mod_auth_mellon-0.14.0-11.el8

Errata ID: AXSA:2020-330:02

Release date: 
Thursday, September 10, 2020 - 14:02
Subject: 
mod_auth_mellon-0.14.0-11.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

* mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft (CVE-2019-13038)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.2 Release Notes linked from the References section.

CVE-2019-13038
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
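
The following is an added example, not part of this advisory and not mod_auth_mellon code: a log check for the pattern CVE-2019-13038 describes. A value such as `http:other.example.net` parses as a URL with a scheme but no host component, so a validation that only compares the host when one is present has nothing to compare. The `/mellon/login` endpoint path, the host names and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the advisory). The /mellon/login
# endpoint path and all host names are assumptions for this example.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2020:14:02:00 +0900] "GET /mellon/login?ReturnTo=/app/home HTTP/1.1" 303 -',
    '192.0.2.11 - - [10/Sep/2020:14:02:05 +0900] "GET /mellon/login?ReturnTo=https%3A%2F%2Fsp.example.org%2Fapp HTTP/1.1" 303 -',
    '192.0.2.12 - - [10/Sep/2020:14:02:09 +0900] "GET /mellon/login?ReturnTo=http%3Aother.example.net HTTP/1.1" 303 -',
    '192.0.2.13 - - [10/Sep/2020:14:02:12 +0900] "GET /mellon/login?ReturnTo=https%3A%2F%2Fother.example.net%2F HTTP/1.1" 303 -',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_return_to(value, allowed_hosts):
    """Classify a decoded ReturnTo value as 'ok', 'scheme-without-host' or 'foreign-host'."""
    parts = urlsplit(value)
    # "http:other.example.net" has a scheme but an empty authority, so a
    # host comparison alone never fires. Treat it as its own finding.
    if parts.scheme and not parts.netloc:
        return "scheme-without-host"
    # Absolute or scheme-relative ("//host/...") target on a host we do not serve.
    if parts.netloc and parts.hostname not in allowed_hosts:
        return "foreign-host"
    return "ok"


def scan(lines, allowed_hosts):
    """Return (line_number, ReturnTo value, verdict) for each suspicious login request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.endswith("/login"):
            continue
        # parse_qs percent-decodes the value once, as the server would.
        for value in parse_qs(target.query).get("ReturnTo", []):
            verdict = classify_return_to(value, allowed_hosts)
            if verdict != "ok":
                findings.append((n, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"sp.example.org"}):
        print(finding)
```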

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. mod_auth_mellon-0.14.0-11.el8.src.rpm
    MD5: b0c88cdaf2cd373b1ba914f835e3ba08
    SHA-256: a2c27cde1de80cec5ebf0872fbadfd78dc0256837c195b5156b860d623107b7e
    Size: 1.45 MB

Asianux Server 8 for x86_64
  1. mod_auth_mellon-0.14.0-11.el8.x86_64.rpm
    MD5: 74152add8457f1ae4856acee76a03bb6
    SHA-256: ad3cae8460d11b5041ba5cc381dab573d29719a6339ad92e02ed9ae364c3a7d1
    Size: 1.26 MB
  2. mod_auth_mellon-diagnostics-0.14.0-11.el8.x86_64.rpm
    MD5: dc7c36a19304ce74f580c22ebee8bc9c
    SHA-256: 1932b0e364fc4d14f92acdf760ffbde1770dfd417a8e42d57ba871b641581336
    Size: 75.97 kB