Apologies. I have deferred to writing my own filter for Cosign (not using
Apache), that's why I haven't encountered this.

Best of luck,

Qais

On Tue, 21 Aug 2018 at 07:22 Chris Hecker <chec...@d6.com> wrote:

>
> I have it fixed locally.  I'm testing it now.
>
> It appears to rear its head if you switch from the old deprecated Order,
> Allow, Deny syntax to the newer 2.4 Required syntax.  Are you on the old
> syntax still?
>
>
> Chris
>
>
> On 2018-08-20 23:19, Qais Patankar wrote:
>
> I haven't run into this issue but I'm looking forward to hearing if
> patches on GitHub will be considered.
>
> The repository is fairly pointless if not.
>
> Qais
>
> On Mon, 20 Aug 2018 at 21:24 Chris Hecker <chec...@d6.com> wrote:
>
>>
>> I'm trying to update my server that runs CoSign from httpd 2.2.x to
>> 2.4.x, and I've got things building (there are several pull requests on
>> https://github.com/cosignweblogin/cosign to fix the minor build errors),
>> but I think I've found a more serious code bug:
>>
>> Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
>> deprecated ap_some_auth_required and have silently made it incompatible
>> with 2.2 semantics, and they want people to switch to ap_some_auth*n*_required,
>> which has some reentry issues.  They're claiming ap_some_auth_required now
>> is a security hole, which appears to be the case for me, meaning it
>> circumvents the cosign redirect when there's no cookie.
>>
>> I'm working on a real patch, but I'm wondering if anybody else has run
>> into this.  Sadly, getting it built on 2.4 is not the only problem.  I know
>> CoSign is not really active anymore but I'd assume some folks have updated
>> like this and run into the problem?
>>
>> Is there a plan to at least take patches on the github repo?
>>
>> Chris
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cosign-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>>
>
>