I'm trying to update my server that runs CoSign from httpd 2.2.x to
2.4.x, and I've got things building (there are several pull requests on
https://github.com/cosignweblogin/cosign to fix the minor build errors),
but I think I've found a more serious code bug:

Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
deprecated ap_some_auth_required and have silently made it incompatible
with 2.2 semantics, and they want people to switch to
ap_some_auth*n*_required, which has some reentry issues.  They're
claiming ap_some_auth_required now is a security hole, which appears to
be the case for me, meaning it circumvents the cosign redirect when
there's no cookie.

I'm working on a real patch, but I'm wondering if anybody else has run
into this.  Sadly, getting it built on 2.4 is not the only problem.  I
know CoSign is not really active anymore, but I'd assume some folks have
updated like this and run into the problem?

Is there a plan to at least take patches on the github repo?

Chris
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss