Re: [Cosign-discuss] cosign and apache 2.4, actual mod_cosign bug

2018-08-21 Thread Liam Hoekenga
Hi Chris -

The developer who owns the main cosign repository
(https://github.com/umich-iam/cosign) has been totally unresponsive for
several years.
Our institution is moving away from cosign, but we do have a repo that sees
some maintenance - https://github.com/umich-iam/cosign
You could switch your remotes and issue pull requests against us.

Liam

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss


Re: [Cosign-discuss] cosign and apache 2.4, actual mod_cosign bug

2018-08-21 Thread Qais Patankar
Apologies. I have deferred to writing my own filter for Cosign (not using
Apache), that's why I haven't encountered this.

Best of luck,

Qais

On Tue, 21 Aug 2018 at 07:22 Chris Hecker  wrote:

>
> I have it fixed locally.  I'm testing it now.
>
> It appears to rear its head if you switch from the old deprecated Order,
> Allow, Deny syntax to the newer 2.4 Require syntax.  Are you on the old
> syntax still?
>
> Chris
>
> On 2018-08-20 23:19, Qais Patankar wrote:
>
> I haven't run into this issue but I'm looking forward to hearing if
> patches on GitHub will be considered.
>
> The repository is fairly pointless if not.
>
> Qais
>


[Cosign-discuss] cosign and apache 2.4, actual mod_cosign bug

2018-08-20 Thread Chris Hecker

I'm trying to update my server that runs CoSign from httpd 2.2.x to
2.4.x, and I've got things building (there are several pull requests on
https://github.com/cosignweblogin/cosign to fix the minor build errors),
but I think I've found a more serious code bug:

Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
deprecated ap_some_auth_required and have silently made it incompatible
with 2.2 semantics, and they want people to switch to
ap_some_auth*n*_required, which has some reentry issues.  They're
claiming ap_some_auth_required now is a security hole, which appears to
be the case for me, meaning it circumvents the cosign redirect when
there's no cookie.

I'm working on a real patch, but I'm wondering if anybody else has run
into this.  Sadly, getting it built on 2.4 is not the only problem.  I
know CoSign is not really active anymore but I'd assume some folks have
updated like this and run into the problem?

Is there a plan to at least take patches on the github repo?

Chris