Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update

Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update

Package：libapache2-mod-auth-mellon

CVE ID:：CVE-2019-3877 CVE-2019-3878

Debian Bug： 925197

　　在提供SAML 2.0身份验证的Apache模块auth_mellon中发现了几个问题。

cve - 2019 - 3877

　　可以在注销时绕过重定向URL检查，因此该模块可以用作开放重定向工具。

cve - 2019 - 3878

　　当在Apache配置中使用mod_auth_mellon作为http_proxy模块的远程代理时，可以通过发送SAML ECP头来绕过身份验证。

 

　　这些问题在0.12.0-2+deb9u1版本中得到了修复。

　　有关libapache2-mod-auto-mellon的详细安全情况，请参阅其安全跟踪器页面:https://securtracker.debian.org/tracker/libapache2 -mod- auto -mellon

--------------------

Debian Security Advisory DSA-4414-1 libapache2-mod-auth-mellon security update

Package        : libapache2-mod-auth-mellon
CVE ID         : CVE-2019-3877 CVE-2019-3878
Debian Bug     : 925197

Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication.

 

CVE-2019-3877
    It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility.

CVE-2019-3878
    When mod_auth_mellon is used in an Apache configuration which serves as a remote proxy with the http_proxy module, it was possible to bypass authentication by sending SAML ECP headers.

 

These problems have been fixed in version 0.12.0-2+deb9u1.

For the detailed security status of libapache2-mod-auth-mellon please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon