author | CoprDistGit <infra@openeuler.org> | 2023-03-26 12:06:12 +0000 |
---|---|---|
committer | CoprDistGit <infra@openeuler.org> | 2023-03-26 12:06:12 +0000 |
commit | 03dba8af033ead62931986877f0b8d77e0c536f3 (patch) | |
tree | 1a15f239bc7bfd71eb309f1ec6f45fa9a154e59e /mod_auth_mellon.spec | |
parent | a8d510b1a8669d49d84d40279ef206df3bae5b44 (diff) |
automatic import of mod_auth_mellonopeneuler20.03
Diffstat (limited to 'mod_auth_mellon.spec')
-rw-r--r-- | mod_auth_mellon.spec | 275 |
1 files changed, 275 insertions, 0 deletions
diff --git a/mod_auth_mellon.spec b/mod_auth_mellon.spec new file mode 100644 index 0000000..7c46a7e --- /dev/null +++ b/mod_auth_mellon.spec 
@@ -0,0 +1,275 @@ +Summary: A SAML 2.0 authentication module for the Apache Httpd Server +Name: mod_auth_mellon +Version: 0.14.0 +Release: 12%{?dist}.1 +Group: System Environment/Daemons +Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: auth_mellon.conf +Source2: 10-auth_mellon.conf +Source3: mod_auth_mellon.conf +Source4: mellon_create_metadata.sh +Source5: README.redhat.rst +Source6: mellon_user_guide.html +License: GPLv2+ +BuildRequires: gcc +BuildRequires: curl-devel +BuildRequires: glib2-devel +BuildRequires: httpd-devel +BuildRequires: lasso-devel >= 2.5.1 +BuildRequires: openssl-devel +BuildRequires: xmlsec1-devel +Requires: httpd-mmn = %{_httpd_mmn} +Requires: lasso >= 2.5.1 +Url: https://github.com/UNINETT/mod_auth_mellon + +Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch +Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch +Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch +Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch +Patch0005: 0005-CVE_2019_13038.patch +Patch0006: 0006-Add-none-option-for-samesite.patch +Patch0007: 0007-avoid-always-set-SameSite-cookie.patch +Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch +Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch + +# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However, +# I could not get asciidoc to render properly so instead I generated +# mellon_user_guide.html on Fedora using asciidoctor and included +# mellon_user_guide.html as a SOURCE. If the user guide source is updated +# the mellon_user_guide.html will need to be regenerated. + +%description +The mod_auth_mellon module is an authentication service that implements the +SAML 2.0 federation protocol. It grants access based on the attributes +received in assertions generated by a IdP server. 
+ +%prep +%setup -q -n %{name}-%{version} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 + +%build +export APXS=%{_httpd_apxs} +%configure --enable-diagnostics +make clean +make %{?_smp_mflags} +cp .libs/%{name}.so %{name}-diagnostics.so + +%configure +make clean +make %{?_smp_mflags} + +%install +# install module +mkdir -p %{buildroot}%{_httpd_moddir} +install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir} +install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir} + +# install module configuration +mkdir -p %{buildroot}%{_httpd_confdir} +install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir} +mkdir -p %{buildroot}%{_httpd_modconfdir} +install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir} + +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir} +mkdir -p %{buildroot}/run/%{name} + +# install script to generate metadata +mkdir -p %{buildroot}/%{_libexecdir}/%{name} +install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name} + +#install documentation +mkdir -p %{buildroot}/%{_pkgdocdir} + +# install Red Hat README +install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir} + +# install user guide +cp -r doc/user_guide %{buildroot}/%{_pkgdocdir} +install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide + +%package diagnostics +Summary: Build of mod_auth_mellon with diagnostic logging +Requires: %{name} = %{version}-%{release} + +%description diagnostics +Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst +in the doc directory for instructions on using the diagnostics build. 
+ +%files diagnostics +%{_httpd_moddir}/%{name}-diagnostics.so + +%files +%if 0%{?rhel} && 0%{?rhel} < 7 +%doc COPYING +%else +%license COPYING +%endif +%doc README.md NEWS ECP.rst +%doc %{_pkgdocdir}/README.redhat.rst +%doc %{_pkgdocdir}/user_guide +%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf +%config(noreplace) %{_httpd_confdir}/auth_mellon.conf +%{_httpd_moddir}/mod_auth_mellon.so +%{_tmpfilesdir}/mod_auth_mellon.conf +%{_libexecdir}/%{name} +%attr(0755,apache,apache) %dir /run/%{name}/ + +%changelog +* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1 +- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect + vulnerability in logout URLs [rhel-8] + +* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12 +- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to + support latest browsers + +* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11 +- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect + via the login?ReturnTo= substring which could + facilitate information theft [rhel-8] + +* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10 +- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name + X-Requested-With + +* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9 +- Just bump the release number +- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product + listings + +* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8 +- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix + +* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7 +- Apply the patch from the previous commit +- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open + redirect in logout url when using URLs with + backslashes [rhel-8] + +* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6 +- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open + redirect in 
logout url when using URLs with + backslashes [rhel-8] + +* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5 +- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication + bypass in ECP flow [rhel-8.1.0] + +* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4 +- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm + verification warnings + +* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3 +- Rebuild with fixed binutils + +* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2 +- Resolves: rhbz#1553885 +- fix file permissions on doc files + +* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1 +- Resolves: rhbz#1553885 +- Rebase to current upstream release + +* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2 +- Resolves: rhbz#1481330 Add diagnostic logging +- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set + signature method used to sign SAML messages sent by Mellon. + Defaults to original sha1. + +* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1 +- upgrade to new upstream release + +* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4 +- Resolves: bug #1414019 Incorrect PAOS Content-Type header + +* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3 +- bump release for rebuild + +* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2 +- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc +- am_check_uid() should be no-op if mellon not enabled + +* Wed Mar 9 2016 John 
Dennis <jdennis@redhat.com> - 0.12.0-1 +- Update to new upstream 0.12.0 +- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to + incorrect error handling when reading POST data from client. + +- [CVE-2016-2146] Fix DOS attack (Apache worker process crash / + resource exhaustion) due to missing size checks when reading + POST data. + +In addition this release contains the following new features and fixes: + +- Add MellonRedirectDomains option to limit the sites that + mod_auth_mellon can redirect to. This option is enabled by default. + +- Add support for ECP service options in PAOS requests. + +- Fix AssertionConsumerService lookup for PAOS requests. + +* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3 +- Fix the following warning that appears in the Apache log + lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed + +* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2 +- Add lasso 2.5.0 version dependency + +* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1 +- Upgrade to upstream 0.11.0 release. +- Includes ECP support, see NEWS for all changes. +- Update mellon_create_metadata.sh to match internally generated metadata, + includes AssertionConsumerService for postResponse, artifactResponse & + paosResponse. 
+ +* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1 +- New upstream release + +* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1 +- New upstream release + +* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1 +- New upstream realease version 0.8.0 +- Upstream moved to github +- Drops patches as they have been all included upstream + +* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3 +- Backport of useful patches from upstream + - Better handling of IDP reported errors + - Better handling of session data storage size + +* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1 +- Fix ownership of /run files + +* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0 +- Initial Fedora release based on version 0.7.0 +- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr> |
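Review bot: the Patch0001 through Patch0009 list in the spec header leaves the security backports undocumented; only `0005-CVE_2019_13038.patch` names the CVE it carries, while the %changelog entries from 0.14.0-5 up to 0.14.0-12.1 cite CVE-2019-3878 (authentication bypass in the ECP flow), CVE-2019-3877 (open redirect in the logout URL with backslashes), CVE-2019-13038 (open redirect via `login?ReturnTo=`) and CVE-2021-3639 (open redirect in logout URLs), and nothing in the hunk ties the other eight patches to those bugs. Add a one-line comment above each `PatchNNNN:` line naming the rhbz and CVE it backports, so that a future rebase to a newer upstream can check that every redirect-validation and ECP fix is either dropped because upstream carries it or kept, instead of having to guess, for example, which of the three open-redirect CVEs `0009-Prevent-redirect-to-URLs-that-begin-with.patch` addresses. Two smaller points: the `# FIXME: RHEL-7 does not have rubygem-asciidoctor` comment and the pre-rendered `mellon_user_guide.html` shipped as Source6 are inherited from the Red Hat spec and say nothing about this openEuler import, so either reword the comment to state why the pre-rendered HTML is still needed here or regenerate the guide at build time; and in %description "generated by a IdP server" should read "generated by an IdP server".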