From b0d99ea55a5a03a77c24d1aa0c06c821bfe7dfff Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 11 2019 09:29:20 +0000
Subject: import httpd24-mod_auth_mellon-0.14.0-3.el7
---
diff --git a/.gitignore b/.gitignore
index d419d98..7a5701d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-SOURCES/mod_auth_mellon-0.13.1.tar.gz
-SOURCES/user_guide.tar.gz
+SOURCES/mod_auth_mellon-0.14.0.tar.gz
diff --git a/.httpd24-mod_auth_mellon.metadata b/.httpd24-mod_auth_mellon.metadata
index 56de7c2..d39bbfd 100644
--- a/.httpd24-mod_auth_mellon.metadata
+++ b/.httpd24-mod_auth_mellon.metadata
@@ -1,2 +1 @@
-a0e8edcb4ecbbc2b37b98ce394ed17bee1b622a3 SOURCES/mod_auth_mellon-0.13.1.tar.gz
-f1ecf8e6e809edcb5b595be206b745fe1dcfc5be SOURCES/user_guide.tar.gz
+4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz
diff --git a/SOURCES/README.redhat.rst b/SOURCES/README.redhat.rst
new file mode 100644
index 0000000..a834aae
--- /dev/null
+++ b/SOURCES/README.redhat.rst
@@ -0,0 +1,83 @@ +Red Hat Specific mod_auth_mellon Information +============================================ + +This README contains information specific to Red Hat's distribution of +``mod_auth_mellon``. + +Diagnostic Logging +------------------ + +Diagnostic logging can be used to collect run time information to help +diagnose problems with your ``mod_auth_mellon`` deployment. Please see +the "Mellon Diagnostics" section in the Mellon User Guide for more +details. + +How to enable diagnostic logging on Red Hat systems +``````````````````````````````````````````````````` + +Diagnostic logging adds overhead to the execution of +``mod_auth_mellon``. The code to emit diagnostic logging must be +compiled into ``mod_auth_mellon`` at build time. In addition the +diagnostic log file may contain security sensitive information which +should not normally be written to a log file. If you have a +version of ``mod_auth_mellon`` which was built with diagnostics you +can disable diagnostic logging via the ``MellonDiagnosticsEnable`` +configuration directive. However given human nature the potential to +enable diagnostic logging while resolving a problem and then forget to +disable it is not a situation that should exist by default. Therefore +given the overhead consideration and the desire to avoid enabling +diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's +ship with two versions of the ``mod_auth_mellon`` Apache module. + +1. The ``mod_auth_mellon`` RPM contains the normal Apache module + ``/usr/lib*/httpd/modules/mod_auth_mellon.so`` + +2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic + version of the Apache module + ``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so`` + +Because each version of the module has a different name both the +normal and diagnostic modules can be installed simultaneously without +conflict. But Apache will only load one of the two modules. 
Which +module is loaded is controlled by the +``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which +has a line in it which looks like this:: + + LoadModule auth_mellon_module modules/mod_auth_mellon.so + +To load the diagnostics version of the module you need to change the +module name so it looks like this:: + + LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so + +**Don't forget to change it back again when you're done debugging.** + +You'll also need to enable the collection of diagnostic information, +do this by adding this directive at the top of your Mellon conf.d +config file or inside your virtual host config (diagnostics are per +server instance):: + + MellonDiagnosticsEnable On + +.. NOTE:: + Some versions of the Mellon User Guide have a typo in the name of + this directive, it incorrectly uses ``MellonDiagnosticEnable`` + instead of ``MellonDiagnosticsEnable``. The difference is + Diagnostics is plural. + +The Apache ``error_log`` will contain a message indicating how it +processed the ``MellonDiagnosticsEnable`` directive. If you loaded the +standard module without diagnostics you'll see a message like this:: + + MellonDiagnosticsEnable has no effect because Mellon was not + compiled with diagnostics enabled, use + ./configure --enable-diagnostics at build time to turn this + feature on. + +If you've loaded the diagnostics version of the module you'll see a +message in the ``error_log`` like this:: + + mellon diagnostics enabled for virtual server *:443 + (/etc/httpd/conf.d/my_server.conf:7) + ServerName=https://my_server.example.com:443, diagnostics + filename=logs/mellon_diagnostics diff --git a/SOURCES/auth_mellon.conf b/SOURCES/auth_mellon.conf index ad86d39..f46765d 100644 --- a/SOURCES/auth_mellon.conf +++ b/SOURCES/auth_mellon.conf @@ -1,2 +1,2 @@ MellonCacheSize 100 -MellonLockFile "/run/mod_auth_mellon/lock" +MellonLockFile "/run/$name/lock" 
diff --git a/SOURCES/lasso_error_check.patch b/SOURCES/lasso_error_check.patch
deleted file mode 100644
index f9cc4ca..0000000
--- a/SOURCES/lasso_error_check.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -commit 2c2e19d96069f2d94d6c68f50e3ef2175a412cfb -Author: Olav Morken -Date: Tue Aug 8 14:34:24 2017 +0200 - - Fix incorrect error check for many `lasso_*`-functions. - - Several places in the code we assumed that Lasso error codes were - negative, however some of them are positive integers. This patch - ensures that we do direct check for a zero return code in all cases. - - Fixes issue #128. - -diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c -index 70462a7..5661083 100644 ---- a/auth_mellon_handler.c -+++ b/auth_mellon_handler.c -@@ -640,7 +640,7 @@ static void am_restore_lasso_profile_state(request_rec *r, - identity_dump = am_cache_get_lasso_identity(am_session); - if(identity_dump != NULL) { - rc = lasso_profile_set_identity_from_dump(profile, identity_dump); -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Could not restore identity from dump." - " Lasso error: [%i] %s", rc, lasso_strerror(rc)); -@@ -651,7 +651,7 @@ static void am_restore_lasso_profile_state(request_rec *r, - session_dump = am_cache_get_lasso_session(am_session); - if(session_dump != NULL) { - rc = lasso_profile_set_session_from_dump(profile, session_dump); -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Could not restore session from dump." - " Lasso error: [%i] %s", rc, lasso_strerror(rc)); -@@ -1842,7 +1842,7 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login, - } - - rc = lasso_login_accept_sso(login); -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Unable to accept SSO message." - " Lasso error: [%i] %s", rc, lasso_strerror(rc)); -@@ -2157,7 +2157,7 @@ static int am_handle_artifact_reply(request_rec *r) - rc = lasso_login_init_request(login, r->args, - LASSO_HTTP_METHOD_ARTIFACT_GET); - -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Failed to handle login response." 
- " Lasso error: [%i] %s", rc, lasso_strerror(rc)); -@@ -2181,7 +2181,7 @@ static int am_handle_artifact_reply(request_rec *r) - ap_unescape_url(saml_art); - - rc = lasso_login_init_request(login, saml_art, LASSO_HTTP_METHOD_ARTIFACT_POST); -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Failed to handle login response." - " Lasso error: [%i] %s", rc, lasso_strerror(rc)); -@@ -2192,7 +2192,7 @@ static int am_handle_artifact_reply(request_rec *r) - - /* Prepare SOAP request. */ - rc = lasso_login_build_request_msg(login); -- if(rc < 0) { -+ if(rc != 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Failed to prepare SOAP message for HTTP-Artifact" - " resolution." diff --git a/SOURCES/log_no_idp.patch b/SOURCES/log_no_idp.patch deleted file mode 100644 index c51f30b..0000000 --- a/SOURCES/log_no_idp.patch +++ /dev/null @@ -1,42 +0,0 @@ -commit daa5d1e66791a155dc74b220f16422ba206b8788 -Author: John Dennis -Date: Tue Jun 13 09:34:36 2017 -0400 - - If no IdP's are defined explicitly log that fact - - Sometimes configuration errors are made and a location does have any - IdP's defined for it. Previosly the error message in this case was: - - "Error adding IdP to lasso server object. Please verify the following - configuration directives: MellonIdPMetadataFile and - MellonIdPPublicKeyFile." - - But this message is misleading, it suggests an attempt was made to add - the IdP but somehow it failed, this will often cause folks to try to - determine what is wrong with the IdP metadata file, which may in fact - be defined in the mellon config but because of location inheritance is - not being included in the per directory config. - - It would be much more helpful to indicate no IdP's were defined for - this config location which is clearly a different problem than - suggesting an attempt was made to add an IdP but it failed. - - 
Signed-off-by: John Dennis - -diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c -index 44a5ee9..2004752 100644 ---- a/auth_mellon_handler.c -+++ b/auth_mellon_handler.c -@@ -242,6 +242,12 @@ static guint am_server_add_providers(am_dir_cfg_rec *cfg, request_rec *r) - idp_public_key_file = NULL; - #endif /* ! HAVE_lasso_server_load_metadata */ - -+ if (cfg->idp_metadata->nelts == 0) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Error, URI \"%s\" has no IdP's defined", r->uri); -+ return 0; -+ } -+ - for (index = 0; index < cfg->idp_metadata->nelts; index++) { - const am_metadata_t *idp_metadata; - int error; diff --git a/SOURCES/log_typo.patch b/SOURCES/log_typo.patch deleted file mode 100644 index ff0cf6a..0000000 --- a/SOURCES/log_typo.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -commit 4c924d9062406762c44ce95bdee14dadf4bfeed2 -Author: Thijs Kinkhorst -Date: Sun Jul 9 14:42:29 2017 +0000 - - Fix some log message typos - -diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c -index 9a5bb0e..cd3b9b0 100644 ---- a/auth_mellon_cache.c -+++ b/auth_mellon_cache.c -@@ -740,7 +740,7 @@ int am_cache_set_lasso_state(am_cache_entry_t *session, - lasso_identity); - if (status != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -- "Lasso identity is to big for storage. Size of lasso" -+ "Lasso identity is too big for storage. Size of lasso" - " identity is %" APR_SIZE_T_FMT ".", - (apr_size_t)strlen(lasso_identity)); - return HTTP_INTERNAL_SERVER_ERROR; -@@ -751,7 +751,7 @@ int am_cache_set_lasso_state(am_cache_entry_t *session, - lasso_session); - if (status != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -- "Lasso session is to big for storage. Size of lasso" -+ "Lasso session is too big for storage. Size of lasso" - " session is %" APR_SIZE_T_FMT ".", - (apr_size_t)strlen(lasso_session)); - return HTTP_INTERNAL_SERVER_ERROR; -@@ -762,8 +762,8 @@ int am_cache_set_lasso_state(am_cache_entry_t *session, - lasso_saml_response); - if (status != 0) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, -- "Lasso SAML response is to big for storage. Size of " -- "lasso SAML Reponse is %" APR_SIZE_T_FMT ".", -+ "Lasso SAML response is too big for storage. Size of " -+ "lasso SAML Response is %" APR_SIZE_T_FMT ".", - (apr_size_t)strlen(lasso_saml_response)); - return HTTP_INTERNAL_SERVER_ERROR; - } -diff --git a/auth_mellon_util.c b/auth_mellon_util.c -index 34cf88d..19bfb41 100644 ---- a/auth_mellon_util.c -+++ b/auth_mellon_util.c -@@ -1823,7 +1823,7 @@ tokenize(apr_pool_t *pool, const char *str, bool ignore_whitespace, - } - if (*p != '\"') { - *error = apr_psprintf(pool, -- "unterminated string begining at " -+ "unterminated string beginning at " - "position %" APR_SIZE_T_FMT " in \"%s\"", - start-str, str); - break; 
diff --git a/SOURCES/mellon_user_case_insensitive.patch b/SOURCES/mellon_user_case_insensitive.patch deleted file mode 100644 index 5dad36b..0000000 --- a/SOURCES/mellon_user_case_insensitive.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit c29123244e546986ff3c9e6fe94772c4411adf2b -Author: Olav Morken -Date: Wed Aug 16 17:28:16 2017 +0200 - - Make MellonUser case-insensitive. - - MellonUser used to perform its attribute match in a case-sesnsitive - manner, while environment variables are stored in a case-insensitive - table in Apache. - - The result is a bit of inconsistency between the way mod_auth_mellon - handles the attribute names and the way they are accessed other places - in Apache. - - This patch changes the code to use a case-insensitive match when - processing the MellonUser directive. - - Fixes issue #131. - -diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c -index cd3b9b0..7d51589 100644 ---- a/auth_mellon_cache.c -+++ b/auth_mellon_cache.c -@@ -552,7 +552,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) - if (am_cache_entry_slot_is_empty(&t->user)) { - for(i = 0; i < t->size; ++i) { - varname = am_cache_entry_get_string(t, &t->env[i].varname); -- if (strcmp(varname, d->userattr) == 0) { -+ if (strcasecmp(varname, d->userattr) == 0) { - value = am_cache_entry_get_string(t, &t->env[i].value); - status = am_cache_entry_store_string(t, &t->user, value); - if (status != 0) { -@@ -592,7 +592,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) - * If we find a variable remapping to MellonUser, use it. - */ - if (am_cache_entry_slot_is_empty(&t->user) && -- (strcmp(varname, d->userattr) == 0)) { -+ (strcasecmp(varname, d->userattr) == 0)) { - status = am_cache_entry_store_string(t, &t->user, value); - if (status != 0) { - ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, 
diff --git a/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch b/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch
deleted file mode 100644
index 5b2fa26..0000000
--- a/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
-index 3d44460..36a3184 100644
---- a/mod_auth_mellon.c
-+++ b/mod_auth_mellon.c
-@@ -204,6 +204,12 @@ static int am_create_request(request_rec *r)
-
- static void register_hooks(apr_pool_t *p)
- {
-+ /* Our handler needs to run before mod_proxy so that it can properly
-+ * return ECP AuthnRequest messages when running as a reverse proxy.
-+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
-+ */
-+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
-+
- ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
-@@ -219,7 +225,7 @@ static void register_hooks(apr_pool_t *p)
- * Therefore this hook must run before any handler that may check
- * r->handler and decide that it is the only handler for this URL.
- */
-- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
-+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
- return;
- }
-
diff --git a/SOURCES/mod_auth_mellon-0.14.0-CVE-2019-3878.patch b/SOURCES/mod_auth_mellon-0.14.0-CVE-2019-3878.patch
new file mode 100644
index 0000000..b4af717
--- /dev/null
+++ b/SOURCES/mod_auth_mellon-0.14.0-CVE-2019-3878.patch
@@ -0,0 +1,26 @@
+diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
+index 74bd328..5330f48 100644
+--- a/mod_auth_mellon.c
++++ b/mod_auth_mellon.c
+@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
+
+ static void register_hooks(apr_pool_t *p)
+ {
++ /* Our handler needs to run before mod_proxy so that it can properly
++ * return ECP AuthnRequest messages when running as a reverse proxy.
++ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
++ */
++ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
++
+ ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
+@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
+ * Therefore this hook must run before any handler that may check
+ * r->handler and decide that it is the only handler for this URL.
+ */
+- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
++ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
+
+ #ifdef ENABLE_DIAGNOSTICS
+ ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
diff --git a/SOURCES/mod_auth_mellon.conf b/SOURCES/mod_auth_mellon.conf
index 5e653bc..d7f8d81 100644
--- a/SOURCES/mod_auth_mellon.conf
+++ b/SOURCES/mod_auth_mellon.conf
@@ -1,2 +1,2 @@
 # mod_auth_mellon lock file is created in this directory
-d /run/mod_auth_mellon 0755 apache apache
+d /run/$name 0755 apache apache
diff --git a/SOURCES/post_segfault.patch b/SOURCES/post_segfault.patch
deleted file mode 100644
index 2d20e16..0000000
--- a/SOURCES/post_segfault.patch
+++ /dev/null
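Review bot: The comment added above `run_handler_before` cites only upstream pull request 196 and never names the vulnerability this patch file is carried for, so someone reading the built module source cannot connect the hook-ordering constraint to CVE-2019-3878 without digging through the spec changelog. I would extend the first comment line to `/* CVE-2019-3878: am_handler must run before mod_proxy's handler so that ECP AuthnRequests are answered here instead of being proxied; see pull/196 */` — the "instead of being proxied" reading follows from the changelog's "authentication bypass in ECP flow" and should be checked against the upstream advisory wording. Note also that the predecessor list names only `mod_proxy.c`; any other module that registers a handler at APR_HOOK_FIRST and claims the request is not ordered by this, which is presumably acceptable but worth stating in the same comment. The body of `register_hooks` continues past the end of the second inner hunk.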
@@ -1,38 +0,0 @@ -commit 5c5ed1d6ab2798b4833a12b81f77aca3f82e86f0 -Author: Olav Morken -Date: Tue Aug 8 09:45:10 2017 +0200 - - Fix segmentation fault with POST field without a value. - - This patch fixes a segmentation fault that can occur after the user - has logged in if the server is configured to replay POST data from - before login. If the POST data contained a field without a value we - would attempt to pass a constant string to the - am_urldecode()-function, which would crash with a segmentation fault. - - This patch fixes that by using an empty string allocated on the stack - instead of a constant string. - - Fixes #115. - -diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c -index f073721..70462a7 100644 ---- a/auth_mellon_handler.c -+++ b/auth_mellon_handler.c -@@ -2329,6 +2329,7 @@ const char *am_post_mkform_urlencoded(request_rec *r, const char *post_data) - const char *item; - char *last; - char *post_form = ""; -+ char empty_value[] = ""; - - for (item = am_xstrtok(r, post_data, "&", &last); item; - item = am_xstrtok(r, NULL, "&", &last)) { -@@ -2344,7 +2345,7 @@ const char *am_post_mkform_urlencoded(request_rec *r, const char *post_data) - continue; - - if (value == NULL) -- value = (char *)""; -+ value = empty_value; - - if (am_urldecode(name) != OK) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, diff --git a/SOURCES/update_log_invalid_dst.patch b/SOURCES/update_log_invalid_dst.patch deleted file mode 100644 index 17c328d..0000000 --- a/SOURCES/update_log_invalid_dst.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-commit 93faba4505b2c02c4885d33f785db97efd6f9c1b
-Author: nneul at neulinger.org
-Date: Fri Oct 6 12:08:58 2017 +0000
-
- Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.
-diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
-index afb3195..030abe7 100644
---- a/auth_mellon_handler.c
-+++ b/auth_mellon_handler.c
-@@ -1461,8 +1461,8 @@ static int am_validate_conditions(request_rec *r,
-
- if (ar->Audience == NULL || strcmp(ar->Audience, providerID)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-- "Invalid Audience in Conditions. Should be: %s",
-- providerID);
-+ "Invalid Audience in Conditions. Should be '%s', but was '%s'",
-+ providerID, ar->Audience ? ar->Audience : "");
- return HTTP_BAD_REQUEST;
- }
- }
-@@ -1791,8 +1791,8 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login,
- if (response->parent.Destination) {
- if (strcmp(response->parent.Destination, url)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-- "Invalid Destination on Response. Should be: %s",
-- url);
-+ "Invalid Destination on Response. Should be '%s', but was '%s'",
-+ url, response->parent.Destination);
- lasso_login_destroy(login);
- return HTTP_BAD_REQUEST;
- }
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index a669407..4e64471 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -2,15 +2,15 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: %{?scl:%scl_prefix}mod_auth_mellon
-Version: 0.13.1
-Release: 2%{?dist}.1
+Version: 0.14.0
+Release: 3%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/mod_auth_mellon-%{version}.tar.gz
 Source1: auth_mellon.conf
 Source2: 10-auth_mellon.conf
 Source3: mod_auth_mellon.conf
 Source4: mellon_create_metadata.sh
-Source5: user_guide.tar.gz
+Source5: README.redhat.rst
 License: GPLv2+
 BuildRequires: curl-devel
@@ -19,23 +19,20 @@ BuildRequires: %{?scl:%scl_prefix}httpd-devel
 BuildRequires: lasso-devel >= 2.5.0
 BuildRequires: openssl-devel
 BuildRequires: xmlsec1-devel
+BuildRequires: asciidoc
 %if 0%{?scl:1}
 Requires: %{?scl:%scl_prefix}httpd-mmn = %{_httpd24_mmn}
 %else
 Requires: httpd-mmn = %{_httpd_mmn}
 %endif
-Requires: lasso >= 2.5.0
+Requires: lasso >= 2.5.1
 %{?scl:Requires:%scl_runtime}
 Url: https://github.com/UNINETT/mod_auth_mellon
-Patch1: log_typo.patch
-Patch2: post_segfault.patch
-Patch3: lasso_error_check.patch
-Patch4: mellon_user_case_insensitive.patch
-Patch5: log_no_idp.patch
-Patch6: update_log_invalid_dst.patch
-Patch7: mod_auth_mellon-0.13.1-CVE-2019-3878.patch
+# Security patches:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1691126
+Patch100: mod_auth_mellon-0.14.0-CVE-2019-3878.patch
 %description
 The mod_auth_mellon module is an authentication service that implements the
@@ -44,13 +41,8 @@ received in assertions generated by a IdP server.
 %prep
 %setup -q -n mod_auth_mellon-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
+
+%patch100 -p1 -b .CVE-2019-3878
 %build
 %if 0%{?scl:1}
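Review bot: `Requires: lasso >= 2.5.1` raises the runtime floor, but the `BuildRequires: lasso-devel >= 2.5.0` context line a few lines above is left at 2.5.0, so the module can be compiled against a lasso older than the one the package then insists on at install time; bump it to `BuildRequires: lasso-devel >= 2.5.1` in the same change. The new `# Security patches:` comment points at bug 1691126 while the changelog entry for this release cites #1692459 — if one is the RHEL bug and the other the SCL clone, say so in the comment so the two numbers are not mistaken for a mix-up. A one-line comment explaining why numbering jumps to `Patch100` (presumably a range reserved for security backports) would also help whoever adds the next patch.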
@@ -58,43 +50,83 @@ export APXS=%{_httpd24_apxs}
 %else
 export APXS=%{_httpd_apxs}
 %endif
+
+%configure --with-apxs2=$APXS --enable-diagnostics
+make clean
+make %{?_smp_mflags}
+cp .libs/mod_auth_mellon.so mod_auth_mellon-diagnostics.so
+
 %configure --with-apxs2=$APXS
+make clean
 make %{?_smp_mflags}
+# don't have asciidoctor in rhel-7
+pushd doc/user_guide
+asciidoc -a data-uri mellon_user_guide.adoc
+popd
 %install
 # install module
 %if 0%{?scl:1}
 install -Dm 755 .libs/mod_auth_mellon.so \
 %{buildroot}%{_httpd24_moddir}/mod_auth_mellon.so
+install -Dm 755 mod_auth_mellon-diagnostics.so \
+ %{buildroot}%{_httpd24_moddir}/mod_auth_mellon-diagnostics.so
 %else
 install -Dm 755 .libs/mod_auth_mellon.so \
 %{buildroot}%{_httpd_moddir}/mod_auth_mellon.so
+install -Dm 755 mod_auth_mellon-diagnostics.so \
+ %{buildroot}%{_httpd_moddir}/mod_auth_mellon-diagnostics.so
 %endif
 # install module configuration
 %if 0%{?scl:1}
 mkdir -p %{buildroot}%{_httpd24_confdir}
 install -m 644 %{SOURCE1} %{buildroot}%{_httpd24_confdir}
+sed -i 's|\$name|%{name}|g' %{buildroot}%{_httpd24_confdir}/auth_mellon.conf
+
 mkdir -p %{buildroot}%{_httpd24_modconfdir}
 install -m 644 %{SOURCE2} %{buildroot}%{_httpd24_modconfdir}
 %else
 mkdir -p %{buildroot}%{_httpd_confdir}
 install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
+sed -i 's|\$name|%{name}|g' %{buildroot}%{_httpd24_confdir}/auth_mellon.conf
+
 mkdir -p %{buildroot}%{_httpd_modconfdir}
 install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
 %endif
 mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
-mkdir -p %{buildroot}%{_localstatedir}/run/mod_auth_mellon
+install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+sed -i 's|\$name|%{name}|g' %{buildroot}%{_root_prefix}/lib/tmpfiles.d/%{name}.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/%{name}
 # install script to generate metadata
 mkdir -p %{buildroot}%{_libexecdir}/mod_auth_mellon
 install -m 755 %{SOURCE4} %{buildroot}%{_libexecdir}/mod_auth_mellon
+#install documentation
+mkdir -p %{buildroot}/%{_pkgdocdir}
+
+# install Red Hat README
+install %{SOURCE5} %{buildroot}/%{_pkgdocdir}
+
 # install user guide
-mkdir -p %{buildroot}%{_pkgdocdir}
-tar -C %{buildroot}%{_pkgdocdir} -xf %{SOURCE5}
+cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
+
+%package diagnostics
+Summary: Build of mod_auth_mellon with diagnostic logging
+Requires: %{name} = %{version}-%{release}
+
+%description diagnostics
+Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
+in the doc directory for instructions on using the diagnostics build.
+
+%files diagnostics
+%if 0%{?scl:1}
+%{_httpd24_moddir}/mod_auth_mellon-diagnostics.so
+%else
+%{_httpd_moddir}/mod_auth_mellon-diagnostics.so
+%endif
 %files
 %defattr(-,root,root)
@@ -103,9 +135,9 @@ tar -C %{buildroot}%{_pkgdocdir} -xf %{SOURCE5}
 %else
 %license COPYING
 %endif
-%doc README NEWS ECP.rst
+%doc %{_pkgdocdir}/README.redhat.rst
 %doc %{_pkgdocdir}/user_guide
-
+%doc README.md NEWS ECP.rst
 %if 0%{?scl:1}
 %config(noreplace) %{_httpd24_modconfdir}/10-auth_mellon.conf
 %config(noreplace) %{_httpd24_confdir}/auth_mellon.conf
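Review bot: In the non-SCL `%else` branch of the configuration install, the added line `sed -i 's|\$name|%{name}|g' %{buildroot}%{_httpd24_confdir}/auth_mellon.conf` rewrites the SCL path even though the file was just installed under `%{_httpd_confdir}`; in a non-SCL build that path does not exist, so sed fails, and if the failure were ever ignored the shipped `auth_mellon.conf` would carry a literal `MellonLockFile "/run/$name/lock"`. Change it to `sed -i 's|\$name|%{name}|g' %{buildroot}%{_httpd_confdir}/auth_mellon.conf`. The tmpfiles rewrite has the same shape: it edits `%{_root_prefix}/lib/tmpfiles.d/%{name}.conf` although the file was installed to `%{_tmpfilesdir}/%{name}.conf`; using `%{_tmpfilesdir}` in both places removes the assumption that `_root_prefix` is defined and resolves to the same tree. Separately, `install %{SOURCE5} %{buildroot}/%{_pkgdocdir}` has no `-m 644`, so README.redhat.rst is packaged with install's default 0755 mode.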
@@ -115,15 +147,22 @@ tar -C %{buildroot}%{_pkgdocdir} -xf %{SOURCE5}
 %config(noreplace) %{_httpd_confdir}/auth_mellon.conf
 %{_httpd_moddir}/mod_auth_mellon.so
 %endif
-%{_tmpfilesdir}/mod_auth_mellon.conf
+%{_tmpfilesdir}/%{name}.conf
 %{_libexecdir}/mod_auth_mellon
-%dir %{_localstatedir}/run/mod_auth_mellon/
+%dir %{_localstatedir}/run/%{name}/
 %changelog
-* Wed Apr 03 2019 Lubos Uhliarik - 0.13.1-2.1
-- Resolves: #1692458 - CVE-2019-3878 httpd24-mod_auth_mellon: mod_auth_mellon:
+* Wed Apr 03 2019 Lubos Uhliarik - 0.14.0-3
+- Resolves: #1692459 - CVE-2019-3878 httpd24-mod_auth_mellon: mod_auth_mellon:
 authentication bypass in ECP flow
+* Wed Jan 09 2019 Lubos Uhliarik - 0.14.0-2
+- Resolves: #1568475 - mod_auth_mellon: tmpfiles.d drop-in wrong location
+- Resolves: #1568837 - ownership test fail
+
+* Tue Jan 08 2019 Lubos Uhliarik - 0.14.0-1
+- new version 0.14.0 (#1582039)
+
 * Fri Jan 05 2018 Luboš Uhliarik - 0.13.1-2
 - Resolves: #1514391 - [RFE] Include mod_auth_mellon for RHSCL httpd24
 - Merged with RHEL-7.5 branch, SCLized spec
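Review bot: `%dir %{_localstatedir}/run/%{name}/` is packaged under the `%defattr(-,root,root)` shown in the previous hunk, while the tmpfiles.d rule changed in this same commit creates that directory as `apache apache`; until the first reboot the lock directory is therefore root-owned, afterwards apache-owned, which looks like the mismatch the `ownership test fail` changelog entry refers to. Declaring it as `%attr(0755,apache,apache) %dir %{_localstatedir}/run/%{name}/` makes the packaged directory agree with the tmpfiles rule; whether the module actually needs the apache user to own it is not visible here and should be confirmed against how `MellonLockFile` is created. The `%files` section this hunk belongs to begins before the hunk.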