I have it fixed locally.  I'm testing it now.

It appears to rear its head if you switch from the old deprecated Order,
Allow, Deny syntax to the newer 2.4 Required syntax.  Are you on the old
syntax still?

Chris




On 2018-08-20 23:19, Qais Patankar wrote:
> I haven't run into this issue but I'm looking forward to hearing if
> patches on GitHub will be considered.
>
> The repository is fairly pointless if not.
>
> Qais
>
> On Mon, 20 Aug 2018 at 21:24 Chris Hecker <chec...@d6.com
> <mailto:chec...@d6.com>> wrote:
>
>
>     I'm trying to update my server that runs CoSign from httpd 2.2.x
>     to 2.4.x, and I've got things building (there are several pull
>     requests on https://github.com/cosignweblogin/cosign to fix the
>     minor build errors), but I think I've found a more serious code bug:
>
>     Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
>     deprecated ap_some_auth_required and have silently made it
>     incompatible with 2.2 semantics, and they want people to switch to
>     ap_some_auth*n*_required, which has some reentry issues.  They're
>     claiming ap_some_auth_required now is a security hole, which
>     appears to be the case for me, meaning it circumvents the cosign
>     redirect when there's no cookie.
>
>     I'm working on a real patch, but I'm wondering if anybody else has
>     run into this.  Sadly, getting it built on 2.4 is not the only
>     problem.  I know CoSign is not really active anymore but I'd
>     assume some folks have updated like this and run into the problem?
>
>     Is there a plan to at least take patches on the github repo?
>
>     Chris
>
>     Cosign-discuss mailing list
>     Cosign-discuss@lists.sourceforge.net
>     <mailto:Cosign-discuss@lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
