Prepare mellon release 0.18.0 (#72)

Resolves: #71
latchset · Jul 30, 2021 · d5cfa39 · d5cfa39
1 parent 0b494db
commit d5cfa39
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -1,3 +1,34 @@
+Version 0.18.0
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-13038] Redirect URL validation bypass
+
+  Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
+  validation to be bypassed by specifying an URL formatted as
+  "///fishing-site.example.com/logout.html". In this case, the browser
+  would interpret the URL differently than the APR parsing utility
+  mellon uses and redirect to fishing-site.example.com.
+  This could be reproduced with:
+     https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+
+  This version fixes that issue by rejecting all URLs that start with "///".
+
+Enhancements:
+
+* A new option MellonSessionIdleTimeout that represents the amount of time
+  a user can be inactive before the user's session times out in seconds.
+
+Bug fixes:
+
+* Several build-time fixes
+
+* The CookieTest SameSite attribute was only set to None if mellon configure
+  option MellonCookieSameSite was set to something other than default.
+  This is now fixed.
+
+
 Version 0.17.0
 ---------------------------------------------------------------------------
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.17.0],[https://github.com/latchset/mod_auth_mellon/issues])
+AC_INIT([mod_auth_mellon],[0.18.0],[https://github.com/latchset/mod_auth_mellon/issues])
 AC_CONFIG_HEADERS([config.h])
 
 # We require support for C99.