it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 4414-1] libapache2-mod-auth-mellon security update

it-securitynotifies AT lists.piratenpartei.de

Subject: security announcements


  • From: Thijs Kinkhorst <thijs AT debian.org>
  • To: <debian-security-announce AT lists.debian.org>
  • Subject: [IT-SecNots] [SECURITY] [DSA 4414-1] libapache2-mod-auth-mellon security update
  • Date: Sat, 23 Mar 2019 19:33:10 +0100
  • Autocrypt: addr=thijs AT debian.org; prefer-encrypt=mutual; keydata= xsFNBEW40xEBEACsjYy6O2QKo3TaXMial0EqM5KiJ09PsGi05grsPJS6x5OgIHdhOUFk5Bdd cyAEmXvtG5q3/JLFbUwtX3QToii7CHZ04buSGZRMgg56873E8aDPC6v06umVg1BBd/ZQX8Nx gtKyZiBruu0SOZhMAMS9WwvPEa1qy8DWj1+JOiSDsNuxptM1VUc26Ii/TJAg3AfHpV2oHA5m ZOgJgcxjPw46MiKnsTB2vvrXs1D66kCcg5OGPJYoJP5438GL++oCGb4YhDCl8GqE7FumY3pc 0uwanRgO/QIA8YoZt3j9m/UN1lq5oG8bwKIUYK5gtb8KmvCyrvdtR9xtHEFsRt3YiVWtH6Y7 ypmYnv42sfZ1qHzBJPmQd4O1dY2XvZ7nZW4YGAIbiwXpiNZnj3hyQROmsKcaCCq4C8eBjMoJ c87OADKeaLDu6ppgry1wPUEcARFd2jW2owAPapCDIUmNB+Uz4CgIAEJSZ+pfvx8nFEcfXCRY Ve+sAGvNRBXNqUBWAb2gFjDFBDm2t9IkAqIo9PPIWtealVzzuYmW70rhQVFlR+rKarvZ8neh /8yXvQ9ifCqvCovzavx0wBHqMaDk9/a7jvgeEBA855ep6TCfCkRh/fS1LnVChulCzfMZDZRP s/Dl2u3kB7akoWczlZpjX37Q5FBBt3ucbqwrTe/qGVqRzY4YMQARAQABzSVUaGlqcyBLaW5r aG9yc3QgPHRoaWpzQGtpbmtob3JzdC5jb20+wsF/BBMBCAApAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4ACGQEFAlWU4HkFCSKoEGUACgkQM5YViOHCGEU22A//ZzeNxC7DM8I7Qyp9eWSE Pj1bBjpOUubOQJU3uyNP54pzJ3341ZP3QsTwSHsph/HOpHsrx/y13GuI3+YT6FTj3gVFOh65 zjnl75iA0aM/hMwVqwsw9RMANBEFFhkGUlxUAMHhyweD7mK+Aj4qAm2EBbTHgFbskG3HWcfA /j2K6OecImVdPbG5V5g5ipFB9ztbjTDoqjPgCxC4W/nNzrByMSIatACNISiBAvpLAGfAuAj9 ib0c5WuqGxO2jBaHwEIdGFZ87kht81knp/HPL8Jt7u11iL35iQayhHXlOkOlNf247PeLatQD ei7TDm2QBtJblTlgYEwpNFOF7JhP1Pk15FowKyJt04rgR1EnwHrffjBMcLXS7z2Gx5Lmdovn d28r6LEcDbnEjpcSZ9oMApzxGz6ENncuJx+dnXkQn5ddk5Qf1z3rhGycS5Iv1Uer+EeW3ick PF5dW+oZ+VRYEFtL6WzLLC3QaVK1Hj+oQUsT9tpEYFldWDl0ZZl2s8XuqmRyeQO9mjG8aNID RhVUNDs8wr3hpu8qx0hwWYzFEKOk5jMCCOTzGHJH2aQ4I2dywA++gEj/rV12Emesnmz9YmV9 J4ljvDZAsrcxqVqxHt2uPTjLq7sMxGwxnwOiAQD0EXzefnp7b8miabLpmGcjfyexgDEjAd/F Wyi/qsz9Yl0QQA3OwE0ET9xucwEIAKajchPpzVdj5h0VYu687GCw6K2ey3kw6AGUHkbHvi82 oB2YazoZ66CpNsV/Sf9Qxbj6ra9RQrNWRbCKrzgLzr+uY73VCbXJH6KuKvneuOes7naXamcS Taml8a2stcMrObjEmy1gbQJiS0+tD87m/taYwyKKyh2sVHc/Vq2tM0MVAzB2yqd2M6evTd9E pg7PA73WYwo5Nxo6L8EBK/EkuyWhytxa0Q5jqLZ0OwvIQRfo9C89JHjNCob9CFsq9hx8w4Y3 5A521EPig50vDiGUdjYJWGYGMoX1zdGiYLNmMODyYXKjaGb/9M7ITy3c2aVolw5+17P58lxK 
aZSx+NUO/oMAEQEAAcLBZQQYAQIADwIbDAUCU7EQhAUJBbXVjwAKCRAzlhWI4cIYRWnQEACm yEFSnjIVJqyt+CUHIKVjc9lyZ9sBdfsIH8/fGgfbpPiPefKvEK7L/yWaG2J5MEAPlkA4DsgI 1C7n7f8KhxdlzN7E9R+L4LsSogAp7pG9USM/1t6lpqyP+L7bAUkr/EbBmAquyPZoLJ2GbWqX 0u+P8QsSd+0FQ8JGwIOf00r4c9d4SrE9dzd5QMrfFr1l+h0Mcl5GK+MhlVcYxeptAlwvQkTn K/CNTWkhwWokvw4VtAKZ0PKb71HGWwsBbjT6bDOf+MhPr2nBhouK/rf6G+t25mOn/OiROyTx VzDf5XHSMfr2aDnDZIMzdIzRRskynSD09GW8/TNi/EG+qCIZHM8YDR0oyle1na7H8f1Jhow4 iodrp4Uw7cF+/N18EIm/9aYUOTw57mA2RSDOotEOiWXG7MTBPR+44vlpydjqD/Hq8JQWtkQV J/xTc67pijmz4Ffde8X2BJrljzr2o+QD9YNMdD0iLA3U2AQzWvVuc+ElAr25g6mLCidNIUH2 MzEcHACrLn9JJjtWsrORMYGCThcqr7OnlM3vpFychIW0lyjZ6O+y3aF1YVn75g/bkUh369CY Jf/5ir/qTZ15SIX0gwlhIOoOXc9WCMy6RxXUwdobQXEguu0x0SUHC2Jak6H4jzKpAiHqu3vn wE6AQ4yhXmBdXZQTH/qXMLRSo1vHjU6GRMLBZQQYAQgADwIbDAUCVZThQgUJB5mmTAAKCRAz lhWI4cIYRUniD/46tfqF7Y7dDA4WpQ+jMXSteuNKRogOdeC5/NnosF7GuXVrCpEnZKOXS3eS aOlbZYBH3XisTBln7Z1whW+NXD7X+VSAkg3o34YzOBdYcCj8pGFlPxbSYSgtI7b1ynu0VT0d 3xAWfXlNY4+kn0IUcYJdRPafNODweHUaDFuJ3g5VtZ80eAxzos5rfFVCHy+Yv581u6wiWDcl fk9mlrxUU+HdductmSbMfdlGUvfG2NSBJj9CGGTLA0a2Z4T9XRGA8U09Nlo35Khp1Z081PZ1 g5CiTxQ4mZcn55Htf2PSmX2X3gNrEmAZ6tX9X7LQCv+GiHlU7Ktxj4T/XdQUxK8gyEqiqT68 rJ8OOJbPvSSg6wdqPUh28CgBENd3dKxvzipwDAtiL569lYH0gCr3ZcyGocYtTT1sjUa6LYWT jWOnaeDFN6LLq7iw693hKtCDo/OlzdmETfeJgU7qUDbB/qXgHK6/9Ar0NwWLxGnCdwDxB1pB L2a28QeJABxDOLavAkAXFcni6sPOWBCXWcDC+SLRbSKLUzNDxaXxgwNhnyGNRZ5OaX06/vY5 RRq5JikhZsNCIWGeNrwENKnDLs4l+/Dohxrwit2DUzbls34PUvnU+xpIDzqVnV/z5L6dlyAC DLrB0e7Aqe23wtdBIgHwgz9asKQ8PxweXCIIifbGPmlizTWLN8LBZQQYAQgADwIbDAUCV39a WAUJFqyH4gAKCRAzlhWI4cIYRZd+EACKEKFB14mptjWXaswPTtULCi4dMfFVOfRWoi4+iQFf 5m5zztTfIq+SN9OtnfBelROM7bMvwx/qjrZ1Jipw4eKtwNlMVv3v6zrDeb+BEF/VPqbPnN7N BCcF/OeDGdY0g56TdWyOtZWcEsOqLaKrpd0XTh8Tr+VXNnyX+tHLmKksXBg3ob8utB2R9+Ch Ua4LRjOPPMJqJdHWa1jkJEuWfUEmCkJtpnYMaRZ61K46ZZ1AIxnxGT5TsTOsbURVgsu12IrU MA+P9eMsm8H1yQv2mVAjxMKk/JoE/aEeHKQf9aBT3NGEaqukvDVnFAny1klSOVx0ZtFtPih0 jAEyWsdiUHbt+ut3MT8gVq64rFXFqmwkQ2GI6U/lWRweBazXCVuLAGUNCu0MIs8dsS4sJc6S 
9IyQ/xQmf8UoIT6FYOOsiLpEiyduDWxYfM9CYpKnBM+UUcrHMbvQMkkKVmXMnVeHWoOGX+Eb rtECkfGMxJFAhyBTunI0E8tiUyFT+QZiSBVv4uk5zzgkl4t+YPwaeySXdvTAF8SqnJUE2fNy FGi/jLvFoMzCRCq/G69Lq/PKYn5RPEPW/Mg3gWaEfPZszz6q5QjPnLUe1TOky2nykNRjUTtJ i62Crr1hN+GS7em7YuwtCC9u/l7PbA1BgrqNPSP+ziBI3Mxyb18ne85H9GtStOTtQA==
  • List-archive: https://lists.debian.org/msgid-search/93d6c69f-c7bd-3120-eca2-ca035801d4c5 AT debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-return-path: <thijs AT debian.org>
  • Openpgp: preference=signencrypt
  • Priority: urgent
  • Resent-date: Sat, 23 Mar 2019 18:33:28 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <KgIRi57s_jG.A.TvB.4vnlcB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4414-1                   security AT debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
March 23, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-mellon
CVE ID         : CVE-2019-3877 CVE-2019-3878
Debian Bug     : 925197

Several issues have been discovered in the Apache module auth_mellon, which
provides SAML 2.0 authentication.

CVE-2019-3877

It was possible to bypass the redirect URL checking on logout, so
the module could be used as an open redirect facility.
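The redirect-target check the advisory refers to is, in general terms, the one a SAML service provider must apply to any caller-supplied post-logout URL: the URL has to stay on the provider's own origin, or the logout endpoint doubles as an open redirect. The following added example is not code from mod_auth_mellon or from Debian; the origin allow-list, the `naive_is_safe` and `strict_is_safe` names, and every URL in it are constructed. It contrasts a prefix check, which other hosts can satisfy, with a check that pins scheme, host and port to an allowed origin and refuses backslashes and control characters that browsers may reinterpret.

```python
"""Validating a post-logout redirect target (added example).

This is not code from mod_auth_mellon or the Debian advisory; it models the
class of check CVE-2019-3877 is about. A service provider that follows a
caller-supplied "ReturnTo" URL after logout must pin that URL to its own
origin, or the logout endpoint becomes an open redirect. The allowed origin
and all sample URLs are constructed for the example.
"""
from urllib.parse import urlsplit

# Hypothetical allow-list: (scheme, host, port) triples this SP may send
# users back to after logout.
ALLOWED_ORIGINS = {("https", "sp.example.com", 443)}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_safe(url: str) -> bool:
    """A prefix check of the kind that is easy to get wrong: any string that
    begins with the SP's base URL passes, including other hosts."""
    return url.startswith("https://sp.example.com")


def strict_is_safe(url: str) -> bool:
    """Accept only an absolute http(s) URL whose scheme, host and port match an
    allowed origin exactly; reject anything a browser might parse differently."""
    # Backslashes and control characters are refused outright: browsers treat
    # '\' as '/', and CR/LF or whitespace can split a Location header.
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return False  # scheme-relative, data:, javascript: and empty hosts
    origin = (parts.scheme, parts.hostname, port or _DEFAULT_PORTS[parts.scheme])
    return origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    for candidate in (
        "https://sp.example.com/logout/done",
        "https://sp.example.com.evil.example/",
        "https://sp.example.com@evil.example/",
        "//evil.example/",
    ):
        print(f"{candidate!r:48} naive={naive_is_safe(candidate)} strict={strict_is_safe(candidate)}")
```

Run it directly to see which candidates each check accepts. The same rule applies to any relay-state or return-URL parameter a SAML endpoint honours, not only the logout one.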

CVE-2019-3878

When mod_auth_mellon is used in an Apache configuration that
serves as a remote proxy with the http_proxy module, it was
possible to bypass authentication by sending SAML ECP (Enhanced
Client or Proxy) headers.
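For administrators who want to look for this request pattern in their own logs, the following added example (not part of the advisory or of mod_auth_mellon) parses constructed Apache access-log lines in which the Accept and PAOS request headers have been logged, and reports ECP-marked requests that reached a protected, proxied path. The `LogFormat` quoted in the docstring, the `PROTECTED_PREFIXES` list, the function names and the log lines are all assumptions of the example.

```python
"""Spotting SAML ECP requests against proxied, Mellon-protected paths.

Added example, not code from mod_auth_mellon or Debian. CVE-2019-3878 is
triggered by requests that present ECP (Enhanced Client or Proxy) headers to
a location that mod_auth_mellon protects and mod_proxy forwards. An ECP
client announces itself with two request headers defined by the SAML ECP
profile: "Accept: application/vnd.paos+xml" and a "PAOS:" header naming the
PAOS and ECP URNs. This script assumes Apache was told to log both headers
with a custom LogFormat, for example (constructed):

    LogFormat "%h %t \\"%r\\" %>s \\"%{Accept}i\\" \\"%{PAOS}i\\"" ecp_audit

The protected prefixes and the log lines below are constructed.
"""
import re

# Hypothetical: locations covered by MellonEnable "auth" and ProxyPass.
PROTECTED_PREFIXES = ("/app/", "/api/")

PAOS_MIME = "application/vnd.paos+xml"
PAOS_NS = "urn:liberty:paos:2003-08"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<accept>[^"]*)" "(?P<paos>.*)"$'
)

# Constructed sample in the ecp_audit format above (Apache escapes quotes
# inside logged header values as \").
SAMPLE_LOG = r"""
203.0.113.7 [23/Mar/2019:19:40:01 +0100] "GET /app/dashboard HTTP/1.1" 302 "text/html" "-"
203.0.113.7 [23/Mar/2019:19:40:09 +0100] "GET /app/dashboard HTTP/1.1" 200 "text/html, application/vnd.paos+xml" "ver=\"urn:liberty:paos:2003-08\";\"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp\""
198.51.100.2 [23/Mar/2019:19:41:30 +0100] "GET /public/index.html HTTP/1.1" 200 "application/vnd.paos+xml" "-"
203.0.113.7 [23/Mar/2019:19:42:00 +0100] "POST /api/items HTTP/1.1" 200 "*/*" "-"
"""


def parse_line(line: str):
    """Return the fields of one ecp_audit log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_ecp_request(rec: dict) -> bool:
    """True when either ECP marker header is present on the request."""
    return PAOS_MIME in rec["accept"].lower() or PAOS_NS in rec["paos"]


def find_ecp_on_protected(log_text: str):
    """Return (client, path, status, served) for every ECP-marked request to a
    protected prefix. 'served' is True for a 2xx answer, which is the case
    worth reviewing on an unpatched module: the backend answered a request
    that should first have gone through the SAML authentication flow."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ecp_request(rec):
            continue
        if not rec["path"].startswith(PROTECTED_PREFIXES):
            continue
        hits.append((rec["ip"], rec["path"], rec["status"], 200 <= rec["status"] < 300))
    return hits


if __name__ == "__main__":
    for ip, path, status, served in find_ecp_on_protected(SAMPLE_LOG):
        flag = "REVIEW" if served else "attempt"
        print(f"{flag:8} {ip:15} {path} -> {status}")
```

A 2xx answer to such a request is not proof of a bypass on its own (a deployment that deliberately supports ECP clients will produce them), so the output is a review list, not an alert; the fixed package version below is the actual remedy.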

For the stable distribution (stretch), these problems have been fixed in
version 0.12.0-2+deb9u1.

We recommend that you upgrade your libapache2-mod-auth-mellon packages.

For the detailed security status of libapache2-mod-auth-mellon please
refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAlyWe+MACgkQVvYaeUAd
rASMEQgAlsebzAPt/bIykrBsTToTwxIlPph2FDykbdaG3rgdkminw2UjjztDz9Tl
f9Ej8hg8xPh5OAw1mU9Ap32BuLEp2uE+BJKSDHS2zfVfgFhvlA/qateSu/YluT6s
zU1JJQtLnS5x9P0N/Illw+a9582YA9dpzc8cT2SiKhDbP7ZCt/j1k+ubFeFmMszN
G+QxJ0CtC4p2XnqezZ7l6WVBi7AmW9CIJU0SGGmHILekNi0hmIlsNvXZwEqf0Xv5
jl3+L4AJtZUzdjI0wzRhj/V8FhtAKP4VEQuLRNyZGu58fjHe7vrzFXzPHuULexbI
xs8a6iMm7dehr8G6CgUqixtsZKJWcw==
=yo57
-----END PGP SIGNATURE-----




Archive provided by MHonArc 2.6.19.
