(RHSA-2019:3421) Moderate: mod_auth_mellon security, bug fix, and enhancement update

2019-11-0517:44:06

access.redhat.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

59.0%

JSON

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

mod_auth_mellon: open redirect in logout url when using URLs with backslashes (CVE-2019-3877)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

OSVersionArchitecturePackageVersionFilename
RedHat8ppc64lemod_auth_mellon-debuginfo< 0.14.0-9.el8mod_auth_mellon-debuginfo-0.14.0-9.el8.ppc64le.rpm
RedHat8x86_64mod_auth_mellon-diagnostics-debuginfo< 0.14.0-9.el8mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.x86_64.rpm
RedHat8x86_64mod_auth_mellon-debugsource< 0.14.0-9.el8mod_auth_mellon-debugsource-0.14.0-9.el8.x86_64.rpm
RedHat8ppc64lemod_auth_mellon-debugsource< 0.14.0-9.el8mod_auth_mellon-debugsource-0.14.0-9.el8.ppc64le.rpm
RedHat8ppc64lemod_auth_mellon-diagnostics< 0.14.0-9.el8mod_auth_mellon-diagnostics-0.14.0-9.el8.ppc64le.rpm
RedHat8x86_64mod_auth_mellon-diagnostics< 0.14.0-9.el8mod_auth_mellon-diagnostics-0.14.0-9.el8.x86_64.rpm
RedHat8ppc64lemod_auth_mellon-diagnostics-debuginfo< 0.14.0-9.el8mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.ppc64le.rpm
RedHat8aarch64mod_auth_mellon-diagnostics-debuginfo< 0.14.0-9.el8mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.aarch64.rpm
RedHat8s390xmod_auth_mellon-diagnostics< 0.14.0-9.el8mod_auth_mellon-diagnostics-0.14.0-9.el8.s390x.rpm
RedHat8x86_64mod_auth_mellon< 0.14.0-9.el8mod_auth_mellon-0.14.0-9.el8.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	8	ppc64le	mod_auth_mellon-debuginfo	< 0.14.0-9.el8	mod_auth_mellon-debuginfo-0.14.0-9.el8.ppc64le.rpm
RedHat	8	x86_64	mod_auth_mellon-diagnostics-debuginfo	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.x86_64.rpm
RedHat	8	x86_64	mod_auth_mellon-debugsource	< 0.14.0-9.el8	mod_auth_mellon-debugsource-0.14.0-9.el8.x86_64.rpm
RedHat	8	ppc64le	mod_auth_mellon-debugsource	< 0.14.0-9.el8	mod_auth_mellon-debugsource-0.14.0-9.el8.ppc64le.rpm
RedHat	8	ppc64le	mod_auth_mellon-diagnostics	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-0.14.0-9.el8.ppc64le.rpm
RedHat	8	x86_64	mod_auth_mellon-diagnostics	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-0.14.0-9.el8.x86_64.rpm
RedHat	8	ppc64le	mod_auth_mellon-diagnostics-debuginfo	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.ppc64le.rpm
RedHat	8	aarch64	mod_auth_mellon-diagnostics-debuginfo	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-debuginfo-0.14.0-9.el8.aarch64.rpm
RedHat	8	s390x	mod_auth_mellon-diagnostics	< 0.14.0-9.el8	mod_auth_mellon-diagnostics-0.14.0-9.el8.s390x.rpm
RedHat	8	x86_64	mod_auth_mellon	< 0.14.0-9.el8	mod_auth_mellon-0.14.0-9.el8.x86_64.rpm