From: Qais P. <me...@qa...> - 2018-08-21 06:54:34
Apologies. I have deferred to writing my own filter for Cosign (not using Apache), that's why I haven't encountered this.

Best of luck,
Qais

On Tue, 21 Aug 2018 at 07:22 Chris Hecker <ch...@d6...> wrote:

>
> I have it fixed locally. I'm testing it now.
>
> It appears to rear its head if you switch from the old deprecated Order,
> Allow, Deny syntax to the newer 2.4 Required syntax. Are you on the old
> syntax still?
>
> Chris
>
> On 2018-08-20 23:19, Qais Patankar wrote:
>
> I haven't run into this issue but I'm looking forward to hearing if
> patches on GitHub will be considered.
>
> The repository is fairly pointless if not.
>
> Qais
>
> On Mon, 20 Aug 2018 at 21:24 Chris Hecker <ch...@d6...> wrote:
>
>>
>> I'm trying to update my server that runs CoSign from httpd 2.2.x to
>> 2.4.x, and I've got things building (there are several pull requests on
>> https://github.com/cosignweblogin/cosign to fix the minor build errors),
>> but I think I've found a more serious code bug:
>>
>> Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
>> deprecated ap_some_auth_required and have silently made it incompatible
>> with 2.2 semantics, and they want people to switch to ap_some_auth*n*_required,
>> which has some reentry issues. They're claiming ap_some_auth_required now
>> is a security hole, which appears to be the case for me, meaning it
>> circumvents the cosign redirect when there's no cookie.
>>
>> I'm working on a real patch, but I'm wondering if anybody else has run
>> into this. Sadly, getting it built on 2.4 is not the only problem. I know
>> CoSign is not really active anymore but I'd assume some folks have updated
>> like this and run into the problem?
>>
>> Is there a plan to at least take patches on the github repo?
>>
>> Chris
>>
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cos...@li...
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss