mod_auth_mellon-0.14.0-8.el7

Errata ID: AXSA:2020-4541:01

Release date: 
Thursday, April 2, 2020 - 04:52
Subject: 
mod_auth_mellon-0.14.0-8.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

* mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft (CVE-2019-13038)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.8 Release Notes linked from the References section.

CVE-2019-13038
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
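The advisory text says the redirect check is bypassed by dropping the "//" after "http:". The likely reason (an inference, not stated in the advisory) is that a URL parser reads "http:evil.example" as a scheme plus a path with no authority part, so a validator that treats any host-less value as a same-origin relative path accepts it, while a browser normalises the same string to http://evil.example and follows it. The following is an added illustration written for this page, not mod_auth_mellon's own code: a flawed validator of that shape beside a hardened one, with a constructed allowlist (`ALLOWED_HOSTS`) and function names that are assumptions, checked against a few constructed `ReturnTo` values.

```python
from urllib.parse import urlsplit

# Constructed allowlist of permitted redirect hosts for this example
# (assumption: stands in for whatever a deployment would configure).
ALLOWED_HOSTS = {"sso.example.org"}


def naive_return_to_ok(return_to: str) -> bool:
    """Flawed check of the kind the CVE text describes: any value whose
    parsed authority is empty is assumed to be a local relative path
    and accepted without further inspection."""
    parts = urlsplit(return_to)
    if not parts.netloc:
        return True  # "http:evil.example" lands here: scheme set, netloc empty
    return parts.hostname in ALLOWED_HOSTS


def hardened_return_to_ok(return_to: str) -> bool:
    """Hardened check: a value with a scheme must also carry a host and
    that host must be allowlisted; a value without a scheme must be a
    plain path, not a protocol-relative or backslash form."""
    if any(c in return_to for c in "\r\n"):
        return False  # header injection guard
    parts = urlsplit(return_to)
    if parts.scheme:
        # Browsers treat "http:evil.example" as http://evil.example,
        # so a scheme without a host is rejected outright.
        if not parts.hostname:
            return False
        if parts.scheme not in ("http", "https"):
            return False
        return parts.hostname in ALLOWED_HOSTS
    # Relative target: exactly one leading "/" and no "\" (some browsers
    # read "/\evil.example" as "//evil.example").
    if len(return_to) < 1 or return_to[0] != "/":
        return False
    if len(return_to) > 1 and return_to[1] in "/\\":
        return False
    return "\\" not in return_to


def compare(candidates):
    """Return {value: (naive_result, hardened_result)} for each candidate."""
    return {c: (naive_return_to_ok(c), hardened_return_to_ok(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed ReturnTo values, including the "//"-omitted form from the CVE text.
    samples = [
        "/dashboard",
        "https://sso.example.org/app",
        "http://evil.example/",
        "http:evil.example",
        "//evil.example/",
        "javascript:alert(1)",
    ]
    for value, (naive, hardened) in compare(samples).items():
        print(f"{value!r:32} naive={naive!s:5} hardened={hardened}")
```

Running the block shows the point: the naive validator rejects "http://evil.example/" but accepts "http:evil.example" and "javascript:alert(1)", while the hardened one accepts only "/dashboard" and the allowlisted absolute URL. When reviewing any login-return or redirect parameter, include the scheme-without-host and protocol-relative forms in the test set, since a host allowlist alone does not cover them.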

Solution: 

Update the mod_auth_mellon package to 0.14.0-8.el7 (for example with yum update mod_auth_mellon) and restart httpd afterwards, since the module already loaded into running httpd processes is not replaced by the package update alone. If the RPMs are downloaded manually, compare their digests against the SHA-256 values listed below before installing.

Additional Info: 

N/A

Download: 

SRPMS
  1. mod_auth_mellon-0.14.0-8.el7.src.rpm
    MD5: 28ed49d3120797b79c9f548ec99296c4
    SHA-256: 12c68980eb1750173423e07c37a609feda920b7a1df75c3250d142d4cce2717b
    Size: 1.44 MB

Asianux Server 7 for x86_64
  1. mod_auth_mellon-0.14.0-8.el7.x86_64.rpm
    MD5: 3189c93cb06f054e70807ff348a105e5
    SHA-256: 3044a4aa6b0fbf3d275320f111e144f14e30823e30c43091ffc1cb5c4ef330db
    Size: 1.25 MB