From: Liam H. <li...@um...> - 2018-08-21 12:35:34
Hi Chris -

The developer who owns the main cosign repository (https://github.com/umich-iam/cosign) has been totally unresponsive for several years. Our institution is moving away from cosign, but we do have a repo that sees some maintenance - https://github.com/umich-iam/cosign

You could switch your remotes and issue pull requests against us.

Liam

On Mon, Aug 20, 2018 at 2:31 PM, Chris Hecker <ch...@d6...> wrote:

> I'm trying to update my server that runs CoSign from httpd 2.2.x to 2.4.x,
> and I've got things building (there are several pull requests on
> https://github.com/cosignweblogin/cosign to fix the minor build errors),
> but I think I've found a more serious code bug:
>
> Due to https://nvd.nist.gov/vuln/detail/CVE-2015-3185, they have
> deprecated ap_some_auth_required and have silently made it incompatible
> with 2.2 semantics, and they want people to switch to ap_some_auth*n*_required,
> which has some reentry issues. They're claiming ap_some_auth_required now
> is a security hole, which appears to be the case for me, meaning it
> circumvents the cosign redirect when there's no cookie.
>
> I'm working on a real patch, but I'm wondering if anybody else has run
> into this. Sadly, getting it built on 2.4 is not the only problem. I know
> CoSign is not really active anymore but I'd assume some folks have updated
> like this and run into the problem?
>
> Is there a plan to at least take patches on the github repo?
>
> Chris
>
> _______________________________________________
> Cosign-discuss mailing list
> Cos...@li...
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss