Prepare mellon release 0.18.0 (#72)
Resolves: #71
jhrozek authored Jul 30, 2021
1 parent 0b494db commit d5cfa39
Showing 2 changed files with 32 additions and 1 deletion.
31 changes: 31 additions & 0 deletions NEWS
@@ -1,3 +1,34 @@
Version 0.18.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
"///fishing-site.example.com/logout.html". In this case, the browser
would interpret the URL differently than the APR parsing utility
mellon uses and redirect to fishing-site.example.com.
This could be reproduced with:
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html

This version fixes that issue by rejecting all URLs that start with "///".

Enhancements:

* A new option MellonSessionIdleTimeout that represents the amount of time
a user can be inactive before the user's session times out in seconds.

Bug fixes:

* Several build-time fixes

* The CookieTest SameSite attribute was only set to None if mellon configure
option MellonCookieSameSite was set to something other than default.
This is now fixed.


Version 0.17.0
---------------------------------------------------------------------------
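Review bot: The CVE-2019-13038 entry has two wording problems and one omission. "fishing-site.example.com" should read "phishing-site.example.com" (the attack is phishing; the bypass URL quoted below it would change accordingly), and "specifying an URL" should be "specifying a URL". The entry also says only that "this version fixes that issue by rejecting all URLs that start with '///'" without naming the commit that carries the check; a security note in NEWS should reference the fixing commit so readers can confirm the change is present in the tarball they ship. Minor: in the enhancements entry, "before the user's session times out in seconds" reads as if the timeout happens in seconds; suggest "the amount of time, in seconds, a user can be inactive before the session times out", and in the bug-fix entry "mellon configure option" should be "mellon configuration option".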

2 changes: 1 addition & 1 deletion configure.ac
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_mellon],[0.17.0],[https://github.com/latchset/mod_auth_mellon/issues])
AC_INIT([mod_auth_mellon],[0.18.0],[https://github.com/latchset/mod_auth_mellon/issues])
AC_CONFIG_HEADERS([config.h])

# We require support for C99.