mod_auth_mellon is vulnerable to an Open Redirect via the login?ReturnTo= substring which could facilitate information theft.
access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/index
access.redhat.com/errata/RHSA-2020:1003
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1727789
github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
lists.debian.org/debian-lts-announce/2023/03/msg00010.html
lists.fedoraproject.org/archives/list/[email protected]/message/A5E3JVHURJJNDP63CKVX5O5MJAGCQV4K/
lists.fedoraproject.org/archives/list/[email protected]/message/XU5GVFZW3C2M4ZBL4F7UP7N24FNUCX4E/
usn.ubuntu.com/4291-1/
www.oracle.com/security-alerts/cpuapr2022.html