libapache2-mod-auth-mellon: CVE-2019-3878: authentication bypass in ECP flow

Related Vulnerabilities: CVE-2019-3878   CVE-2019-3877  

Debian Bug report logs - #925197


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Mar 2019 06:15:02 UTC

Severity: grave

Tags: security, upstream

Found in versions libapache2-mod-auth-mellon/0.12.0-2, libapache2-mod-auth-mellon/0.14.1-1

Fixed in versions libapache2-mod-auth-mellon/0.14.2-1, libapache2-mod-auth-mellon/0.12.0-2+deb9u1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Uninett/mod_auth_mellon/pull/196
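
The "Found in" and "Fixed in" lines above are only useful if you can order Debian version strings the way dpkg does (epoch, then upstream version, then Debian revision, with "~" sorting before everything else and digit runs compared numerically). The following is an added worked check, not code from the bug log or from the mod_auth_mellon project: it re-implements the dpkg ordering so the test runs on a host without dpkg, takes the two fixed versions from this bug's "Fixed in versions" line, and requires the caller to name the suite, because 0.12.0-2+deb9u1 is fixed on stretch while sorting below the 0.14.2-1 unstable fix. The dpkg-query output line in the example is constructed, not a real capture.

```python
"""Decide whether an installed libapache2-mod-auth-mellon predates the CVE-2019-3878 fix.

Added example: re-implements the dpkg version ordering (epoch, upstream,
Debian revision; '~' sorts before everything, letters before other
non-digits, digit runs compared numerically) so the check runs where
dpkg is not installed. The fixed versions are the ones this bug log lists.
"""

# Fixed versions from the bug log's "Fixed in versions" line, keyed by the
# suite each upload went to (stretch-security and unstable respectively).
FIXED_VERSIONS = {
    "stretch": "0.12.0-2+deb9u1",
    "unstable": "0.14.2-1",
}


def _is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if _is_digit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream version
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def parse_dpkg_query(line: str) -> tuple:
    """Parse one line of: dpkg-query -W -f '${Package}\\t${Version}\\n' <pkg>"""
    package, version = line.rstrip("\n").split("\t", 1)
    return package, version


def is_vulnerable(installed: str, suite: str) -> bool:
    """True if the installed version sorts below the fix uploaded for that suite."""
    return dpkg_compare(installed, FIXED_VERSIONS[suite]) < 0


if __name__ == "__main__":
    # Constructed sample of dpkg-query output on a stretch host (not a real capture).
    sample = "libapache2-mod-auth-mellon\t0.12.0-2\n"
    pkg, ver = parse_dpkg_query(sample)
    print(pkg, ver, "vulnerable" if is_vulnerable(ver, "stretch") else "fixed")
```

Note that a stretch-backports build such as 0.14.2-1~bpo9+1 sorts below 0.14.2-1 under these rules, which is exactly why comparing against the fixed version for the wrong suite gives the wrong answer; pick the suite the package actually came from.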



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#925197; Package src:libapache2-mod-auth-mellon. (Thu, 21 Mar 2019 06:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>. (Thu, 21 Mar 2019 06:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-auth-mellon: CVE-2019-3878: authentication bypass in ECP flow
Date: Thu, 21 Mar 2019 07:13:13 +0100
Source: libapache2-mod-auth-mellon
Version: 0.14.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Uninett/mod_auth_mellon/pull/196
Control: found -1 0.12.0-2

Hi,

The following vulnerability was published for libapache2-mod-auth-mellon.

CVE-2019-3878[0]:
authentication bypass in ECP flow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3878
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1576719
[2] https://github.com/Uninett/mod_auth_mellon/pull/196
[3] https://github.com/Uninett/mod_auth_mellon/commit/e09a28a30e13e5c22b481010f26b4a7743a09280

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libapache2-mod-auth-mellon/0.12.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 Mar 2019 06:15:05 GMT)


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 22 Mar 2019 12:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 22 Mar 2019 12:39:03 GMT)


Message #12 received at 925197-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 925197-close@bugs.debian.org
Subject: Bug#925197: fixed in libapache2-mod-auth-mellon 0.14.2-1
Date: Fri, 22 Mar 2019 12:34:15 +0000
Source: libapache2-mod-auth-mellon
Source-Version: 0.14.2-1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-mellon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925197@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libapache2-mod-auth-mellon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 Mar 2019 12:10:11 +0000
Source: libapache2-mod-auth-mellon
Binary: libapache2-mod-auth-mellon libapache2-mod-auth-mellon-dbgsym
Architecture: source amd64
Version: 0.14.2-1
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 libapache2-mod-auth-mellon - SAML 2.0 authentication module for Apache
Closes: 925197
Changes:
 libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
 .
   * New upstream security release. (closes: #925197)
     - Auth bypass when used with reverse proxy [CVE-2019-3878]
     - Open redirect vulnerability in logout [CVE-2019-3877]
Checksums-Sha1:
 d138d45c4fc837fff4a5488ccfff2d5f80413af7 1747 libapache2-mod-auth-mellon_0.14.2-1.dsc
 35d4359487fb97e9982b501ef3581b49bf985888 950737 libapache2-mod-auth-mellon_0.14.2.orig.tar.gz
 45289bbf501cc47dff7d09dea0377cca549b9df3 3572 libapache2-mod-auth-mellon_0.14.2-1.debian.tar.xz
 5420e94d83f4293a7fd7059f4f8910e4ec66cb4f 206796 libapache2-mod-auth-mellon-dbgsym_0.14.2-1_amd64.deb
 dfb9b0135c1990210ecfc4f81e4280a09c8ebc24 8332 libapache2-mod-auth-mellon_0.14.2-1_amd64.buildinfo
 2edeee35f48286c3428b4f3caed6f87ed272de5d 70108 libapache2-mod-auth-mellon_0.14.2-1_amd64.deb
Checksums-Sha256:
 1be454a1ed199dd86bf8cf130fd68e521d0ad435d8fc3a8ad2ce319ce98ba291 1747 libapache2-mod-auth-mellon_0.14.2-1.dsc
 8290ba57394fb7c551b9902c32bded8711f9656e2d36e351618b952f2c162afc 950737 libapache2-mod-auth-mellon_0.14.2.orig.tar.gz
 6fd03dd75d7e101eb1b6b4898d7c089e5c7eef8bf2ceb2dfd5b011faea744ae7 3572 libapache2-mod-auth-mellon_0.14.2-1.debian.tar.xz
 6b2e90009a41bfdff34309cca6a79b1a2c54f543412a196bf7515c440b5cc229 206796 libapache2-mod-auth-mellon-dbgsym_0.14.2-1_amd64.deb
 53602e91c3fbf920c0c9182e8259fb02fed6497d1eead3f648e11d4e69cb2256 8332 libapache2-mod-auth-mellon_0.14.2-1_amd64.buildinfo
 66e387c7676a245f98820aee45af8bb1f995d43e225cba66bb697fc0b4d62f3e 70108 libapache2-mod-auth-mellon_0.14.2-1_amd64.deb
Files:
 8daf82c08820a33a313bfc46a6469271 1747 web optional libapache2-mod-auth-mellon_0.14.2-1.dsc
 0fe222274967a0db57cd86a03b915a6f 950737 web optional libapache2-mod-auth-mellon_0.14.2.orig.tar.gz
 c29305435c13a6ddc7103a8502ad11e7 3572 web optional libapache2-mod-auth-mellon_0.14.2-1.debian.tar.xz
 58660659478579d4b1202dce34fddf3f 206796 debug optional libapache2-mod-auth-mellon-dbgsym_0.14.2-1_amd64.deb
 bf41b1c926ee607d48cc2e1545d293a5 8332 web optional libapache2-mod-auth-mellon_0.14.2-1_amd64.buildinfo
 de27ef261925be517d5baa5d92ca7d25 70108 web optional libapache2-mod-auth-mellon_0.14.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCAAvFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAlyU0lURHHRoaWpzQGRl
Ymlhbi5vcmcACgkQVvYaeUAdrARatgf/Z2JpVjcSsHn6P/itsgVyIzeDH5nGa+VK
S1Qaw5HhRrStxDIV1wLxm2maRQC7K5rF9KnG12cmRlP1pfijWKSSUt98bpbMDw1I
mmc8XzBFohYZ7uoTQwSuLjlCSEpSpJi+cp3i6VLc8bPKp1UPMbPs9eYtH/x+ayb3
sCdCnAlMzOkYqIUuTEcL82Yoy1tSlvXhsARA/r5bS/4dEaGwZm9AiF7h4TO/UMg3
k5adlqnLirHaFlWmJ4+2HL4cg6+7+LijVK5Gv/QMCzuJKJH2HI4aHk3Y7JqIGHFh
86IgofHe3C2dYI4wM6Wo7AA9DNx9qLUdrOcWZBSE+SSnBB57QU1uWg==
=pJFx
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 29 Mar 2019 01:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 29 Mar 2019 01:21:15 GMT)


Message #17 received at 925197-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 925197-close@bugs.debian.org
Subject: Bug#925197: fixed in libapache2-mod-auth-mellon 0.12.0-2+deb9u1
Date: Fri, 29 Mar 2019 01:19:50 +0000
Source: libapache2-mod-auth-mellon
Source-Version: 0.12.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-mellon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925197@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libapache2-mod-auth-mellon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Mar 2019 13:29:19 +0000
Source: libapache2-mod-auth-mellon
Binary: libapache2-mod-auth-mellon
Architecture: source amd64
Version: 0.12.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 libapache2-mod-auth-mellon - SAML 2.0 authentication module for Apache
Closes: 925197
Changes:
 libapache2-mod-auth-mellon (0.12.0-2+deb9u1) stretch-security; urgency=high
 .
   * Upload to stable-security (closes: #925197)
     - Auth bypass when used with reverse proxy [CVE-2019-3878]
     - Open redirect vulnerability in logout [CVE-2019-3877]
Checksums-Sha1:
 6b58cccf0123920c81ab5ea148fbb40dc9de3487 1799 libapache2-mod-auth-mellon_0.12.0-2+deb9u1.dsc
 3d5cd4137154a7c848d8f3121e6497b88dc5f23e 136754 libapache2-mod-auth-mellon_0.12.0.orig.tar.gz
 15bf0a185fb83b1da0660f0bae34d3f0ddb3ab7b 6640 libapache2-mod-auth-mellon_0.12.0-2+deb9u1.debian.tar.xz
 56716663f443f1301e87e84b1f00064d383c934e 163958 libapache2-mod-auth-mellon-dbgsym_0.12.0-2+deb9u1_amd64.deb
 3c897efefc7ee77fa5e4cef23c5f80bacfab6388 8795 libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.buildinfo
 dd08aa9ce8213c8820d5ad6a594462a3b38c5687 60402 libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.deb
Checksums-Sha256:
 0d155da72f3497c190c829fb5296c19a774b57d9b6ac431b44e8380062263e96 1799 libapache2-mod-auth-mellon_0.12.0-2+deb9u1.dsc
 981c225ee97a3c11abb0237158c5c0c9b1248031adb195ae61b0a70d5d740ff1 136754 libapache2-mod-auth-mellon_0.12.0.orig.tar.gz
 a95c0b69ce8cfc766feb01d66202fae7bfe9e621794d6eeee1802cc2ba291737 6640 libapache2-mod-auth-mellon_0.12.0-2+deb9u1.debian.tar.xz
 26d3f7ace3badd23b40412fe5754f48082d64e20e573c5b15b35e23d96670cc7 163958 libapache2-mod-auth-mellon-dbgsym_0.12.0-2+deb9u1_amd64.deb
 2666969f1ef39ef4f110b995c993b277411562297ae69b105ab93028a8d5720f 8795 libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.buildinfo
 ef256ace25c5cceec03b3e09883e54bf001ace8d44beb0cbaf46adb322ac1cdb 60402 libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.deb
Files:
 ecb906559ebde9da58030606c99a1610 1799 web extra libapache2-mod-auth-mellon_0.12.0-2+deb9u1.dsc
 6c1057847c06d433d4d4a4f55cca1740 136754 web extra libapache2-mod-auth-mellon_0.12.0.orig.tar.gz
 c2c165a74981eca6728ad62eda72fbb6 6640 web extra libapache2-mod-auth-mellon_0.12.0-2+deb9u1.debian.tar.xz
 4211ae7fbcd9e0ee4417e84bfe5005fe 163958 debug extra libapache2-mod-auth-mellon-dbgsym_0.12.0-2+deb9u1_amd64.deb
 b02f5aeecca00dc3a16399ef6d3bb5d3 8795 web extra libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.buildinfo
 e3c73a06fa0402426d0c131b93dc7d5a 60402 web extra libapache2-mod-auth-mellon_0.12.0-2+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCAAvFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAlyWOB0RHHRoaWpzQGRl
Ymlhbi5vcmcACgkQVvYaeUAdrAQeZwgAoBSOIfjFQfK9LD9ZNjxUMpdoZ9ejAJww
idxSaNStywLkPoCWNBnIkQZX16C8/NBw8fNfNDRR85zpHDsMT2xr8txSS4TvgEi2
2DHyokBDbxOowFbckFc04cRw1G2yXveKydvjXFO2AZN/Zj5O6I6SDpAlvhO6fG7a
8M1QWxNeS4AHnQbavQg7PHa9sXyyNEL1zyU49v/RynkzwCrwA0vLh/sIddSpHVWF
t5jqD4Qj/PxozY84D0kdMeGiSBfnnQxZZICMpe2XfsIYtTL/ePIWgjExdbSaAsAb
CUgaYv9aNfj+QPkYm41THgyoUzG5y4IUn7y/YxsRCJBdDh9g8PswZw==
=cik0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Apr 2019 07:39:31 GMT)




Last modified: Wed Jun 19 18:30:59 2019
