NEWS

Version 0.18.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

  Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
  validation to be bypassed by specifying an URL formatted as
  "///fishing-site.example.com/logout.html". In this case, the browser
  would interpret the URL differently than the APR parsing utility
  mellon uses and redirect to fishing-site.example.com.
  This could be reproduced with:
     https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html

  This version fixes that issue by rejecting all URLs that start with "///".

Enhancements:

* A new option MellonSessionIdleTimeout that represents the amount of time
  a user can be inactive before the user's session times out in seconds.

Bug fixes:

* Several build-time fixes

* The CookieTest SameSite attribute was only set to None if mellon configure
  option MellonCookieSameSite was set to something other than default.
  This is now fixed.


Version 0.17.0
---------------------------------------------------------------------------

Enhancements:

 * New option MellonSendExpectHeader (default On) which allows to disable
   sending the Expect header in the HTTP-Artifact binding to improve
   performance when the remote party does not support this header.

 * Set SameSite attribute to None on on the cookietest cookie.

 * Bump default generated keysize to 3072 bits in mellon_create_metadata.

Bug fixes:

 * Validate if the assertion ID has not been used earlier before creating
   a new session.

 * Release session cache after calling invalidate endpoint.

 * In MellonCond directives, fix a bug that setting the NC option would
   also activate substring match and that REG would activate REF.

 * Fix MellonCond substring match to actually match the substring on
   the attribute value.

Version 0.16.0
---------------------------------------------------------------------------

Enhancements:

 * The MellonCookieSameSite option accepts a new valid "None". This is intended
   to be used together with "MellonSecureCookie On". With some newer browsers,
   only cookies with "SameSite=None; Secure" would be available for cross-site
   access.

 * A new option MellonEnabledInvalidateSessionEndpoint was added. When this
   option is enabled, then a user can invalidate their session locally by
   calling the "/invalidate" endpoint.

Version 0.15.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-13038] Redirect URL validation bypass

  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
  validation to be bypassed by specifying an URL formatted as
  "http:www.hostname.com". In this case, the APR parsing utility
  would parse the scheme as http, host as NULL and path as www.hostname.com.
  Browsers, however, interpret the URL differently and redirect to
  www.hostname.com. This could be reproduced with:
     https://application.com/mellon/login?ReturnTo=http:www.hostname.com

  This version fixes that issue by rejecting all URLs with
  scheme, but no host name.

Enhancements:

 * A XSLT script that allows converting attribute maps from Shibboleth
   to a set of MellonSetEnvNoPrefix entries was added. The script can
   be found at doc/mellon-attribute-map.xsl

 * A new configuration option MellonEnvPrefix was added. This option allows
   you to configure the variable prefix, which normally defaults to MELLON_

 * A new configuration option MellonAuthnContextComparisonType was added.
   This option allows you to set the "Comparison" attribute within
   the AuthnRequest

Notable bug fixes:

  * Compilation issues on Solaris were fixed


Version 0.14.2
---------------------------------------------------------------------------

Security fixes:

* [CVE-2019-3878] Authentication bypass when Apache is used as a
  reverse proxy

  If Apache is configured as a reverse proxy with mod_auth_mellon for
  authentication, the authentication can be bypassed by adding SAML
  2.0 ECP headers to the request.

  This vulnerability affects mod_auth_mellon 0.11.0 and newer.

  This vulnerability is due to both mod_auth_mellon and mod_proxy
  registering as handlers for the requests, with the same
  priority. When mod_auth_mellon handles the request first, it will
  trigger a ECP authentication request. If mod_proxy handles it first,
  it will forward it to the backend server.

  Which module handles it first depends on the order modules are
  loaded by Apache.

  This vulnerability is fixes by specifically registering that the
  mod_auth_mellon handler should run before mod_proxy.

  Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this
  vulnerability.

* [CVE-2019-3877] Redirect URL validation bypass

  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
  validation to be bypassed by specifying an URL with backslashes
  instead of forward slashes. Browsers silently convert backslashes to
  forward slashes, which allows an attacker to bypass the redirect URL
  validation by using `%5c` in the ReturnTo-parameter. E.g.:

    https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/

  This version fixes that issue by rejecting all URLs with
  backslashes.

