter. E.g.:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
This version fixes that issue by rejecting all URLs with
backslashes.
Thanks to Eric Chamberland for discovering this vulnerability.
Version 0.14.1
---------------------------------------------------------------------------
Bug fixes:
* Fix environment variables in MellonCond
* Fix detection of AJAX requests
* Fix trailing semi-colon in Set-Cookie header
Version 0.14.0
---------------------------------------------------------------------------
Backwards incompatible changes:
This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
New features:
* Many improvements in what is logged during various errors.
* Diagnostics logging, which creates a detailed log during request
processing.
* Add support for selecting which signature algorithm is used when
signing messages, and switch to rsa-sha256 by default.
Bug fixes:
* Fix segmentation fault in POST replay functionality on empty value.
* Fix incorrect error check for many `lasso_*`-functions.
* Fix case sensitive match on MellonUser attribute name.
Version 0.13.1
---------------------------------------------------------------------------
Security fix:
Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session specified
in the user's session cookie was created for the web site the user
actually accesses.
If two different web sites are hosted on the same web server, and both
web sites use mod_auth_mellon for authentication, this vulnerability
makes it possible for an attacker with access to one of the web sites
to copy their session cookie to the other web site, and then use the
same session to get access to the other web site.
Thanks to François Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vunlerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match the
cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the `MellonCookie`-option to the same
value on all domains.
Bug fixes:
* Fix segmentation fault if a (trusted) identity provider returns a
SAML 2.0 attribute without a Name.
* Fix segmentation fault if MellonPostReplay is enabled but
MellonPostDirectory is not set.
Version 0.13.0
---------------------------------------------------------------------------
Security fix:
Fix a denial of service attack in the logout handler, which allows a
remote attacker to crash the Apache worker process with a segmentation
fault. This is caused by a null-pointer dereference when processing a
malformed logout message.
New features:
* Allow MellonSecureCookie to be configured to enable just one of the
"httponly" of "secure" flags, instead of always enabling both flags.
* Support per-module log level with Apache 2.4.
* Allow disabling the Cache-Control HTTP response header.
* Add support for SameSite cookie parameter.
Bug fixes:
* Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
respond to the probe request.
* Fix mod_auth_mellon interfering with other Apache authentication
modules even when it is disabled for a path.
* Fix wrong HTTP status code being returned in some cases during user
permission checks.
* Fix default POST size limit to actually be 1 MB.
* Fix error if authentication response is missing the optional
Conditions-element.
* Fix AJAX requests being redirected to the IdP.
* Fix wrong content type for ECP authentication request responses.
In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
Version 0.12.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
* Add MellonRedirectDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
* Add support for ECP service options in PAOS requests.
* Fix AssertionConsumerService lookup for PAOS requests.
Version 0.11.1
---------------------------------------------------------------------------
Security fixes:
* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
Version 0.11.0
---------------------------------------------------------------------------
* Add SAML 2.0 ECP support.
* The MellonDecode option has been disabled. It was used to decode
attributes in a Feide-specific encoding that is no longer used.
* Set max-age=0 in Cache-Control header, to ensure that all browsers
verifies the data on each request.
* MellonMergeEnvVars On now accepts second optional parameter, the
separator to be used instead of the default ';'.
* Add option MellonEnvVarsSetCount to specify if the number of values
for any attribute should also be stored in environment variable
suffixed _N.
* Add option MellonEnvVarsIndexStart to specify if environment variables
for multi-valued attributes should start indexing with 0 (default) or
with 1.
* Bugfixes:
* Fix error about missing authentication with DirectoryIndex in
Apache 2.4.
Version 0.10.0
---------------------------------------------------------------------------
* Make sure that we fail in the unlikely case where OpenSSL is not able
to provide us with a secure session id.
* Increase the number of key-value pairs in the session to 2048.
* Add MellonMergeEnvVars-option to store multi-valued attributes in
a single environment variable, separated with ';'.
* Bugfixes:
* Fix the [MAP] option for MellonCond.
* Fix cookie deletion for the session cookie. (Logout is not dependent
on the cookie being deleted, so this only fixes the cookie showing
up after the session is deleted.)
Version 0.9.1
---------------------------------------------------------------------------
* Bugfixes:
* Fix session offset calculation that prevented us from having
active sessions at once.
* Run mod_auth_mellon request handler before most other handlers,
so that other handlers cannot block it by accident.
Version 0.9.0
---------------------------------------------------------------------------
* Set the AssertionConsumerServiceURL attribute in authentication
requests.
* Bugfixes:
* Fix use of uninitialized data during logout.
* Fix session entry overflow leading to segmentation faults.
* Fix looking up sessions by NameID, which is used during logout.
Version 0.8.1
---------------------------------------------------------------------------
This is a security release with fixes backported from version 0.9.1.
It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)
In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)
Version 0.8.0
---------------------------------------------------------------------------
* Add support for receiving HTTP-Artifact identifiers as POST data.
* Simplify caching headers.
* Map login errors into more appropriate HTTP error codes than
400 Bad Request.
* Add MellonNoSuccessErrorPage option to redirect to a error page on login
failure.
* Turn session storage into a dynamic pool of memory, which means that
attribute values (and other items) can have arbitrary sizes as long as
they fit in the session as a whole.
* Various bugfixes:
* Fix for compatibility with recent versions of CURL.
* Fix broken option MellonDoNotVerifyLogoutSignature.
* Fix deadlock that could occur during logout processing.
* Fix some compile warnings.
* Fix some NULL derefernce bugs that may lead to segmentation faults.
* Fix a minor memory leak during IdP metadata loading.
Version 0.7.0
---------------------------------------------------------------------------
* Add MellonSPentityId to control entityId in autogenerated metadata
* Fix compatibility with Apache 2.4.
