From: Chris H. <ch...@d6...> - 2018-08-20 20:24:32
I'm trying to update my server that runs CoSign from httpd 2.2.x to 2.4.x, and I've got things building (there are several pull requests on https://github.com/cosignweblogin/cosign to fix the minor build errors), but I think I've found a more serious code bug: due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have deprecated ap_some_auth_required and have silently made it incompatible with 2.2 semantics, and they want people to switch to ap_some_auth*n*_required, which has some reentry issues. They're claiming ap_some_auth_required is now a security hole, which appears to be the case for me, meaning it circumvents the cosign redirect when there's no cookie.

I'm working on a real patch, but I'm wondering if anybody else has run into this. Sadly, getting it built on 2.4 is not the only problem. I know CoSign is not really active anymore, but I'd assume some folks have updated like this and run into the problem? Is there a plan to at least take patches on the github repo?

Chris