drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in libapache2-mod-auth-mellon
Name: |
Zwei Probleme in libapache2-mod-auth-mellon |
|
ID: |
DSA-4414-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian stretch |
|
Datum: |
So, 24. März 2019, 08:57 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3877 |
|
Applikationen: |
libapache2-mod-auth-mellon |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
- ------------------------------------------------------------------------- Debian Security Advisory DSA-4414-1 security@debian.org https://www.debian.org/security/ Thijs Kinkhorst March 23, 2019 https://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : libapache2-mod-auth-mellon CVE ID : CVE-2019-3877 CVE-2019-3878 Debian Bug : 925197
Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication.
CVE-2019-3877
It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility.
CVE-2019-3878
When mod_auth_mellon is used in an Apache configuration which serves as a remote proxy with the http_proxy module, it was possible to bypass authentication by sending SAML ECP headers.
For the stable distribution (stretch), these problems have been fixed in version 0.12.0-2+deb9u1.
We recommend that you upgrade your libapache2-mod-auth-mellon packages.
For the detailed security status of libapache2-mod-auth-mellon please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeANVtepr/II1qZxLVvYaeUAdrAQFAlyWe+MACgkQVvYaeUAd rASMEQgAlsebzAPt/bIykrBsTToTwxIlPph2FDykbdaG3rgdkminw2UjjztDz9Tl f9Ej8hg8xPh5OAw1mU9Ap32BuLEp2uE+BJKSDHS2zfVfgFhvlA/qateSu/YluT6s zU1JJQtLnS5x9P0N/Illw+a9582YA9dpzc8cT2SiKhDbP7ZCt/j1k+ubFeFmMszN G+QxJ0CtC4p2XnqezZ7l6WVBi7AmW9CIJU0SGGmHILekNi0hmIlsNvXZwEqf0Xv5 jl3+L4AJtZUzdjI0wzRhj/V8FhtAKP4VEQuLRNyZGu58fjHe7vrzFXzPHuULexbI xs8a6iMm7dehr8G6CgUqixtsZKJWcw== =yo57 -----END PGP SIGNATURE-----
|
|
|
|