* Handle empty RelayState the same as missing RelayState.
* Add MellonSetEvnNoPrefix directive to set environment variables
without "MELLON_"-prefix.
Version 0.6.1
---------------------------------------------------------------------------
* Fix the POST replay functionality when multiple users logging in
at once.
* Add a fallback for the case where the POST replay data has expired
before the user logs in.
Version 0.6.0
---------------------------------------------------------------------------
Backwards-incompatible changes:
* The POST replay functionality has been disabled by default, and the
automatic creation of the MellonPostDirectory target directory has been
removed. If you want to use the POST replay functionality, take a
look at the README file for instructions for how to enable this.
* Start discovery service when accessing the login endpoint. We used
to bypass the discovery service in this case, and just pick the first
IdP. This has been changed to send a request to the discovery service
instead, if one is configured.
* The MellonLockFile default path has been changed to:
/var/run/mod_auth_mellon.lock
This only affects platforms where a lock file is required and
where Apache doesn't have write access to that directory during
startup. (Apache can normally create files in that directory
during startup.)
Other changes:
* Fix support for SOAP logout.
* Local logout when IdP does not support SAML 2.0 Single Logout.
* MellonDoNotVerifyLogoutSignature option to disable logout signature
validation.
* Support for relative file paths in configuration.
* The debian build-directory has been removed from the repository.
* Various cleanups and bugfixes:
* Fix cookie parsing header parsing for some HTTP libraries.
* Fix inheritance of MellonAuthnContextClassRef option.
* Use ap_set_content_type() instead of accessing request->content_type.
* README indentation cleanups.
* Support for even older versions of GLib.
* Fixes for error handling during session initialization.
* Directly link with GLib rather than relying on the Lasso library
linking to it for us.
* Some code cleanups.
Version 0.5.0
---------------------------------------------------------------------------
* Honour MellonProbeDiscoveryIdP order when sending probes.
* MellonAuthnContextClassRef configuration directive, to limit
authentication to specific authentication methods.
* Support for the HTTP-POST binding when sending authentication
requests to the IdP.
* MellonSubjectConfirmationDataAddressCheck option to disable received
address checking.
* Various cleanups and bugfixes:
* Support for older versions of GLib and APR.
* Send the correct SP entityID to the discovery service.
* Do not set response headers twice.
* Several cleanups in the code that starts authentication.
Version 0.4.0
---------------------------------------------------------------------------
* Allow MellonUser variable to be translated through MellonSetEnv
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
IdP dicovery URL scheme
* New MellonCond directive to enable attribute filtering beyond
MellonRequire functionalities.
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
using a glob(3) pattern.
* Support for running behind reverse proxy.
* MellonCookieDomain and MellonCookiePath options to configure cookie
settings.
* Support for loading federation metadata files.
* Several bugfixes.
Version 0.3.0
---------------------------------------------------------------------------
* New login-endpoint, which allows easier manual initiation of login
requests, and specifying parameters such as IsPassive.
* Validation of Conditions and SubjectConfirmation data in the assertion
we receive from the IdP.
* Various bugfixes.
Version 0.2.7
---------------------------------------------------------------------------
* Optionaly save the remote IdP entityId in the environment
* Shibboleth 2 interoperability
Version 0.2.6
---------------------------------------------------------------------------
* Fix XSS/DOS vulnerability in repost handler.
Version 0.2.5
---------------------------------------------------------------------------
* Replay POST requests after been sent to the IdP
* Fix HTTP response splitting vulnerability.
Version 0.2.4
---------------------------------------------------------------------------
* Fix for downloads of files with Internet Explorer with SSL enabled.
* Mark session as disabled as soon as logout starts, in case the IdP
doesn't respond.
Version 0.2.3
---------------------------------------------------------------------------
* Bugfix for session lifetime. Take the session lifetime from the
SessionNotOnOrAfter attribute if it is present.
Version 0.2.2
---------------------------------------------------------------------------
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
element data to be supplied from Apache configuration
Version 0.2.1
---------------------------------------------------------------------------
* Make SAML authentication assertion and Lasso session available in the
environment.
Version 0.2.0
---------------------------------------------------------------------------
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
* Multiple IdP support, with discovery service.
* Built in discovery service which tests the availability of each IdP,
and uses the first available IdP.
* Fix a mutex leak.
Version 0.1.1
---------------------------------------------------------------------------
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
session cookies.
* Better handling of logout request when the user is already logged out.
Version 0.1.0
---------------------------------------------------------------------------
* Better support for BSD.
* Support for setting a IdP CA certificate and SP certificate.
* Support for loading the private key during web server initialization.
With this, the private key only needs to be readable by root. This
requires a recent version of Lasso to work.
* Better DOS resistance, by only allocating a session when the user has
authenticated with the IdP.
* Support for IdP initiated login. The MellonDefaultLoginPath option can
be to configure which page the user should land on after authentication.
Version 0.0.7
---------------------------------------------------------------------------
* Renamed the logout endpoint from "logoutRequest" to "logout".
"logoutRequest" is now an alias for "logout", and may be removed in the
future.
* Added SP initiated logout. To initiate a logout from the web site, link
the user to the logout endpoint, with a ReturnTo parameter with the url
the user should be redirected to after being logged out. Example url:
"https://www.example.com/secret/endpoint/logout
?ReturnTo=http://www.example.com/". (Note that this should be on a
single line.)
* Fixed a memory leak on login.
* Increased maximum Lasso session size to 8192 from 3074. This allows us to
handle users with more attributes.
* Fixed handling of multiple AttributeValue elements in response.
View Git Blame Copy Permalink