Berlin
From François Kooman to ~fkooman/php-saml-sp
Hi all,
Recently we released a security update for php-saml-sp. This applies to both 1.x and 2.x.
CVE-2023-26267
https://www.cve.org/CVERecord?id=CVE-2023-26267
Make sure you update to at least 2.1.1 (for 2.x) or 1.1.1 (for 1.x) and you are good.
Regards,
François
From François Kooman to ~fkooman/php-saml-sp
On 09.11.22 21:42, Peter Brand wrote:
> Signing AuthnRequests is only useful if there's information included in the
> AuthnRequest that must not be tampered with, e.g. to prevent someone from
> sending an alternative AuthnRequest that's missing a required
> AuthnContextClassRef or has disabled ForceAuthn when that's required.
You are correct. However, providing a toggle to admins increases the risk they'll shoot themselves in the foot in a possible future where ACR or "ForceAuthn" is enabled and they forget to (re)enable signatures. Also, having signatures always enabled makes it less likely the IdP will stop working when signatures are (all of a sudden) enabled.
> While it not always being useful may still be good enough to always keep signing,
From François Kooman to ~sircmpwn/sr.ht-discuss
Hi!
For my Debian packages I point the `debian/watch` file to the "refs" page in order to download sources (attached artifacts). However, the "/refs" page is using pagination, which is an issue for older tags that are no longer "in view".
My current `debian/watch` file:
## cut ##
version=4
opts="pgpmode=auto,downloadurlmangle=s%/~fkooman/@PACKAGE@/archive/@ANY_VERSION@@ARCHIVE_EXT@%/~fkooman/@PACKAGE@/refs/download/$1/@PACKAGE@-$1.tar.xz%" \
From François Kooman to ~sircmpwn/sr.ht-dev
On 07/25/2018 12:26 AM, Drew DeVault wrote:
> Thanks for the patch! I've applied it and will be deploying it shortly.
Thanks so much! It works now!
Cheers,
François
From François Kooman to ~sircmpwn/sr.ht-dev
For QR code readers built in to TOTP applications like FreeOTP, the "label" needs to be URL encoded [0]. FreeOTP for iOS was unable to import the TOTP QR code generated by meta.sr.ht.
This is a fix for [1].
[0] https://github.com/google/google-authenticator/wiki/Key-Uri-Format
[1] https://todo.sr.ht/%7Esircmpwn/meta.sr.ht/47
---
 metasrht/blueprints/security.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
[message trimmed]