lp:debian/wheezy/webauth
- Get this branch:
- bzr branch lp:debian/wheezy/webauth
Branch information
- Owner:
- Ubuntu branches
- Status:
- Development
Recent revisions
- 18. By Russ Allbery
* New upstream release (no Apache 2.4 support yet; that's next).
- Fix webauth_user_info bug in interpreting login history timestamps.
- Fix login history timestamp handling in sample confirm template.
- Suppress history and token rights in sample confirm template when
those data elements are empty. (Closes: #664735)
- Add explicit HTML filters to all sample template variable
interpolations as an additional security measure.
- Update the mod_webkdc manual for changes in 4.1.0.
* If Apache is running and has the module loaded, restart Apache on
configure of libapache2-webauth or libapache2-webkdc.
* Remove the conditional around the postinst actions for
libapache2-webauth and libapache2-webkdc and just always configure the
package. This is at least arguably more correct for the various abort
cases, is simpler, and shouldn't hurt.
- 17. By Russ Allbery
* New upstream release.
- New mod_webkdc WebKdcUserInfoTimeout option to set a network timeout
for user information service queries. The new default is 30
seconds.
- New mod_webkdc WebKdcUserInfoIgnoreFail error to allow users to
authenticate with password and use pre-existing single sign-on
cookies even if the user information service is down. Be aware that
this can allow bypassing a centrally-mandated multifactor
requirement.
- Use remctl_set_ccache instead of setting KRB5CCNAME when available
to avoid memory leaks on calling the user information service and to
not leak settings across threads.
- Fix WebLogin error handling when the password field is left blank.
- Fix WebLogin error handling of empty usernames.
- Drop library support for base64-encoded token attributes (which was
never used by WebAuth).
- Drop webauth_info_{build, version} library APIs.
- Document Apache/Tomcat security interaction around URL parsing in
the mod_webauth manual. This affects any Apache security mechanism
used in conjunction with Tomcat.
* Bump libremctl-dev build dependency to >= 3.1 for consistent builds.
* Add Build-Depends-Package to the symbols file for better dependency
handling.
* Update standards version to 3.9.3 (no changes required).
- 16. By Russ Allbery
* New upstream release.
- Fix setting of the REMOTE_USER preference cookie in WebLogin.
- Ignore undefined cookies in WebLogin to reduce error logs.
- Document factor codes in the mod_webauth manual.
* Remove ${shlibs:Depends} from libwebauth-dev dependencies to remove a
warning. This package won't contain compiled binaries.
- 15. By Russ Allbery
* New upstream release.
- Change user information service and WebKDC to WebLogin protocols for
conveying suspicious login information to use the IP address as the
CDATA and put the hostname in an attribute.
- Display suspicious logins in WebLogin, forcing a confirmation page.
- Log the return URL of authentication requests to the WebKDC.
- Reduce mod_webauth log level when retrieving credentials.
- 14. By Russ Allbery
* Fix a variety of uninitialized variables and memory leaks in the
libwebauth library and the test suite. Thanks, Christoph Egger and
Aaron M. Ucko. (Closes: #640259)
* Don't attempt to chown files in libwebkdc-perl when doing a
binary-only build. Thanks, Aaron M. Ucko. (Closes: #640268)
- 13. By Russ Allbery
* New upstream release.
- New Apache directive WebAuthOptional, which does not force the user
to authenticate if they're not already authenticated but adds the
authentication information to the environment if they are. Intended
for use with dynamic content that can manage optional authentication
through an explicit login link.
- Work around an MIT Kerberos library bug in error reporting from
password change and remove the previous cruder workaround that
mapped Kerberos errors to password strength warnings.
- Suppress certificate validation for the WebKDC in WebLogin if the
WebKDC URL is localhost, required by libwww-perl 5.837 or later.
- More robust generation of the pkg-config configuration file.
- Clearer warning from WebLogin when paired with an old WebKDC.
