RedHat: RHSA-2019-3421:01 Moderate: mod_auth_mellon security, bug fix, and enhancement update

    Date: 05 Nov 2019
    Category: Red Hat
    Posted By: LinuxSecurity Advisories
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: mod_auth_mellon security, bug fix, and enhancement update
    Advisory ID:       RHSA-2019:3421-01
    Product:           Red Hat Enterprise Linux
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3421
    Issue date:        2019-11-05
    CVE Names:         CVE-2019-3877 
    =====================================================================
    
    1. Summary:
    
    An update for mod_auth_mellon is now available for Red Hat Enterprise Linux
    8.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
    
    3. Description:
    
    The mod_auth_mellon module for the Apache HTTP Server is an authentication
    service that implements the SAML 2.0 federation protocol. The module grants
    access based on the attributes received in assertions generated by an IdP
    server.
    
    Security Fix(es):
    
    * mod_auth_mellon: open redirect in logout url when using URLs with
    backslashes (CVE-2019-3877)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
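The fix class behind CVE-2019-3877, as an added example that is not mod_auth_mellon's own code: a post-logout ReturnTo validator that parses the target the way browsers do (the WHATWG URL parser treats a backslash in an http(s) URL as a forward slash), shown beside the naive string check that such targets slip past. The allowed host is a constructed value.

```python
# Added example, not mod_auth_mellon's code. Validates a post-logout
# "ReturnTo" target so that it can only send the user on-site, and
# contrasts it with a naive check that only inspects the raw string.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sp.example.com"}   # constructed allowlist for the demo


def naive_is_local(url: str) -> bool:
    """The vulnerable pattern: decide 'relative path' from raw characters.
    '/\\evil.example' passes here, yet a browser opens //evil.example."""
    return url.startswith("/") and not url.startswith("//") and "://" not in url


def browser_normalize(url: str) -> str:
    """Browsers treat '\\' as '/' in http(s) URLs, so the validator must
    see the same URL the browser will, or it misclassifies the target."""
    return url.strip().replace("\\", "/")


def is_safe_return_to(url: str) -> bool:
    """Hardened check: normalize first, then parse with a real URL parser.
    Absolute URLs must point at an allowlisted host; anything else must be
    a plain same-origin path (single leading '/', no authority part)."""
    url = browser_normalize(url)
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, custom schemes
    if parts.netloc:                      # absolute or protocol-relative URL
        return parts.hostname in ALLOWED_HOSTS
    return url.startswith("/") and not url.startswith("//")


if __name__ == "__main__":
    for target in ["/logged-out", "/\\evil.example/", "https:\\\\evil.example"]:
        print(f"{target!r}: naive={naive_is_local(target)} "
              f"hardened={is_safe_return_to(target)}")
```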
    
    Additional Changes:
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 8.1 Release Notes linked from the References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1691125 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
    1691894 - [RFE] Config option to change mod_auth_mellon prefix
    1702695 - fresh install of mod_auth_mellon shows rpm verification warnings
    
    6. Package List:
    
    Red Hat Enterprise Linux AppStream (v. 8):
    
    Source:
    mod_auth_mellon-0.14.0-9.el8.src.rpm
    
    aarch64:
    mod_auth_mellon-0.14.0-9.el8.aarch64.rpm
    mod_auth_mellon-debuginfo-0.14.0-9.el8.aarch64.rpm
    mod_auth_mellon-debugsource-0.14.0-9.el8.aarch64.rpm
    mod_auth_mellon-diagnostics-0.14.0-9.el8.aarch64.rpm
    mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.aarch64.rpm
    
    ppc64le:
    mod_auth_mellon-0.14.0-9.el8.ppc64le.rpm
    mod_auth_mellon-debuginfo-0.14.0-9.el8.ppc64le.rpm
    mod_auth_mellon-debugsource-0.14.0-9.el8.ppc64le.rpm
    mod_auth_mellon-diagnostics-0.14.0-9.el8.ppc64le.rpm
    mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.ppc64le.rpm
    
    s390x:
    mod_auth_mellon-0.14.0-9.el8.s390x.rpm
    mod_auth_mellon-debuginfo-0.14.0-9.el8.s390x.rpm
    mod_auth_mellon-debugsource-0.14.0-9.el8.s390x.rpm
    mod_auth_mellon-diagnostics-0.14.0-9.el8.s390x.rpm
    mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.s390x.rpm
    
    x86_64:
    mod_auth_mellon-0.14.0-9.el8.x86_64.rpm
    mod_auth_mellon-debuginfo-0.14.0-9.el8.x86_64.rpm
    mod_auth_mellon-debugsource-0.14.0-9.el8.x86_64.rpm
    mod_auth_mellon-diagnostics-0.14.0-9.el8.x86_64.rpm
    mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-3877
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    