From d5cfa396f69ba2ee0d1048fe59c2f0f4a6d077ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 30 Jul 2021 21:20:22 +0200
Subject: [PATCH] Prepare mellon release 0.18.0 (#72)

Resolves: #71
---
 NEWS | 31 +++++++++++++++++++++++++++++++
 configure.ac | 2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index fa14926..351d0f5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,34 @@
+Version 0.18.0
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-13038] Redirect URL validation bypass
+
+ Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
+ validation to be bypassed by specifying an URL formatted as
+ "///fishing-site.example.com/logout.html". In this case, the browser
+ would interpret the URL differently than the APR parsing utility
+ mellon uses and redirect to fishing-site.example.com.
+ This could be reproduced with:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+
+ This version fixes that issue by rejecting all URLs that start with "///".
+
+Enhancements:
+
+* A new option MellonSessionIdleTimeout that represents the amount of time
+ a user can be inactive before the user's session times out in seconds.
+
+Bug fixes:
+
+* Several build-time fixes
+
+* The CookieTest SameSite attribute was only set to None if mellon configure
+ option MellonCookieSameSite was set to something other than default.
+ This is now fixed.
+
+
 Version 0.17.0
 ---------------------------------------------------------------------------
 
diff --git a/configure.ac b/configure.ac
index 06c9915..5d0ab3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.17.0],[https://github.com/latchset/mod_auth_mellon/issues])
+AC_INIT([mod_auth_mellon],[0.18.0],[https://github.com/latchset/mod_auth_mellon/issues])
 AC_CONFIG_HEADERS([config.h])
 
 # We require support for C99.