- Document the pt and sa key/value pairs in WebKDC logging.
* Drop the transitional libwebauth1-dev package, required to smooth
upgrades from lenny. squeeze released with libwebauth-dev.
* Update to debhelper compatibility level V8.
- Use debhelper rule minimization with overrides.
- Do more work in *.install files and less work in debian/rules.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
include a custom patch header explaining that it is a rollup of any
fixes cherry-picked from upstream and breaking those patches out
separately would be work for no gain.
* Update standards version to 3.9.2 (no changes required).
- 11. By Russ Allbery
* Apply upstream deltas:
- [49ad22d2] Fix wa_keyring option parsing and verbose mode bugs
* Update standards version to 3.9.1 (no changes required).
- 10. By Russ Allbery
* New upstream release.
- Password change in WebLogin now forces re-entry of the old password
on the same screen as the new password even if the user had just
authenticated, with a configuration option to disable this.
- The default proxy token lifetime is now the lifetime of the
underlying Kerberos credential, matching the documentation, instead
of ten hours.
- Improve error reporting in WebLogin for password change failures.
- 9. By Russ Allbery
* New upstream release.
- WebAuthLdapAuthRule in mod_webauthldap now sets environment
variables to the value "privgroup <privgroup>" rather than the
previous behavior of just "<privgroup>".
- New WebAuthLdapPrivgroup directive for mod_webauthldap which probes
user's membership in multiple privgroups and sets an environment
variable to the list of those they're in.
- WebAuthLdapAttribute can now take multiple attributes on one line.
- WebLogin includes a password change script and template.
- WebLogin now supports password expiration handling.
- WebLogin may be configured to warn users of expiring passwords.
- WebLogin catches SIGTERM in login.fcgi and finishes the current
request, fixing some problems with unclean shutdown when FastCGI
restarts the running scripts.
- WebLogin correctly encodes RT and ST in the URL when redirecting to
an alternate URL when attempting REMOTE_USER authentication.
- wa_keyring now uses ISO format for timestamps.
- Various changes and cleanup to the WebAuth library API.
- Link wa_keyring with libcrypto properly. (Closes: #556674)
- Avoid importing isa from UNIVERSAL. (Closes: #578632)
- Lower the log level of some mod_webauth diagnostics.
* The default help.html file is now installed into
/usr/share/weblogin/generic/templates instead of one level higher.
* Upstream now no longer uses apxs to install modules, so upstream
supports DESTDIR and debian/rules can use make install instead of
rewriting all the installation rules.
* Drop the SONAME version from libwebauth-dev. We'll never need to
maintain development packages for more than one version of the ABI in
Debian at the same time. Add a transitional package to assist with
upgrades.
* Move Perl module dependencies from webauth-weblogin to libwebkdc-perl
since the supporting modules now load the other required Perl modules.
* Bump the versioned dependencies from webauth-weblogin and
libwebkdc-perl on libwebauth-perl and in webauth-weblogin on
libwebkdc-perl.
* Add an explicit dependency on liburi-perl to libwebkdc-perl.
* Fix Perl dependencies in webauth-weblogin and webauth-tests.
* Add a Suggests of libapache2-mod-php5 to webauth-tests.
* Add Suggests of libtimedate-perl, libtime-duration-perl, and
libnet-remctl-perl to libwebkdc-perl, required for now for expiring
password warning support.
* Downgrade the libwebauth-dev dependency on libkrb5-dev to Suggests
since it's only required for static linking.
* Update build dependency to libcurl4-openssl-dev.
* Add additional build dependencies so that the Perl module test suite
can run.
* Force source format 1.0 for right now to make backporting easier.
* Update to debhelper compatibility level V7.
- Add ${misc:Depends} to all dependencies.
- Use dh_prep instead of dh_clean -k.
* Update standards version to 3.9.0 (no changes required).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:debian/webauth