[pubcookie-dev] CVS update: dors; webiso/pubcookie/doc CHANGES.txt,1.32,1.33 CREDITS.txt,1.14,1.15 install-filter.html,1.28,1.29 install-login.html,1.47,1.48 install-mod_pubcookie.html,1.33,1.34

dors at cac.washington.edu dors at cac.washington.edu
Sun Jan 31 22:39:39 PST 2010


Update of /usr/local/cvsroot/webiso/pubcookie/doc
In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv15064/doc

Modified Files:
CHANGES.txt CREDITS.txt install-filter.html install-login.html
install-mod_pubcookie.html
Log Message:
doc updates for 3.3.4




Index: webiso/pubcookie/doc/CHANGES.txt
diff -u webiso/pubcookie/doc/CHANGES.txt:1.32 webiso/pubcookie/doc/CHANGES.txt:1.33
--- webiso/pubcookie/doc/CHANGES.txt:1.32 Thu Sep 6 14:46:52 2007
+++ webiso/pubcookie/doc/CHANGES.txt Sun Jan 31 22:39:37 2010
@@ -1,3 +1,30 @@
+Changes with 3.3.4:
+
+*) Security fix to ISAPI filter for stack buffer overflow. (Reported by
+ Chris Ries, Carnegie Mellon University.)
+
+*) Fixed bug in the login cgi's supporting cgic library that caused
+ granting request parsing problems (for referring URLs with no
+ "name=value" args), which particularly affect session reauth.
+ (Bug diagnosed and reported by Todd Ross.)
+
+*) Fixed bug in login cgi allocation of space to altconfig; we were
+ off by 1. (Discovered and fixed by Bradley Schwoerer and Jon Miner.)
+
+*) Fixed bug in Apache module handling of angle brackets in the argument
+ names in POST data. (Bug reported by Trevor Bortins and Jon Hauser.)
+
+*) Fixed ISAPI filter meta-refresh redirect that enforces https to
+ re-encode query string arguments prior to redirect so that values
+ aren't truncated. (Bug reported by William Jordan.)
+
+*) Fixed bug in keyserver that crashed it when using the login_servers
+ config file option. (Bug report and patch provided by Pascal Lalonde.)
+
+*) Added support for 4096 bit private keys to login cgi.
+
+*) Modified login cgi to log user's IP address on Redirect log line.
+
Changes with 3.3.3:

*) Fixed Apache module not to handle /favicon.ico requests when
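
Review bot: The first 3.3.4 entry, the ISAPI filter stack buffer overflow fix, carries no pointer to the advisory, although install-filter.html in this same commit links http://pubcookie.org/news/20100201-apps-secadv.html for it. CHANGES.txt is the file upgraders tend to read first, so add the advisory URL to that entry and consider setting the security fix apart from the functional bug fixes below it. Minor: "4096 bit" here is written "4096-bit" in install-login.html; pick one.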


Index: webiso/pubcookie/doc/CREDITS.txt
diff -u webiso/pubcookie/doc/CREDITS.txt:1.14 webiso/pubcookie/doc/CREDITS.txt:1.15
--- webiso/pubcookie/doc/CREDITS.txt:1.14 Tue Jun 20 10:09:23 2006
+++ webiso/pubcookie/doc/CREDITS.txt Sun Jan 31 22:39:37 2010
@@ -39,6 +39,7 @@
* Benjamin Armintor University of Texas-Austin
* Doug DeJulio Carnegie Mellon University
* Konstantin Ryabitsev McGill University
+ * Chris Ries Carnegie Mellon University

Sponsors:
* The Andrew W. Mellon Foundation


Index: webiso/pubcookie/doc/install-filter.html
diff -u webiso/pubcookie/doc/install-filter.html:1.28 webiso/pubcookie/doc/install-filter.html:1.29
--- webiso/pubcookie/doc/install-filter.html:1.28 Wed Sep 12 08:32:22 2007
+++ webiso/pubcookie/doc/install-filter.html Sun Jan 31 22:39:37 2010
@@ -66,6 +66,16 @@

<h4><a name="news">What's New</a></h4>

+ <p>Significant changes in Pubcookie 3.3.4:</p>
+
+ <ul>
+ <li><p><b>Fixed Stack Buffer Overflow in ISAPI Filter.</b>
+ Applied security fix to address stack buffer overflow vulnerability described in
+ <a href="http://pubcookie.org/news/20100201-apps-secadv.html">February 1, 2010 security advisory</a>.</p></li>
+ <li><p><b>Fixed query string encoding bug in Meta-Refresh redirect.</b> When enforcing https, the filter
+ re-encodes query string arguments prior to redirection, so that values aren't truncated.</p></li>
+ </ul>
+
<p>Significant changes in Pubcookie 3.3.3:</p>

<ul>
@@ -731,7 +741,7 @@

<h4><a name="problems">Known Problems</a></h4>

- <p>Known problems with the Windows components in Pubcookie 3.3.1:</p>
+ <p>Known problems with the Windows components in Pubcookie 3.3:</p>

<ul>
<li>
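Review bot: "Pubcookie 3.3" in the changed Known Problems heading is ambiguous now that this commit documents 3.3.4: it can be read as the original 3.3 release or as the whole 3.3 series. If the list applies to every 3.3 release up to and including 3.3.4, write "3.3.x" or "the 3.3 series"; if individual items were fixed along the way, note the version next to the item.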
@@ -783,7 +793,12 @@
directories at the root level of a site require a trailing slash. Without it, the filter uses
the default configuration and doesn't pick up the settings specific to the folder or virtual
directory. Until this is fixed in the filter, links and requests should always include the trailing slash.
- (But that's good form anyway.)
+ (But that's good form anyway.)</p>
+
+ <li>
+ <p><b>Filter works okay, but status not updating.</b> With IIS 6, the "Network Service" account needs read
+ permission to the Pubcookie folder to update the ISAPI filter status (to status up/green). This is the account the
+ filter runs under as per the DefaultAppPool Identity setting.</p>
</ul>

<h4><a name="certs">Appendix A: Windows Certificate Store</a></h4>
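
Review bot: The added <li> for "Filter works okay, but status not updating." is never closed before </ul>, and the </p> added to the preceding item closes its paragraph but not its list item; the What's New list added earlier in this same file closes every item with </li>, so do the same here. On the wording, it would help to say that read permission alone is enough for the "Network Service" account, so administrators fixing the status display do not grant more than the item asks for.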


Index: webiso/pubcookie/doc/install-login.html
diff -u webiso/pubcookie/doc/install-login.html:1.47 webiso/pubcookie/doc/install-login.html:1.48
--- webiso/pubcookie/doc/install-login.html:1.47 Wed Feb 7 14:49:22 2007
+++ webiso/pubcookie/doc/install-login.html Sun Jan 31 22:39:37 2010
@@ -79,7 +79,30 @@
<h4><a name="new">What's New</a></h4>

<p>Significant improvements and changes to the login server components
-included in Pubcookie 3.3.2c:</p>
+included in Pubcookie 3.3.4:</p>
+
+<ul>
+
+<li>Added support for 4096-bit private keys to login cgi.</li>
+
+<li>Modified login cgi to log user's IP address on Redirect log line.</li>
+
+</ul>
+
+<p>Significant improvements and changes to the login server
+components included in Pubcookie 3.3.2d:</p>
+
+<ul>
+
+<li>Applied security fixes to address vulnerability described in
+<a href="http://pubcookie.org/news/20070606-login-secadv.html">June
+28, 2007 security advisory</a>.</li>
+
+</ul>
+
+<p>Significant improvements and changes
+to the login server
+components included in Pubcookie 3.3.2c:</p>

<ul>

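Review bot: In the added 3.3.2d item, the link text reads "June 28, 2007 security advisory" but the target is 20070606-login-secadv.html, whose name suggests June 6. The 3.3.4 advisory in install-filter.html pairs "February 1, 2010" with 20100201-apps-secadv.html, so the date and file name normally agree; please confirm which date is right and correct the text or the link. Also, the heading "included in Pubcookie 3.3.2c" is now wrapped over three lines where the other headings use two.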
@@ -177,7 +200,6 @@

</ul>

-
<p>See <tt>doc/CHANGES.txt</tt> for bug fixes and other improvements.</p>

<h4><a name="upgrading">Upgrading &amp; Compatibility</a></h4>
@@ -214,6 +236,15 @@

<dl>

+<dt>Upgrading to 3.3.4:</dt>
+
+<dd><b>User's IP address added to Redirect log line:</b>
+Sites that parse the login cgi's log file data should be aware that
+the user's IP address has been added to support additional business
+purposes (e.g. usage metrics, forensics, troubleshooting). Any scripts
+or programs that depend on the format of this data should be tested
+for compatibility prior to deploying the new version.</dd>
+
<dt>Upgrading to 3.3:</dt>

<dd><b>AES encryption impact on SSO:</b> Sites upgrading to 3.3 should
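Review bot: The "Upgrading to 3.3.4" entry warns that the Redirect log line changed but does not show the new format or say where in the line the IP address appears, so sites have to diff log output to find out what their parsers must handle. Add one sample Redirect line in the old format and one in the new, and state whether the address is appended or inserted between existing fields. Since the line now carries a user IP address, a sentence reminding sites to check the login server log against their retention policy would fit here too.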
@@ -1259,7 +1290,7 @@
See doc/LICENSE.txt for terms of use.
</p>
<pre>
-$Id: install-login.html,v 1.47 2007/02/07 22:49:22 willey Exp $
+$Id: install-login.html,v 1.48 2010/02/01 06:39:37 dors Exp $
</pre>
</body>



Index: webiso/pubcookie/doc/install-mod_pubcookie.html
diff -u webiso/pubcookie/doc/install-mod_pubcookie.html:1.33 webiso/pubcookie/doc/install-mod_pubcookie.html:1.34
--- webiso/pubcookie/doc/install-mod_pubcookie.html:1.33 Wed Sep 12 08:32:22 2007
+++ webiso/pubcookie/doc/install-mod_pubcookie.html Sun Jan 31 22:39:37 2010
@@ -56,6 +56,12 @@

<h4><a name="new">What's New</a></h4>

+ <p>Significant improvements and changes included in Pubcookie 3.3.4:</p>
+
+ <ul>
+ <li>Fix handling of angle brackets in the argument names in POST data.</li>
+ </ul>
+
<p>Significant improvements and changes included in Pubcookie 3.3.3:</p>

<ul>
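Review bot: The added item "Fix handling of angle brackets in the argument names in POST data." does not say what the module did wrong with such names or what it does now, and neither does the matching CHANGES.txt entry. One more clause describing the old and new behaviour would let application owners judge whether forms they protect were affected. Wording nit: the other entries in this commit are past tense ("Fixed", "Added", "Modified"); use "Fixed" here.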
@@ -619,25 +625,16 @@
<p>
<TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5">
<TR>
- <TD> <pre>&lt;IfDefine HAVE_SSL&gt;
-LoadModule ssl_module modules/libssl.so
+ <TD> <pre>LoadModule ssl_module modules/libssl.so
LoadModule pubcookie_module modules/mod_pubcookie.so
-&lt;/IfDefine&gt;

...

-&lt;IfDefine HAVE_SSL&gt;
AddModule mod_ssl.c
-AddModule mod_pubcookie.c
-&lt;/IfDefine&gt;</pre></TD>
+AddModule mod_pubcookie.c</pre></TD>
</TR>
</TABLE></p>
<p>Again, this is just an example. Your httpd.conf may differ.</p>
- <p>Warning: if your LoadModule and AddModule directives for the
- module are placed within an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block
- directive, all Pubcookie run-time directives must
- also be placed with an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block
- directive.</p>

<p><b>Apache 2.0: LoadModule</b><br>
With Apache 2.0, add a <a href="http://httpd.apache.org/docs-2.0/mod/mod_so.html#loadmodule">LoadModule</a>
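Review bot: Deleting the <IfDefine HAVE_SSL> warning paragraph here leaves this step with no mention of the case where a site's stock httpd.conf still wraps the ssl_module lines in that block, while the later hunk at -720 keeps the same warning in another section. Either keep a one-line pointer to that retained warning after "Again, this is just an example. Your httpd.conf may differ.", or state that the example assumes the directives are unconditional.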
@@ -649,13 +646,20 @@
<TD> <pre>LoadModule pubcookie_module modules/mod_pubcookie.so</pre></TD>
</TR>
</TABLE></p>
+ <p>Tip: With Apache 2.2, <a href="http://httpd.apache.org/docs/2.2/mod/mod_authz_user.html">authz_user_module</a>
+ should be loaded to use the 'require valid-user' syntax often used in tandem with Pubcookie authentication.</p>
+ <p>
+ <TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5">
+ <TR>
+ <TD> <pre>LoadModule authz_user_module modules/mod_authz_user.so</pre></TD>
+ </TR>
+ </TABLE></p>
<li>
<p>Add a new section in httpd.conf for configuring the module:</p>
<p>
<TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5">
<TR>
- <TD> <pre>&lt;IfDefine HAVE_SSL&gt;
-&lt;IfModule mod_pubcookie.c&gt;
+ <TD> <pre>&lt;IfModule mod_pubcookie.c&gt;

#
# Pubcookie configuration section
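Review bot: The added Apache 2.2 tip sits directly under the "Apache 2.0: LoadModule" paragraph with no label of its own, so it reads as part of the 2.0 instructions. Give it its own "Apache 2.2" lead-in in the same bold style, and say what an administrator will see when 'require valid-user' is used without authz_user_module loaded, so the symptom can be recognised rather than mistaken for a Pubcookie fault.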
@@ -677,8 +681,7 @@
PubcookieInactiveExpire -1
&lt;/Directory&gt;

-&lt;/IfModule&gt;
-&lt;/IfDefine&gt;</pre></TD>
+&lt;/IfModule&gt;</pre></TD>
</TR>
</TABLE>

@@ -720,10 +723,9 @@
</li>
<li>
<p>Warning: If your LoadModule and AddModule directives
- reside within an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block directive
+ reside within an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block directive,
then all the module's configuration directives must also reside
- within an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block directive. This is the
- convention used throughout this guide.</p>
+ within an <tt>&lt;IfDefine HAVE_SSL&gt;</tt> block directive.</p>
</li>
<li>
<p>Permissions. If you initially start Apache as root and use the
@@ -947,8 +949,7 @@
<p>
<TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5">
<TR>
- <TD> <pre>&lt;IfDefine HAVE_SSL&gt;
-&lt;IfModule mod_pubcookie.c&gt;
+ <TD> <pre>&lt;IfModule mod_pubcookie.c&gt;

#
# Pubcookie configuration section
@@ -972,8 +973,7 @@
PubcookieEndSession clearLogin
&lt;/LocationMatch&gt;

-&lt;/IfModule mod_pubcookie.c&gt;
-&lt;/IfDefine&gt;</pre></TD>
+&lt;/IfModule mod_pubcookie.c&gt;</pre></TD>
</TR>
</TABLE>
</p>
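
Review bot: The replacement closing line keeps an argument on the end tag, "&lt;/IfModule mod_pubcookie.c&gt;", while the earlier example in this file (the -677 hunk) closes the same block with a bare "&lt;/IfModule&gt;". Since this line is being rewritten anyway, make it the bare form so the two examples agree and readers copying this one get the conventional closing tag.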


