Merge pull request #6 from jhrozek/v0_14_3

Let's release 0.15.0
latchset · Nov 19, 2019 · b54c0e3 · b54c0e3
2 parents 5f220e7 + 79b16ad
commit b54c0e3
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 3 deletions.
diff --git a/NEWS b/NEWS
@@ -1,3 +1,39 @@
+Version 0.15.0
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-13038] Redirect URL validation bypass
+
+  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
+  validation to be bypassed by specifying an URL formatted as
+  "http:www.hostname.com". In this case, the APR parsing utility
+  would parse the scheme as http, host as NULL and path as www.hostname.com.
+  Browsers, however, interpret the URL differently and redirect to
+  www.hostname.com. This could be reproduced with:
+     https://application.com/mellon/login?ReturnTo=http:www.hostname.com
+
+  This version fixes that issue by rejecting all URLs with
+  scheme, but no host name.
+
+Enhancements:
+
+ * A XSLT script that allows converting attribute maps from Shibboleth
+   to a set of MellonSetEnvNoPrefix entries was added. The script can
+   be found at doc/mellon-attribute-map.xsl
+
+ * A new configuration option MellonEnvPrefix was added. This option allows
+   you to configure the variable prefix, which normally defaults to MELLON_
+
+ * A new configuration option MellonAuthnContextComparisonType was added.
+   This option allows you to set the "Comparison" attribute within
+   the AuthnRequest
+
+Notable bug fixes:
+
+  * Compilation issues on Solaris were fixed
+
+
 Version 0.14.2
 ---------------------------------------------------------------------------
 

diff --git a/README.md b/README.md
@@ -893,9 +893,10 @@ There's a mailing list for discussion and support.
 ## Reporting security vulnerabilities
 
 For reporting security vulnerabilities in mod_auth_mellon, please contact
-the maintainer directly at the following email address:
+the maintainers directly at the following email address:
 
-  olav.morken@uninett.no
+  jhrozek@redhat.com
+  simo@redhat.com
 
 This allows us to coordinate the disclosure of the vulnerability with the
 fixes for the vulnerability.

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.14.2],[olav.morken@uninett.no])
+AC_INIT([mod_auth_mellon],[0.15.0],[https://github.com/latchset/mod_auth_mellon/issues])
 AC_CONFIG_HEADERS([config.h])
 
 # We require support for C99.