[SECURITY] [DLA 3359-1] libapache2-mod-auth-mellon security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3359-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 13, 2023 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : libapache2-mod-auth-mellon
Version : 0.14.2-1+deb10u1
CVE ID : CVE-2019-13038 CVE-2021-3639
Debian Bug : 931265, 991730
libapache2-mod-auth-mellon, a SAML 2.0 authentication module for Apache,
were reported to have the following vulnerabilities.
CVE-2019-13038
mod_auth_mellon had an Open Redirect via the login?ReturnTo= substring,
as demonstrated by omitting the // after http: in the target URL.
CVE-2021-3639
mod_auth_mellon did not sanitize logout URLs properly. This issue could
be used by an attacker to facilitate phishing attacks by tricking users
into visiting a trusted web application URL that redirects to an external
and potentially malicious server.
For Debian 10 buster, these problems have been fixed in version
0.14.2-1+deb10u1.
We recommend that you upgrade your libapache2-mod-auth-mellon packages.
For the detailed security status of libapache2-mod-auth-mellon please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmQOOdkACgkQgj6WdgbD
S5Y27Q//Z6qTG2JLE/n/Wp8VocADU5YGDQFYVE+RlEcpfjGD7LaoCXPQrnh8gpWH
V/ZY9aONpoUw9isV5iwNNWaYmgJbXF6AmUAgbNVQ0eBvzlJ187XT0qttxg5g+2f6
sZZitMJbK/h/+UMZ1vZZmyhOOVHrrzMVyot+coWUpFeZs2aj4BqMYyM4iod/oRdh
hY4YpPF1e0FvrDGj3SSgFzCa0gOThSxfKJfRJ1b3KR+y/AYF9Z7+pjmTW38p6P93
7a+6Q7x7fLlr18Mcgys0O471pyXap1JfLKVFPSUMzZcUfJNhhREs7qNHEHCzG7/J
XMpJSvaCKBD8WudP+Sv5+01oO3d1KdywVV33Pe+snN8Wwd2zTe6oAzwor9ypx13A
7qOOFsQI1Xh4QxEcltA8bTiytgeAPrhlEa+H0TVHK/F8GVA2XiSmkvM39kcGx5mU
HUPmmigqYkcfDIfzbqqETtqVUUa8qfD0ONCSsvG6lCQtr29fQIFJGP4gb2+MjBEG
M+pr3ofT+XVQCdgpurqDoMKGkUrO3jd9/UHR+g7rFut+FWul82Ssrv2Mn7E+f1FH
JQ7EVpX1CqejsIpe8ZClPyRDeczrSzLPWi2FX4OH7cL03YA7pyPHZ6L50oY6lQye
bBEJUMal51nryKySb+dncdaWurJpM9FdbC5dPwsNwmosyJRqlLE=
=gzUu
-----END PGP SIGNATURE----
Reply to: