SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for apache2-mod_auth_mellon-doc-0.19.0-150500.13.3.noarch.rpm :

* Mon Mar 25 2024 pgajdosAATTsuse.com- version update to 0.19.0 Enhancements:
* Support for HTTP-POST binding on Singe Logout endpoint.
* Update documentation. Cleanup:
* Raise minimum Lasso version to 2.4, cleaning up legacy code for compatibility with older versions, including the obsolete `MellonIdPPublicKeyFile` setting which was not working with recent Lasso versions.
* Mon Jul 31 2023 elimatAATTopensuse.org- Update to 0.18.1
* Logout endpoint should handle idP POST response
* mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
* Add some clarification to the documentation
* Add encryption certificate to generated metadata- Changes in 0.18.0
* CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html. In this case, the browser would interpret the URL differently than the APR parsing utility mellon uses and redirect to fishing-site.example.com. This could be reproduced with: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html This version fixes that issue by rejecting all URLs that start with \"///\".
* A new option MellonSessionIdleTimeout that represents the amount of time a user can be inactive before the user\'s session times out in seconds.
* Several build-time fixes
* The CookieTest SameSite attribute was only set to None if mellon configure option MellonCookieSameSite was set to something other than default. This is now fixed.- add libtool and xmlsec1-openssl-devel as new dependencies- set Buildarch to noarch for docs sub-package
* Thu May 05 2022 archie.cobbsAATTgmail.com- Wrap default config in to avoid reload error
* Thu Sep 10 2020 kstreitovaAATTsuse.com- Update to 0.17.0
* New option MellonSendExpectHeader (default On) which allows to disable sending the Expect header in the HTTP-Artifact binding to improve performance when the remote party does not support this header.
* Set SameSite attribute to None on on the cookietest cookie.
* Bump default generated keysize to 3072 bits in mellon_create_metadata
* Validate if the assertion ID has not been used earlier before creating a new session.
* Release session cache after calling invalidate endpoint.
* In MellonCond directives, fix a bug that setting the NC option would also activate substring match and that REG would activate REF.
* Fix MellonCond substring match to actually match the substring on the attribute value
* Thu Jun 04 2020 kstreitovaAATTsuse.com- update mod_auth_mellon-0.16.0-env-script-interpreter.patch use /bin/bash instead of /usr/bin/bash
* Mon May 11 2020 kstreitovaAATTsuse.com- replace version_path with the fixed value
* Tue Apr 28 2020 kstreitovaAATTsuse.com- initial packaging
  
ICM