  Thanks to Eric Chamberland for discovering this vulnerability.


Version 0.14.1
---------------------------------------------------------------------------

Bug fixes:

* Fix environment variables in MellonCond
* Fix detection of AJAX requests
* Fix trailing semi-colon in Set-Cookie header

Version 0.14.0
---------------------------------------------------------------------------

Backwards incompatible changes:

This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.

New features:

* Many improvements in what is logged during various errors.

* Diagnostics logging, which creates a detailed log during request
  processing.

* Add support for selecting which signature algorithm is used when
  signing messages, and switch to rsa-sha256 by default.

Bug fixes:

* Fix segmentation fault in POST replay functionality on empty value.

* Fix incorrect error check for many `lasso_*`-functions.

* Fix case sensitive match on MellonUser attribute name.


Version 0.13.1
---------------------------------------------------------------------------

Security fix:

Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session specified
in the user's session cookie was created for the web site the user
actually accesses.

If two different web sites are hosted on the same web server, and both
web sites use mod_auth_mellon for authentication, this vulnerability
makes it possible for an attacker with access to one of the web sites
to copy their session cookie to the other web site, and then use the
same session to get access to the other web site.

Thanks to François Kooman for reporting this vulnerability.

This vulnerability has been assigned CVE-2017-6807.

Note: The fix for this vunlerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match the
cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the `MellonCookie`-option to the same
value on all domains.

Bug fixes:

* Fix segmentation fault if a (trusted) identity provider returns a
  SAML 2.0 attribute without a Name.

* Fix segmentation fault if MellonPostReplay is enabled but
  MellonPostDirectory is not set.


Version 0.13.0
---------------------------------------------------------------------------

Security fix:

Fix a denial of service attack in the logout handler, which allows a
remote attacker to crash the Apache worker process with a segmentation
fault. This is caused by a null-pointer dereference when processing a
malformed logout message.

New features:

* Allow MellonSecureCookie to be configured to enable just one of the
  "httponly" of "secure" flags, instead of always enabling both flags.

* Support per-module log level with Apache 2.4.

* Allow disabling the Cache-Control HTTP response header.

* Add support for SameSite cookie parameter.

Bug fixes:

* Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
  respond to the probe request.

* Fix mod_auth_mellon interfering with other Apache authentication
  modules even when it is disabled for a path.

* Fix wrong HTTP status code being returned in some cases during user
  permission checks.

* Fix default POST size limit to actually be 1 MB.

* Fix error if authentication response is missing the optional
  Conditions-element.

* Fix AJAX requests being redirected to the IdP.

* Fix wrong content type for ECP authentication request responses.

In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.


Version 0.12.0
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.

In addition this release contains the following new features and fixes:

* Add MellonRedirectDomains option to limit the sites that
  mod_auth_mellon can redirect to. This option is enabled by default.

* Add support for ECP service options in PAOS requests.

* Fix AssertionConsumerService lookup for PAOS requests.


Version 0.11.1
---------------------------------------------------------------------------

Security fixes:

* [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
  incorrect error handling when reading POST data from client.

* [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
  resource exhaustion) due to missing size checks when reading
  POST data.


Version 0.11.0
---------------------------------------------------------------------------

* Add SAML 2.0 ECP support.

* The MellonDecode option has been disabled. It was used to decode
  attributes in a Feide-specific encoding that is no longer used.

* Set max-age=0 in Cache-Control header, to ensure that all browsers
  verifies the data on each request.

* MellonMergeEnvVars On now accepts second optional parameter, the
  separator to be used instead of the default ';'.

* Add option MellonEnvVarsSetCount to specify if the number of values
  for any attribute should also be stored in environment variable
  suffixed _N.

* Add option MellonEnvVarsIndexStart to specify if environment variables
  for multi-valued attributes should start indexing with 0 (default) or
  with 1.

* Bugfixes:

  * Fix error about missing authentication with DirectoryIndex in
    Apache 2.4.


Version 0.10.0
---------------------------------------------------------------------------

* Make sure that we fail in the unlikely case where OpenSSL is not able
  to provide us with a secure session id.

* Increase the number of key-value pairs in the session to 2048.

* Add MellonMergeEnvVars-option to store multi-valued attributes in
  a single environment variable, separated with ';'.

* Bugfixes:

  * Fix the [MAP] option for MellonCond.

  * Fix cookie deletion for the session cookie. (Logout is not dependent
    on the cookie being deleted, so this only fixes the cookie showing
    up after the session is deleted.)


Version 0.9.1
---------------------------------------------------------------------------

* Bugfixes:

  * Fix session offset calculation that prevented us from having
    active sessions at once.

  * Run mod_auth_mellon request handler before most other handlers,
    so that other handlers cannot block it by accident.


Version 0.9.0
---------------------------------------------------------------------------

* Set the AssertionConsumerServiceURL attribute in authentication
  requests.

* Bugfixes:

  * Fix use of uninitialized data during logout.

  * Fix session entry overflow leading to segmentation faults.

  * Fix looking up sessions by NameID, which is used during logout.


Version 0.8.1
---------------------------------------------------------------------------

This is a security release with fixes backported from version 0.9.1.

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)

In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)


Version 0.8.0
---------------------------------------------------------------------------

* Add support for receiving HTTP-Artifact identifiers as POST data.

* Simplify caching headers.

* Map login errors into more appropriate HTTP error codes than
  400 Bad Request.

* Add MellonNoSuccessErrorPage option to redirect to a error page on login
  failure.

* Turn session storage into a dynamic pool of memory, which means that
  attribute values (and other items) can have arbitrary sizes as long as
  they fit in the session as a whole.

* Various bugfixes:

  * Fix for compatibility with recent versions of CURL.

  * Fix broken option MellonDoNotVerifyLogoutSignature.

  * Fix deadlock that could occur during logout processing.

  * Fix some compile warnings.

  * Fix some NULL derefernce bugs that may lead to segmentation faults.

  * Fix a minor memory leak during IdP metadata loading.


Version 0.7.0
---------------------------------------------------------------------------

* Add MellonSPentityId to control entityId in autogenerated metadata

* Fix compatibility with Apache 2.4.

* Handle empty RelayState the same as missing RelayState.

* Add MellonSetEvnNoPrefix directive to set environment variables
  without "MELLON_"-prefix.


Version 0.6.1
---------------------------------------------------------------------------

* Fix the POST replay functionality when multiple users logging in
  at once.

* Add a fallback for the case where the POST replay data has expired
  before the user logs in.


Version 0.6.0
---------------------------------------------------------------------------

Backwards-incompatible changes:

* The POST replay functionality has been disabled by default, and the
  automatic creation of the MellonPostDirectory target directory has been
  removed. If you want to use the POST replay functionality, take a
  look at the README file for instructions for how to enable this.

* Start discovery service when accessing the login endpoint. We used
  to bypass the discovery service in this case, and just pick the first
  IdP. This has been changed to send a request to the discovery service
  instead, if one is configured.

* The MellonLockFile default path has been changed to:
    /var/run/mod_auth_mellon.lock
  This only affects platforms where a lock file is required and
  where Apache doesn't have write access to that directory during
  startup. (Apache can normally create files in that directory
  during startup.)

Other changes:

* Fix support for SOAP logout.

* Local logout when IdP does not support SAML 2.0 Single Logout.

* MellonDoNotVerifyLogoutSignature option to disable logout signature
  validation.

* Support for relative file paths in configuration.

* The debian build-directory has been removed from the repository.

* Various cleanups and bugfixes:

  * Fix cookie parsing header parsing for some HTTP libraries.

  * Fix inheritance of MellonAuthnContextClassRef option.

  * Use ap_set_content_type() instead of accessing request->content_type.

  * README indentation cleanups.

  * Support for even older versions of GLib.

  * Fixes for error handling during session initialization.

  * Directly link with GLib rather than relying on the Lasso library
    linking to it for us.

  * Some code cleanups.


