lp:debian/webauth

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/webauth

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

22. By Russ Allbery

* New upstream release (no Apache 2.4 support yet; that's next).
  - Fix webauth_user_info bug in interpreting login history timestamps.
  - Fix login history timestamp handling in sample confirm template.
  - Suppress history and token rights in sample confirm template when
    those data elements are empty. (Closes: #664735)
  - Add explicit HTML filters to all sample template variable
    interpolations as an additional security measure.
  - Update the mod_webkdc manual for changes in 4.1.0.
* If Apache is running and has the module loaded, restart Apache on
  configure of libapache2-webauth or libapache2-webkdc.
* Remove the conditional around the postinst actions for
  libapache2-webauth and libapache2-webkdc and just always configure the
  package. This is at least arguably more correct for the various abort
  cases, is simpler, and shouldn't hurt.

21. By Russ Allbery

* New upstream release.
  - New mod_webkdc WebKdcUserInfoTimeout option to set a network timeout
    for user information service queries. The new default is 30
    seconds.
  - New mod_webkdc WebKdcUserInfoIgnoreFail error to allow users to
    authenticate with password and use pre-existing single sign-on
    cookies even if the user information service is down. Be aware that
    this can allow bypassing a centrally-mandated multifactor
    requirement.
  - Use remctl_set_ccache instead of setting KRB5CCNAME when available
    to avoid memory leaks on calling the user information service and to
    not leak settings across threads.
  - Fix WebLogin error handling when the password field is left blank.
  - Fix WebLogin error handling of empty usernames.
  - Drop library support for base64-encoded token attributes (which was
    never used by WebAuth).
  - Drop webauth_info_{build,version} library APIs.
  - Document Apache/Tomcat security interaction around URL parsing in
    the mod_webauth manual. This affects any Apache security mechanism
    used in conjunction with Tomcat.
* Bump libremctl-dev build dependency to >= 3.1 for consistent builds.
* Add Build-Depends-Package to the symbols file for better dependency
  handling.
* Update standards version to 3.9.3 (no changes required).

20. By Russ Allbery

* New upstream release.
  - Fix setting of the REMOTE_USER preference cookie in WebLogin.
  - Ignore undefined cookies in WebLogin to reduce error logs.
  - Document factor codes in the mod_webauth manual.
* Remove ${shlibs:Depends} from libwebauth-dev dependencies to remove a
  warning. This package won't contain compiled binaries.

19. By Russ Allbery

* New upstream release.
  - Change user information service and WebKDC to WebLogin protocols for
    conveying suspicious login information to use the IP address as the
    CDATA and put the hostname in an attribute.
  - Display suspicious logins in WebLogin, forcing a confirmation page.
  - Log the return URL of authentication requests to the WebKDC.
  - Reduce mod_webauth log level when retrieving credentials.

18. By Russ Allbery

* Fix a variety of uninitialized variables and memory leaks in the
  libwebauth library and the test suite. Thanks, Christoph Egger and
  Aaron M. Ucko. (Closes: #640259)
* Don't attempt to chown files in libwebkdc-perl when doing a
  binary-only build. Thanks, Aaron M. Ucko. (Closes: #640268)

17. By Russ Allbery

* New upstream release.
  - Added support for multifactor, including new WebAuth directives
    WebAuthRequireInitialFactor, WebAuthRequireSessionFactor, and
    WebAuthRequireLOA and new WebKDC directives WebKdcUserInfoURL and
    WebKdcUserInfoPrincipal. Currently requires a metadata service for
    which there isn't a packaged implementation.
  - mod_webauth now exposes the user's initial and session
    authentication details and level of assurance (if known) in
    environment variables WEBAUTH_FACTORS_INITIAL,
    WEBAUTH_FACTORS_SESSION, and WEBAUTH_LOA.
  - WebLogin now uses Template Toolkit for all templating. All
    templates will have to be revised to use the new syntax.
  - WebLogin can tell an external middleware service to send the user an
    OTP code via some means, such as SMS. There are new configuration
    variables for /etc/webkdc/webkdc.conf that control this.
  - WebLogin now supports a site-specific callback to determine the
    initial and session factors and level of assurance for a user who
    has been authenticated via Apache authentication.
  - The keyring functions of the WebAuth Perl module have been rewritten
    to use an object-oriented style and new WebAuth::Keyring and
    WebAuth::KeyringEntry objects. Perl code that used the keyring API
    will need to be modified. Methods to remove a key from a keyring,
    get the timestamps and keys associated with keyring entries, and
    choose the best key have been added.
  - The libwebauth API has been changed substantially and will be
    changed further in subsequent releases.
  - The proxy data attribute of webkdc-proxy tokens is now optional.
* Install /var/cache/weblogin, writable by www-data, as a directory to
  use for Template Toolkit to cache compiled templates. Mention the new
  $TEMPLATE_COMPILE_PATH directive in the libwebkdc-perl NEWS.Debian.
* Update the webauth-weblogin README.Debian to mention the Apache
  FastCGI module now included in Debian and the alternative in
  non-free.

16. By Russ Allbery

* New upstream release.
  - New Apache directive WebAuthOptional, which does not force the user
    to authenticate if they're not already authenticated but adds the
    authentication information to the environment if they are. Intended
    for use with dynamic content that can manage optional authentication
    through an explicit login link.
  - Work around an MIT Kerberos library bug in error reporting from
    password change and remove the previous cruder workaround that
    mapped Kerberos errors to password strength warnings.
  - Suppress certificate validation for the WebKDC in WebLogin if the
    WebKDC URL is localhost, required by libwww-perl 5.837 or later.
  - More robust generation of the pkg-config configuration file.
  - Clearer warning from WebLogin when paired with an old WebKDC.
  - Document the pt and sa key/value pairs in WebKDC logging.
* Drop the transitional libwebauth1-dev package, required to smooth
  upgrades from lenny. squeeze released with libwebauth-dev.
* Update to debhelper compatibility level V8.
  - Use debhelper rule minimization with overrides.
  - Do more work in *.install files and less work in debian/rules.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
  include a custom patch header explaining that it is a rollup of any
  fixes cherry-picked from upstream and breaking those patches out
  separately would be work for no gain.
* Update standards version to 3.9.2 (no changes required).

15. By Colin Watson

Rebuild for Perl 5.12.

14. By Russ Allbery

Upload to unstable.

13. By Russ Allbery

* Apply upstream deltas:
  - [49ad22d2] Fix wa_keyring option parsing and verbose mode bugs
* Update standards version to 3.9.1 (no changes required).

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/squeeze/webauth