You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
276 lines
10 KiB
276 lines
10 KiB
3 years ago
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||
|
Name: mod_auth_mellon
|
||
|
Version: 0.14.0
|
||
|
Release: 12%{?dist}.1
|
||
|
Group: System Environment/Daemons
|
||
|
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||
|
Source1: auth_mellon.conf
|
||
|
Source2: 10-auth_mellon.conf
|
||
|
Source3: mod_auth_mellon.conf
|
||
|
Source4: mellon_create_metadata.sh
|
||
|
Source5: README.redhat.rst
|
||
|
Source6: mellon_user_guide.html
|
||
|
License: GPLv2+
|
||
|
BuildRequires: gcc
|
||
|
BuildRequires: curl-devel
|
||
|
BuildRequires: glib2-devel
|
||
|
BuildRequires: httpd-devel
|
||
|
BuildRequires: lasso-devel >= 2.5.1
|
||
|
BuildRequires: openssl-devel
|
||
|
BuildRequires: xmlsec1-devel
|
||
|
Requires: httpd-mmn = %{_httpd_mmn}
|
||
|
Requires: lasso >= 2.5.1
|
||
|
Url: https://github.com/UNINETT/mod_auth_mellon
|
||
|
|
||
|
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
||
|
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
||
|
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
||
|
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
||
|
Patch0005: 0005-CVE_2019_13038.patch
|
||
|
Patch0006: 0006-Add-none-option-for-samesite.patch
|
||
|
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
||
|
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
||
|
Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
|
||
|
|
||
|
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||
|
# I could not get asciidoc to render properly so instead I generated
|
||
|
# mellon_user_guide.html on Fedora using asciidoctor and included
|
||
|
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
|
||
|
# the mellon_user_guide.html will need to be regenerated.
|
||
|
|
||
|
%description
|
||
|
The mod_auth_mellon module is an authentication service that implements the
|
||
|
SAML 2.0 federation protocol. It grants access based on the attributes
|
||
|
received in assertions generated by a IdP server.
|
||
|
|
||
|
%prep
|
||
|
%setup -q -n %{name}-%{version}
|
||
|
%patch1 -p1
|
||
|
%patch2 -p1
|
||
|
%patch3 -p1
|
||
|
%patch4 -p1
|
||
|
%patch5 -p1
|
||
|
%patch6 -p1
|
||
|
%patch7 -p1
|
||
|
%patch8 -p1
|
||
|
%patch9 -p1
|
||
|
|
||
|
%build
|
||
|
export APXS=%{_httpd_apxs}
|
||
|
%configure --enable-diagnostics
|
||
|
make clean
|
||
|
make %{?_smp_mflags}
|
||
|
cp .libs/%{name}.so %{name}-diagnostics.so
|
||
|
|
||
|
%configure
|
||
|
make clean
|
||
|
make %{?_smp_mflags}
|
||
|
|
||
|
%install
|
||
|
# install module
|
||
|
mkdir -p %{buildroot}%{_httpd_moddir}
|
||
|
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
|
||
|
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
|
||
|
|
||
|
# install module configuration
|
||
|
mkdir -p %{buildroot}%{_httpd_confdir}
|
||
|
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
|
||
|
mkdir -p %{buildroot}%{_httpd_modconfdir}
|
||
|
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
|
||
|
|
||
|
mkdir -p %{buildroot}%{_tmpfilesdir}
|
||
|
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
|
||
|
mkdir -p %{buildroot}/run/%{name}
|
||
|
|
||
|
# install script to generate metadata
|
||
|
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
|
||
|
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
|
||
|
|
||
|
#install documentation
|
||
|
mkdir -p %{buildroot}/%{_pkgdocdir}
|
||
|
|
||
|
# install Red Hat README
|
||
|
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
|
||
|
|
||
|
# install user guide
|
||
|
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
|
||
|
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
|
||
|
|
||
|
%package diagnostics
|
||
|
Summary: Build of mod_auth_mellon with diagnostic logging
|
||
|
Requires: %{name} = %{version}-%{release}
|
||
|
|
||
|
%description diagnostics
|
||
|
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
|
||
|
in the doc directory for instructions on using the diagnostics build.
|
||
|
|
||
|
%files diagnostics
|
||
|
%{_httpd_moddir}/%{name}-diagnostics.so
|
||
|
|
||
|
%files
|
||
|
%if 0%{?rhel} && 0%{?rhel} < 7
|
||
|
%doc COPYING
|
||
|
%else
|
||
|
%license COPYING
|
||
|
%endif
|
||
|
%doc README.md NEWS ECP.rst
|
||
|
%doc %{_pkgdocdir}/README.redhat.rst
|
||
|
%doc %{_pkgdocdir}/user_guide
|
||
|
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
|
||
|
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
|
||
|
%{_httpd_moddir}/mod_auth_mellon.so
|
||
|
%{_tmpfilesdir}/mod_auth_mellon.conf
|
||
|
%{_libexecdir}/%{name}
|
||
|
%attr(0755,apache,apache) %dir /run/%{name}/
|
||
|
|
||
|
%changelog
|
||
|
* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1
|
||
|
- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect
|
||
|
vulnerability in logout URLs [rhel-8]
|
||
|
|
||
|
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
||
|
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
||
|
support latest browsers
|
||
|
|
||
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
||
|
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
||
|
via the login?ReturnTo= substring which could
|
||
|
facilitate information theft [rhel-8]
|
||
|
|
||
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
|
||
|
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
|
||
|
X-Requested-With
|
||
|
|
||
|
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
|
||
|
- Just bump the release number
|
||
|
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
|
||
|
listings
|
||
|
|
||
|
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
|
||
|
- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
|
||
|
|
||
|
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
|
||
|
- Apply the patch from the previous commit
|
||
|
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
|
||
|
redirect in logout url when using URLs with
|
||
|
backslashes [rhel-8]
|
||
|
|
||
|
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
|
||
|
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
|
||
|
redirect in logout url when using URLs with
|
||
|
backslashes [rhel-8]
|
||
|
|
||
|
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
|
||
|
- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
|
||
|
bypass in ECP flow [rhel-8.1.0]
|
||
|
|
||
|
* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
|
||
|
- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
|
||
|
verification warnings
|
||
|
|
||
|
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
|
||
|
- Rebuild with fixed binutils
|
||
|
|
||
|
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
|
||
|
- Resolves: rhbz#1553885
|
||
|
- fix file permissions on doc files
|
||
|
|
||
|
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
|
||
|
- Resolves: rhbz#1553885
|
||
|
- Rebase to current upstream release
|
||
|
|
||
|
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
|
||
|
- Resolves: rhbz#1481330 Add diagnostic logging
|
||
|
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
|
||
|
signature method used to sign SAML messages sent by Mellon.
|
||
|
Defaults to original sha1.
|
||
|
|
||
|
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
|
||
|
- upgrade to new upstream release
|
||
|
|
||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||
|
|
||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||
|
|
||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||
|
|
||
|
* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
|
||
|
- Resolves: bug #1414019 Incorrect PAOS Content-Type header
|
||
|
|
||
|
* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
|
||
|
- bump release for rebuild
|
||
|
|
||
|
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
|
||
|
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
|
||
|
- am_check_uid() should be no-op if mellon not enabled
|
||
|
|
||
|
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
|
||
|
- Update to new upstream 0.12.0
|
||
|
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
|
||
|
incorrect error handling when reading POST data from client.
|
||
|
|
||
|
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
|
||
|
resource exhaustion) due to missing size checks when reading
|
||
|
POST data.
|
||
|
|
||
|
In addition this release contains the following new features and fixes:
|
||
|
|
||
|
- Add MellonRedirectDomains option to limit the sites that
|
||
|
mod_auth_mellon can redirect to. This option is enabled by default.
|
||
|
|
||
|
- Add support for ECP service options in PAOS requests.
|
||
|
|
||
|
- Fix AssertionConsumerService lookup for PAOS requests.
|
||
|
|
||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||
|
|
||
|
* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
|
||
|
- Fix the following warning that appears in the Apache log
|
||
|
lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
|
||
|
|
||
|
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
|
||
|
- Add lasso 2.5.0 version dependency
|
||
|
|
||
|
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
|
||
|
- Upgrade to upstream 0.11.0 release.
|
||
|
- Includes ECP support, see NEWS for all changes.
|
||
|
- Update mellon_create_metadata.sh to match internally generated metadata,
|
||
|
includes AssertionConsumerService for postResponse, artifactResponse &
|
||
|
paosResponse.
|
||
|
|
||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||
|
|
||
|
* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
|
||
|
- New upstream release
|
||
|
|
||
|
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
|
||
|
- New upstream release
|
||
|
|
||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||
|
|
||
|
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
|
||
|
- New upstream realease version 0.8.0
|
||
|
- Upstream moved to github
|
||
|
- Drops patches as they have been all included upstream
|
||
|
|
||
|
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
|
||
|
- Backport of useful patches from upstream
|
||
|
- Better handling of IDP reported errors
|
||
|
- Better handling of session data storage size
|
||
|
|
||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
|
||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||
|
|
||
|
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
|
||
|
- Fix ownership of /run files
|
||
|
|
||
|
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
|
||
|
- Initial Fedora release based on version 0.7.0
|
||
|
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>
|