Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache2-mod_auth_openidc for openSUSE:Factory checked in at 2021-04-06 17:29:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc" Tue Apr 6 17:29:54 2021 rev:15 rq:883176 version:2.4.7 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes 2021-03-30 21:06:18.441107314 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2401/apache2-mod_auth_openidc.changes 2021-04-06 17:31:18.511227385 +0200 @@ -1,0 +2,25 @@ +Mon Apr 5 22:41:02 UTC 2021 - Michael Str??der <mich...@stroeder.com> + +- Update to version 2.4.7 + * Bugfixes + - avoid logged-out sessions remaining (valid) in the session cache: + remove session from cache before clearing it; see #542 + * Features + - add maximum session lifetime (exp), inactivity timeout (timeout) + and remote_user to OIDCInfoHook; closes #541 + * Security + - add opt-out on sub check in userinfo endpoint response using the + (undocumented) OIDC_NO_USERINFO_SUB environment variable, + for backwards (but insecure) compatibility, see #544 + * Dependencies + - libcjose >= 0.5.1 + - if your distribution does not provide libcjose in its package repository, + recent packages for a number of platforms are available from the "Assets" + section in release 2.4.0 + +------------------------------------------------------------------- +Thu Apr 1 12:13:33 UTC 2021 - pgaj...@suse.com + +- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726] + +------------------------------------------------------------------- Old: ---- apache2-mod_auth_openidc-2.4.6.tar.gz New: ---- apache2-mod_auth_openidc-2.4.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_auth_openidc.spec ++++++ --- /var/tmp/diff_new_pack.oaMO24/_old 2021-04-06 17:31:18.987227924 +0200 +++ /var/tmp/diff_new_pack.oaMO24/_new 2021-04-06 17:31:18.991227929 +0200 
@@ -19,7 +19,7 @@ %define apxs %{_sbindir}/apxs2 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) Name: apache2-mod_auth_openidc -Version: 2.4.6 +Version: 2.4.7 Release: 0 Summary: Apache2.x module for an OpenID Connect enabled Identity Provider License: Apache-2.0 @@ -30,7 +30,7 @@ BuildRequires: apache2-devel BuildRequires: autoconf BuildRequires: automake -%if 0%{?is_opensuse} > 0 +%if 0%{?suse_version} >= 1550 BuildRequires: hiredis-devel %endif BuildRequires: libtool ++++++ apache2-mod_auth_openidc-2.4.6.tar.gz -> apache2-mod_auth_openidc-2.4.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/AUTHORS new/mod_auth_openidc-2.4.7/AUTHORS --- old/mod_auth_openidc-2.4.6/AUTHORS 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/AUTHORS 2021-04-05 16:22:26.000000000 +0200 @@ -67,3 +67,4 @@ Paul Spangler <https://github.com/spanglerco> Chris Pawling <https://github.com/chris468> Matthias Flesch??tz <https://github.com/blindzero> + Harri Rautila <https://github.com/hrautila> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/ChangeLog new/mod_auth_openidc-2.4.7/ChangeLog --- old/mod_auth_openidc-2.4.6/ChangeLog 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/ChangeLog 2021-04-05 16:22:26.000000000 +0200 
@@ -1,3 +1,17 @@ +04/04/2021 +- improve documentation on OIDCPreservePost +- release 2.4.7 + +04/01/2021 +- bump to 2.4.7rc1 + +02/16/2021 +- remove session from cache before clearing it. + +02/12/2021 +- add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook +- bump to 2.4.7-dev + 02/08/2021 - return 400 instead of 500 when state cookie matching fails - release 2.4.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/auth_openidc.conf new/mod_auth_openidc-2.4.7/auth_openidc.conf --- old/mod_auth_openidc-2.4.6/auth_openidc.conf 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/auth_openidc.conf 2021-04-05 16:22:26.000000000 +0200 @@ -821,8 +821,10 @@ #OIDCUnAutzAction [401|403|auth] # Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). -# Preservation is done via HTML 5 local storage. Note that this can lead to private data exposure on shared terminals, -# that is why the default is "Off". Can be configured on a per Directory/Location basis. +# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form. +# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data. +# Preservation is done via HTML 5 local storage: note that this can lead to private data exposure on shared terminals. +# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis. #OIDCPreservePost [On|Off] # Indicates whether the refresh token will be passed to the application in a header/environment variable, according 
@@ -859,9 +861,12 @@ # id_token (object) : the claims presented in the ID token # userinfo (object) : the claims resolved from the UserInfo endpoint # refresh_token (string) : the refresh token (if returned by the OP) +# exp (int) : the maximum session lifetime (Unix timestamp in seconds) +# timeout (int) : the session inactivity timeout (Unix timestamp in seconds) +# remote_user (string) : the remote user name # session (object) : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object # When not defined the session hook will not return any data but a HTTP 404 -#OIDCInfoHook [iat|access_token|access_token_expires|id_token|userinfo|refresh_token|session]+ +#OIDCInfoHook [iat|access_token|access_token_expires|id_token|userinfo|refresh_token|exp|timeout|remote_user|session]+ # Specify claims that should be removed from the userinfo and/or id_token before storing them in the session. # Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/configure.ac new/mod_auth_openidc-2.4.7/configure.ac --- old/mod_auth_openidc-2.4.6/configure.ac 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/configure.ac 2021-04-05 16:22:26.000000000 +0200 @@ -1,4 +1,4 @@ -AC_INIT([mod_auth_openidc],[2.4.6],[hans.zandb...@zmartzone.eu]) +AC_INIT([mod_auth_openidc],[2.4.7],[hans.zandb...@zmartzone.eu]) AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/src/mod_auth_openidc.c new/mod_auth_openidc-2.4.7/src/mod_auth_openidc.c --- old/mod_auth_openidc-2.4.6/src/mod_auth_openidc.c 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/src/mod_auth_openidc.c 2021-04-05 16:22:26.000000000 +0200 
@@ -3524,6 +3524,29 @@ json_object_set_new(json, OIDC_HOOK_INFO_USER_INFO, claims); } + /* include the maximum session lifetime in the session info */ + if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_EXP, + APR_HASH_KEY_STRING)) { + apr_time_t session_expires = oidc_session_get_session_expires(r, + session); + json_object_set_new(json, OIDC_HOOK_INFO_SESSION_EXP, + json_integer(apr_time_sec(session_expires))); + } + + /* include the inactivity timeout in the session info */ + if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_TIMEOUT, + APR_HASH_KEY_STRING)) { + json_object_set_new(json, OIDC_HOOK_INFO_SESSION_TIMEOUT, + json_integer(apr_time_sec(session->expiry))); + } + + /* include the remote_user in the session info */ + if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION_REMOTE_USER, + APR_HASH_KEY_STRING)) { + json_object_set_new(json, OIDC_HOOK_INFO_SESSION_REMOTE_USER, + json_string(session->remote_user)); + } + if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_SESSION, APR_HASH_KEY_STRING)) { json_t *j_session = json_object(); 
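Review bot: In the new remote_user block, `json_string(session->remote_user)` returns NULL when `session->remote_user` is NULL, and `json_object_set_new()` then returns -1 without adding anything, so the key is silently absent from the hook output; that return value is not checked here. Whether remote_user can be NULL at this point is not visible in the hunk, but if it can, `json_string(session->remote_user != NULL ? session->remote_user : "")` (or `json_null()`) keeps the response shape predictable for consumers of the info hook. The enclosing function starts and ends outside this hunk.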
@@ -3531,14 +3554,6 @@ session->state); json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_UUID, json_string(session->uuid)); - json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_TIMEOUT, - json_integer(apr_time_sec(session->expiry))); - apr_time_t session_expires = oidc_session_get_session_expires(r, - session); - json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_EXP, - json_integer(apr_time_sec(session_expires))); - json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_REMOTE_USER, - json_string(session->remote_user)); json_object_set_new(json, OIDC_HOOK_INFO_SESSION, j_session); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/src/parse.c new/mod_auth_openidc-2.4.7/src/parse.c --- old/mod_auth_openidc-2.4.6/src/parse.c 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/src/parse.c 2021-04-05 16:22:26.000000000 +0200 @@ -1187,6 +1187,9 @@ OIDC_HOOK_INFO_ID_TOKEN, OIDC_HOOK_INFO_USER_INFO, OIDC_HOOK_INFO_REFRESH_TOKEN, + OIDC_HOOK_INFO_SESSION_EXP, + OIDC_HOOK_INFO_SESSION_TIMEOUT, + OIDC_HOOK_INFO_SESSION_REMOTE_USER, OIDC_HOOK_INFO_SESSION, NULL }; const char *rv = oidc_valid_string_option(pool, arg, options); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/src/proto.c new/mod_auth_openidc-2.4.7/src/proto.c --- old/mod_auth_openidc-2.4.6/src/proto.c 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/src/proto.c 2021-04-05 16:22:26.000000000 +0200 @@ -2335,7 +2335,8 @@ oidc_debug(r, "id_token_sub=%s, user_info_sub=%s", id_token_sub, user_info_sub); - if (user_info_sub == NULL) { + if ((user_info_sub == NULL) + && (apr_table_get(r->subprocess_env, "OIDC_NO_USERINFO_SUB") == NULL)) { oidc_error(r, "mandatory claim (\"%s\") was not returned from userinfo endpoint (https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)", OIDC_CLAIM_SUB); 
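Review bot: Dropping `timeout`, `exp` and `remote_user` from the nested `j_session` object changes the output of an existing `OIDCInfoHook session` configuration, while the auth_openidc.conf text in this same commit still describes `session (object)` as carrying "remote user" and "session expiry". Either keep the three entries in `j_session` for backwards compatibility (they are cheap to emit in both places) or update that comment to say the values moved to the top-level `exp`, `timeout` and `remote_user` entries. The enclosing function continues outside the hunk.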
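Review bot: When `OIDC_NO_USERINFO_SUB` is set and the userinfo response has no `sub`, the new condition skips the error silently, so a deployment running with this spec-mandated check disabled leaves no trace in the logs. A warning in that case, e.g. `if ((user_info_sub == NULL) && (apr_table_get(r->subprocess_env, "OIDC_NO_USERINFO_SUB") != NULL)) oidc_warn(r, "userinfo response has no \"%s\" claim; accepted because OIDC_NO_USERINFO_SUB is set", OIDC_CLAIM_SUB);`, would let operators see from the log that the opt-out is active. Hoisting the `apr_table_get` result into a local ahead of the two checks would also make the intent clearer than the inline lookup. The enclosing function starts and ends outside this hunk.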
@@ -2343,7 +2344,7 @@ return FALSE; } - if (id_token_sub != NULL) { + if ((id_token_sub != NULL) && (user_info_sub != NULL)) { if (apr_strnatcmp(id_token_sub, user_info_sub) != 0) { oidc_error(r, "\"%s\" claim (\"%s\") returned from userinfo endpoint does not match the one in the id_token (\"%s\")", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.6/src/session.c new/mod_auth_openidc-2.4.7/src/session.c --- old/mod_auth_openidc-2.4.6/src/session.c 2021-02-08 14:35:38.000000000 +0100 +++ new/mod_auth_openidc-2.4.7/src/session.c 2021-04-05 16:22:26.000000000 +0200 @@ -398,8 +398,12 @@ * terminate a session */ apr_byte_t oidc_session_kill(request_rec *r, oidc_session_t *z) { - oidc_session_free(r, z); - return oidc_session_save(r, z, FALSE); + if (z->state) { + json_decref(z->state); + z->state = NULL; + } + oidc_session_save(r, z, FALSE); + return oidc_session_free(r, z); } /*
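Review bot: `oidc_session_kill` now discards the result of `oidc_session_save(r, z, FALSE)`, so a failure to remove the session from the cache (the case #542 is about) is no longer reported to the caller; only the result of `oidc_session_free` is returned. Keeping both results preserves the previous contract: `apr_byte_t saved = oidc_session_save(r, z, FALSE);`, `apr_byte_t freed = oidc_session_free(r, z);`, `return saved && freed;`. Releasing `z->state` before the save looks intentional if the save is what evicts the cached entry, but how `oidc_session_save` treats a session whose state is NULL is outside the hunk and worth confirming.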