Re: [Cosign-discuss] cosign and apache 2.4, actual mod_cosign bug

Tue, 21 Aug 2018 05:36:02 -0700 

Hi Chris -

The developer who is owns the main cosign repository (
https://github.com/umich-iam/cosign) has been totally unresponsive for
several years.
Our institution is moving away from cosign, but we do have a repo that sees
some maintenance - https://github.com/umich-iam/cosign
You could switch your remotes and issue a pull requests against us.

Liam

On Mon, Aug 20, 2018 at 2:31 PM, Chris Hecker <chec...@d6.com> wrote:

>
> I'm trying to update my server that runs CoSign from httpd 2.2.x to 2.4.x,
> and I've got things building (there are several pull requests on
> https://github.com/cosignweblogin/cosign to fix the minor build errors),
> but I think I've found a more serious code bug:
>
> Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
> deprecated ap_some_auth_required and have silently made it incompatible
> with 2.2 semantics, and they want people to switch to 
> ap_some_auth*n*_required,
> which has some reentry issues.  They're claiming ap_some_auth_required now
> is a security hole, which appears to be the case for me, meaning it
> circumvents the cosign redirect when there's no cookie.
>
> I'm working on a real patch, but I'm wondering if anybody else has run
> into this.  Sadly, getting it built on 2.4 is not the only problem.  I know
> CoSign is not really active anymore but I'd assume some folks have updated
> like this and run into the problem?
>
> Is there a plan to at least take patches on the github repo?
>
> Chris
>
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss

Reply via email to