RedHat: RHSA-2019-0766-01 Important: mod_auth_mellon Authentication Issue

red hat

April 16, 2019

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.
Security Fix(es):
* mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)
* mod_auth_mellon: open redirect in logout url when using URLs with backslashes (CVE-2019-3877)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) (BZ#1697487)

Topics Covered

security advisory Red Hat bug fix important authentication mod_auth_mellon open redirect

References

https://access.redhat.com/security/cve/CVE-2019-3877 https://access.redhat.com/security/cve/CVE-2019-3878 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Enterprise Linux Server (v. 7):
Source: mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm
ppc64: mod_auth_mellon-0.14.0-2.el7_6.4.ppc64.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm
ppc64le: mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm
s390x: mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm
x86_64: mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):
Source: mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm
aarch64: mod_auth_mellon-0.14.0-2.el7_6.4.aarch64.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.aarch64.rpm
ppc64le: mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm
s390x: mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64.rpm
ppc64le: mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm
s390x:

Read the Full Advisory

Severity

important

Lowest

Low

Medium

High

Critical

Advisory ID: RHSA-2019:0766-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2019:0766

Issue date: 2019-04-16

Topic

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics Covered

security advisory Red Hat bug fix important authentication mod_auth_mellon open redirect

Relevant Releases Architectures

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x

Bugs Fixed

1691125 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes

1691126 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow

1697487 - mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) [rhel-7.6.z]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

RedHat: RHSA-2019-0766-01 Important: mod_auth_mellon Authentication Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

RedHat: RHSA-2019-0766-01 Important: mod_auth_mellon Authentication Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!