Activity log for bug #1820279

Date Who What changed Old value New value Message
2019-03-15 13:09:04 Dmitrii Shcherbakov bug added bug
2019-03-22 19:31:33 Launchpad Janitor merge proposal linked https://code.launchpad.net/~dmitriis/ubuntu/+source/libapache2-mod-auth-mellon/+git/libapache2-mod-auth-mellon/+merge/364984
2019-03-22 19:53:43 Dmitrii Shcherbakov description This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 It would be good to enable this in our builds as follows: diff --git a/debian/rules b/debian/rules index 5f81a8c..1c482e0 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,8 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all override_dh_auto_install: +override_dh_auto_configure: + dh_auto_configure -- --enable-diagnostics [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ [Upgrades] No impact
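Review bot: the added `override_dh_auto_configure` target in debian/rules passes `--enable-diagnostics` unconditionally, and nothing next to it records that this only compiles the feature in. Add a comment above the target saying that diagnostics output is still controlled at runtime by `MellonDiagnosticsEnable` in the Apache configuration, which later revisions of this description give as Off by default, so that anyone reading the rules file does not assume SAML diagnostics are being logged on every install. Also check that the recipe line `dh_auto_configure -- --enable-diagnostics` starts with a tab, because the flattened rendering of the hunk here shows only a space after the `+`.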
2019-03-22 19:56:03 Dmitrii Shcherbakov summary consider building with --enable-diagnostics as of v0.14.0 (cosmic) to ease up SSO debugging [FFe] build mellon with --enable-diagnostics to ease up SSO debugging
2019-03-22 20:20:12 Dmitrii Shcherbakov description [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ [Upgrades] No impact [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ [Upgrades] No impact
2019-03-22 20:20:31 Dmitrii Shcherbakov bug added subscriber Ubuntu Release Team
2019-03-22 21:30:42 Dmitrii Shcherbakov description [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ [Upgrades] No impact [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) { for ( ; s ; s = s->next) { if (!am_diag_open_log(s, p)) { return HTTP_INTERNAL_SERVER_ERROR; } } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ... 
if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mellon diagnostics disabled for %s", server_desc); return 1; // ... [Upgrades] No impact
2019-03-29 17:11:22 Corey Bryant summary [FFe] build mellon with --enable-diagnostics to ease up SSO debugging [FFe] [SRU] build mellon with --enable-diagnostics to ease up SSO debugging
2019-03-29 17:50:02 Corey Bryant description [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) { for ( ; s ; s = s->next) { if (!am_diag_open_log(s, p)) { return HTTP_INTERNAL_SERVER_ERROR; } } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ... if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mellon diagnostics disabled for %s", server_desc); return 1; // ... 
[Upgrades] No impact FFE Section ----------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section ----------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this.
2019-03-29 17:50:22 Corey Bryant description FFE Section ----------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section ----------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this. 
FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section ----------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this.
2019-03-29 17:50:36 Corey Bryant nominated for series Ubuntu Bionic
2019-03-29 17:50:36 Corey Bryant bug task added libapache2-mod-auth-mellon (Ubuntu Bionic)
2019-03-29 17:50:36 Corey Bryant nominated for series Ubuntu Disco
2019-03-29 17:50:36 Corey Bryant bug task added libapache2-mod-auth-mellon (Ubuntu Disco)
2019-03-29 17:50:36 Corey Bryant nominated for series Ubuntu Cosmic
2019-03-29 17:50:36 Corey Bryant bug task added libapache2-mod-auth-mellon (Ubuntu Cosmic)
2019-03-29 17:57:59 Corey Bryant description FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section ----------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this. 
FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this. 
[Discussion] For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0 - [29d2872] Bump version to 0.14.0. - [21f78ab] Add release notes for version 0.14.0. - [262768a] NEWS: Add consistent whitespace between releases. - [7bb98cf] Fix config.h.in missing in .tar.gz. - [aee068f] Fix typos in the user guide - [8abbcf9] Update User Guide on error responses and ADFS issues - [9b17e5c] Add MellonSignatureMethod to control signature algorithm - [582f283] Log SAML status response information - [524d558] convert README to README.md - [0851045] Fix consistency, grammar, and usage in user guide - [70e8abc] Give clear error if building with diagnostics support on old Apache - [15fcbf7] Fix build error on Apache 2.2. - [fe8b978] Add example for dual auth support. - [f865919] Add clarification on using info vs auth - [5927b5c] Fix Mellon user guide typos - [86eb344] Fix conditional build of auth_mellon_diagnostics.c - [89a3c81] Add NameID discussion to User Guide - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values. 
- [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR - [e8579f6] Add diagnostic logging - [6d2ee84] Track file information - [ee97812] Add Mellon User Guide - [daa5d1e] If no IdP's are defined explicitly log that fact - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec - [c291232] Make MellonUser case-insensitive. - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions. - [5c5ed1d] Fix segmentation fault with POST field without a value. - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include: - [582f283] Log SAML status response information - [70e8abc] Give clear error if building with diagnostics support on old Apache - [86eb344] Fix conditional build of auth_mellon_diagnostics.c - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR - [e8579f6] Add diagnostic logging - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit: - [9b17e5c] Add MellonSignatureMethod to control signature algorithm
2019-03-29 18:21:36 Corey Bryant description FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. [Discussion] For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0 - [29d2872] Bump version to 0.14.0. - [21f78ab] Add release notes for version 0.14.0. - [262768a] NEWS: Add consistent whitespace between releases. - [7bb98cf] Fix config.h.in missing in .tar.gz. - [aee068f] Fix typos in the user guide - [8abbcf9] Update User Guide on error responses and ADFS issues - [9b17e5c] Add MellonSignatureMethod to control signature algorithm - [582f283] Log SAML status response information - [524d558] convert README to README.md - [0851045] Fix consistency, grammar, and usage in user guide - [70e8abc] Give clear error if building with diagnostics support on old Apache - [15fcbf7] Fix build error on Apache 2.2. - [fe8b978] Add example for dual auth support. - [f865919] Add clarification on using info vs auth - [5927b5c] Fix Mellon user guide typos - [86eb344] Fix conditional build of auth_mellon_diagnostics.c - [89a3c81] Add NameID discussion to User Guide - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values. 
- [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR - [e8579f6] Add diagnostic logging - [6d2ee84] Track file information - [ee97812] Add Mellon User Guide - [daa5d1e] If no IdP's are defined explicitly log that fact - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec - [c291232] Make MellonUser case-insensitive. - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions. - [5c5ed1d] Fix segmentation fault with POST field without a value. - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include: - [582f283] Log SAML status response information - [70e8abc] Give clear error if building with diagnostics support on old Apache - [86eb344] Fix conditional build of auth_mellon_diagnostics.c - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR - [e8579f6] Add diagnostic logging - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit: - [9b17e5c] Add MellonSignatureMethod to control signature algorithm FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. 
Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this. [Discussion] For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. 
For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  - [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  - [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  
- [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. This would likely be a good update anyway.
2019-03-29 18:22:54 Corey Bryant description FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. [Discussion] For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  - [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  
- [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. 
This would likely be a good update anyway. FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. [Discussion] ** cosmic SRU ** For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. ** bionic SRU ** For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  - [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  
- [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. 
This would likely be a good update anyway.
2019-03-29 18:23:02 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Bionic): status New Triaged
2019-03-29 18:23:04 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Cosmic): status New Triaged
2019-03-29 18:23:08 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Bionic): importance Undecided High
2019-03-29 18:23:09 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Cosmic): importance Undecided High
2019-03-29 18:23:10 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Disco): status New Triaged
2019-03-29 18:23:11 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Disco): importance Undecided High
2019-03-29 18:24:52 Corey Bryant description FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. [Discussion] ** cosmic SRU ** For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. ** bionic SRU ** For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  - [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  
- [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  - [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. 
This would likely be a good update anyway. FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. In particular the cosmic regression potential is much lower than the bionic potential since there is much less involved. For bionic please see [Discussion] below. [Discussion] ** cosmic SRU ** For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. ** bionic SRU ** For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  
- [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  - [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  
- [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. This would likely be a good update anyway.
2019-03-29 20:18:58 David Ames description FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access. https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311 int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s) {     for ( ; s ; s = s->next) {         if (!am_diag_open_log(s, p)) {             return HTTP_INTERNAL_SERVER_ERROR;         }     } // ... static int am_diag_open_log(server_rec *s, apr_pool_t *p) { // ...     if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,                      "mellon diagnostics disabled for %s", server_desc);         return 1; // ... [Upgrades] No impact SRU section for cosmic and bionic --------------------------------- [Impact] See FFE Rationale above. [Test Case] [Regression Potential] As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. 
This is also the default setting, so regression potential is certainly limited by this. In particular the cosmic regression potential is much lower than the bionic potential since there is much less involved. For bionic please see [Discussion] below. [Discussion] ** cosmic SRU ** For the cosmic SRU this will be a fairly straight forward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support. ** bionic SRU ** For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches. For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support). Here's the full commit summary between 0.13.1 and 0.14.0: /tmp/mod_auth_mellon$ git remote -v origin https://github.com/UNINETT/mod_auth_mellon (fetch) origin https://github.com/UNINETT/mod_auth_mellon (push) /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0  - [29d2872] Bump version to 0.14.0.  - [21f78ab] Add release notes for version 0.14.0.  - [262768a] NEWS: Add consistent whitespace between releases.  - [7bb98cf] Fix config.h.in missing in .tar.gz.  
- [aee068f] Fix typos in the user guide  - [8abbcf9] Update User Guide on error responses and ADFS issues  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm  - [582f283] Log SAML status response information  - [524d558] convert README to README.md  - [0851045] Fix consistency, grammar, and usage in user guide  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [15fcbf7] Fix build error on Apache 2.2.  - [fe8b978] Add example for dual auth support.  - [f865919] Add clarification on using info vs auth  - [5927b5c] Fix Mellon user guide typos  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [89a3c81] Add NameID discussion to User Guide  - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.  - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information  - [ee97812] Add Mellon User Guide  - [daa5d1e] If no IdP's are defined explicitly log that fact  - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec  - [c291232] Make MellonUser case-insensitive.  - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.  - [5c5ed1d] Fix segmentation fault with POST field without a value.  
- [4c924d9] Fix some log message typos Of the commits above, those required for diagnostics support include:  - [582f283] Log SAML status response information  - [70e8abc] Give clear error if building with diagnostics support on old Apache  - [86eb344] Fix conditional build of auth_mellon_diagnostics.c  - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR  - [e8579f6] Add diagnostic logging  - [6d2ee84] Track file information And the MellonSignatureMethod support is provided in a single commit:  - [9b17e5c] Add MellonSignatureMethod to control signature algorithm MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96 One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. This would likely be a good update anyway. FFE Section for disco --------------------- [Rationale] This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module: https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753 It is available as of v0.14.0 (present in Cosmic): git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753 v0.14.0 v0.14.1 This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug. [Build Verification] https://paste.ubuntu.com/p/2kt3BsxJKn/ [Installation] https://paste.ubuntu.com/p/VcfcgyPHqH/ "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. 
Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access.

https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311

    int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s)
    {
        for ( ; s ; s = s->next) {
            if (!am_diag_open_log(s, p)) {
                return HTTP_INTERNAL_SERVER_ERROR;
            }
        }
    // ...

    static int am_diag_open_log(server_rec *s, apr_pool_t *p)
    {
    // ...
        if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                         "mellon diagnostics disabled for %s", server_desc);
            return 1;
    // ...

[Upgrades]
No impact

SRU section for cosmic and bionic
---------------------------------

[Impact]
See FFE Rationale above.

[Test Case]
To test

Add the following to /etc/apache2/conf-available/mellon.conf

    MellonDiagnosticsFile /var/log/apache2/mellon_diagnostics.log
    MellonDiagnosticsEnable On

    a2enconf mellon
    systemctl reload apache2

After browsing to a location that is mod_auth_mellon enabled (see the keystone-saml-mellon charm) logging from the mellon module including environment variables in the SAML messages will be found in /var/log/apache2/mellon_diagnostics.log.

Regression testing can be done using the keystone-saml-mellon charm's functional tests. https://github.com/openstack-charmers/charm-keystone-saml-mellon

At the time of this writing the functional tests are not fully automated and still require some manual configuration: https://github.com/openstack-charmers/charm-keystone-saml-mellon/blob/master/src/README.md#configuration

[Regression Potential]
As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this. In particular the cosmic regression potential is much lower than the bionic potential since there is much less involved. For bionic please see [Discussion] below.

[Discussion]

** cosmic SRU **
For the cosmic SRU this will be a fairly straightforward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support.

** bionic SRU **
For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches.

For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignatureMethod support).

Here's the full commit summary between 0.13.1 and 0.14.0:

    /tmp/mod_auth_mellon$ git remote -v
    origin https://github.com/UNINETT/mod_auth_mellon (fetch)
    origin https://github.com/UNINETT/mod_auth_mellon (push)
    /tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0
     - [29d2872] Bump version to 0.14.0.
     - [21f78ab] Add release notes for version 0.14.0.
     - [262768a] NEWS: Add consistent whitespace between releases.
     - [7bb98cf] Fix config.h.in missing in .tar.gz.
     - [aee068f] Fix typos in the user guide
     - [8abbcf9] Update User Guide on error responses and ADFS issues
     - [9b17e5c] Add MellonSignatureMethod to control signature algorithm
     - [582f283] Log SAML status response information
     - [524d558] convert README to README.md
     - [0851045] Fix consistency, grammar, and usage in user guide
     - [70e8abc] Give clear error if building with diagnostics support on old Apache
     - [15fcbf7] Fix build error on Apache 2.2.
     - [fe8b978] Add example for dual auth support.
     - [f865919] Add clarification on using info vs auth
     - [5927b5c] Fix Mellon user guide typos
     - [86eb344] Fix conditional build of auth_mellon_diagnostics.c
     - [89a3c81] Add NameID discussion to User Guide
     - [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.
     - [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS
     - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
     - [e8579f6] Add diagnostic logging
     - [6d2ee84] Track file information
     - [ee97812] Add Mellon User Guide
     - [daa5d1e] If no IdP's are defined explicitly log that fact
     - [119cbdd] modify cache functions to take request_rec parameter instead of server_rec
     - [c291232] Make MellonUser case-insensitive.
     - [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.
     - [5c5ed1d] Fix segmentation fault with POST field without a value.
     - [4c924d9] Fix some log message typos

Of the commits above, those required for diagnostics support include:

     - [582f283] Log SAML status response information
     - [70e8abc] Give clear error if building with diagnostics support on old Apache
     - [86eb344] Fix conditional build of auth_mellon_diagnostics.c
     - [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
     - [e8579f6] Add diagnostic logging
     - [6d2ee84] Track file information

And the MellonSignatureMethod support is provided in a single commit:

     - [9b17e5c] Add MellonSignatureMethod to control signature algorithm

MellonSignatureMethod is also controlled by a config option in the apache configuration. Following is the full commit message for 9b17e5c: https://github.com/Uninett/mod_auth_mellon/commit/9b17e5c1078a9be90de1e9d03079b34ca4056e96

One upgrade consideration coming from this patch is that it changes the default sha algorithm used by Mellon from rsa-sha1 to rsa-sha256. And as the commit says, this was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation. This would likely be a good update anyway.
2019-03-31 21:07:26 Launchpad Janitor libapache2-mod-auth-mellon (Ubuntu Disco): status Triaged Fix Released
2019-04-02 19:44:00 Corey Bryant bug added subscriber Ubuntu Stable Release Updates Team
2019-04-02 21:18:27 Brian Murray libapache2-mod-auth-mellon (Ubuntu Cosmic): status Triaged Fix Committed
2019-04-02 21:18:30 Brian Murray bug added subscriber SRU Verification
2019-04-02 21:18:33 Brian Murray tags cpe-onsite cpe-onsite verification-needed verification-needed-cosmic
2019-05-04 15:58:09 Corey Bryant bug task added cloud-archive
2019-05-04 15:58:51 Corey Bryant nominated for series cloud-archive/stein
2019-05-04 15:58:51 Corey Bryant bug task added cloud-archive/stein
2019-05-04 15:58:51 Corey Bryant nominated for series cloud-archive/rocky
2019-05-04 15:58:51 Corey Bryant bug task added cloud-archive/rocky
2019-05-04 15:58:58 Corey Bryant cloud-archive/rocky: status New Triaged
2019-05-04 15:59:01 Corey Bryant cloud-archive/stein: status New Triaged
2019-05-04 15:59:04 Corey Bryant cloud-archive/stein: importance Undecided High
2019-05-04 15:59:06 Corey Bryant cloud-archive/rocky: importance Undecided High
2019-05-04 16:01:01 Corey Bryant libapache2-mod-auth-mellon (Ubuntu Bionic): status Triaged Won't Fix
2019-05-04 16:14:34 Corey Bryant cloud-archive: status Triaged Fix Committed
2019-05-04 16:19:09 Corey Bryant cloud-archive/rocky: status Triaged Fix Committed
2019-05-04 16:19:10 Corey Bryant tags cpe-onsite verification-needed verification-needed-cosmic cpe-onsite verification-needed verification-needed-cosmic verification-rocky-needed
2019-05-04 16:20:50 Corey Bryant tags cpe-onsite verification-needed verification-needed-cosmic verification-rocky-needed cpe-onsite verification-needed verification-needed-cosmic verification-rocky-needed verification-stein-needed
2019-06-18 13:39:27 Dmitrii Shcherbakov tags cpe-onsite verification-needed verification-needed-cosmic verification-rocky-needed verification-stein-needed cpe-onsite verification-needed verification-needed-cosmic verification-rocky-done verification-stein-needed
2019-06-27 19:49:07 Dmitrii Shcherbakov tags cpe-onsite verification-needed verification-needed-cosmic verification-rocky-done verification-stein-needed cpe-onsite verification-done verification-needed-cosmic verification-rocky-done verification-stein-done
2019-06-28 10:03:13 Dmitrii Shcherbakov tags cpe-onsite verification-done verification-needed-cosmic verification-rocky-done verification-stein-done cpe-onsite verification-done verification-done-cosmic verification-rocky-done verification-stein-done
2019-07-01 08:02:52 Launchpad Janitor libapache2-mod-auth-mellon (Ubuntu Cosmic): status Fix Committed Fix Released
2019-07-01 08:02:56 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2019-07-02 15:16:23 James Page cloud-archive/stein: status Fix Committed Fix Released
2019-07-02 15:17:20 James Page cve linked 2019-3877
2019-07-02 15:17:20 James Page cve linked 2019-3878
2019-07-02 15:17:22 James Page cloud-archive/rocky: status Fix Committed Fix Released