Version 0.5.0
---------------------------------------------------------------------------

* Honour MellonProbeDiscoveryIdP order when sending probes.

* MellonAuthnContextClassRef configuration directive, to limit
  authentication to specific authentication methods.

* Support for the HTTP-POST binding when sending authentication
  requests to the IdP.

* MellonSubjectConfirmationDataAddressCheck option to disable received
  address checking.

* Various cleanups and bugfixes:

  * Support for older versions of GLib and APR.

  * Send the correct SP entityID to the discovery service.

  * Do not set response headers twice.

  * Several cleanups in the code that starts authentication.


Version 0.4.0
---------------------------------------------------------------------------

* Allow MellonUser variable to be translated through MellonSetEnv

* A /mellon/probeDisco endpoint replaces the builtin:get-metadata 
  IdP dicovery URL scheme

* New MellonCond directive to enable attribute filtering beyond
  MellonRequire functionalities. 

* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
  using a glob(3) pattern.

* Support for running behind reverse proxy.

* MellonCookieDomain and MellonCookiePath options to configure cookie
  settings.

* Support for loading federation metadata files.

* Several bugfixes.


Version 0.3.0
---------------------------------------------------------------------------

* New login-endpoint, which allows easier manual initiation of login
  requests, and specifying parameters such as IsPassive.

* Validation of Conditions and SubjectConfirmation data in the assertion
  we receive from the IdP.

* Various bugfixes.


Version 0.2.7
---------------------------------------------------------------------------

* Optionaly save the remote IdP entityId in the environment

* Shibboleth 2 interoperability


Version 0.2.6
---------------------------------------------------------------------------

* Fix XSS/DOS vulnerability in repost handler.


Version 0.2.5
---------------------------------------------------------------------------

* Replay POST requests after been sent to the IdP

* Fix HTTP response splitting vulnerability.


Version 0.2.4
---------------------------------------------------------------------------

* Fix for downloads of files with Internet Explorer with SSL enabled.

* Mark session as disabled as soon as logout starts, in case the IdP
  doesn't respond.


Version 0.2.3
---------------------------------------------------------------------------

* Bugfix for session lifetime. Take the session lifetime from the
  SessionNotOnOrAfter attribute if it is present.


Version 0.2.2
---------------------------------------------------------------------------

* Improve metadata autogeneration: cleanup certificate, allow Organizarion
  element data to be supplied from Apache configuration


Version 0.2.1
---------------------------------------------------------------------------

* Make SAML authentication assertion and Lasso session available in the
  environment.


Version 0.2.0
---------------------------------------------------------------------------

* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)

* Multiple IdP support, with discovery service.

* Built in discovery service which tests the availability of each IdP,
  and uses the first available IdP.

* Fix a mutex leak.


Version 0.1.1
---------------------------------------------------------------------------

* MellonSecureCookie option, which enables Secure + HttpOnly flags on
  session cookies.

* Better handling of logout request when the user is already logged out.


Version 0.1.0
---------------------------------------------------------------------------

* Better support for BSD.

* Support for setting a IdP CA certificate and SP certificate.

* Support for loading the private key during web server initialization.
  With this, the private key only needs to be readable by root. This
  requires a recent version of Lasso to work.

* Better DOS resistance, by only allocating a session when the user has
  authenticated with the IdP.

* Support for IdP initiated login. The MellonDefaultLoginPath option can
  be to configure which page the user should land on after authentication.


Version 0.0.7
---------------------------------------------------------------------------

* Renamed the logout endpoint from "logoutRequest" to "logout".
  "logoutRequest" is now an alias for "logout", and may be removed in the
  future.

* Added SP initiated logout. To initiate a logout from the web site, link
  the user to the logout endpoint, with a ReturnTo parameter with the url
  the user should be redirected to after being logged out. Example url:
  "https://www.example.com/secret/endpoint/logout
   ?ReturnTo=http://www.example.com/". (Note that this should be on a
  single line.)

* Fixed a memory leak on login.

* Increased maximum Lasso session size to 8192 from 3074. This allows us to
  handle users with more attributes.

* Fixed handling of multiple AttributeValue elements in response.