Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update
Package:libapache2-mod-auth-mellon
CVE ID::CVE-2019-3877 CVE-2019-3878
Debian Bug: 925197
在提供SAML 2.0身份验证的Apache模块auth_mellon中发现了几个问题。
cve - 2019 - 3877
可以在注销时绕过重定向URL检查,因此该模块可以用作开放重定向工具。
cve - 2019 - 3878
当在Apache配置中使用mod_auth_mellon作为http_proxy模块的远程代理时,可以通过发送SAML ECP头来绕过身份验证。
这些问题在0.12.0-2+deb9u1版本中得到了修复。
有关libapache2-mod-auto-mellon的详细安全情况,请参阅其安全跟踪器页面:https://securtracker.debian.org/tracker/libapache2 -mod- auto -mellon
--------------------
Debian Security Advisory DSA-4414-1 libapache2-mod-auth-mellon security update
Package : libapache2-mod-auth-mellon
CVE ID : CVE-2019-3877 CVE-2019-3878
Debian Bug : 925197
Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication.
CVE-2019-3877
It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility.
CVE-2019-3878
When mod_auth_mellon is used in an Apache configuration which serves as a remote proxy with the http_proxy module, it was possible to bypass authentication by sending SAML ECP headers.
These problems have been fixed in version 0.12.0-2+deb9u1.
For the detailed security status of libapache2-mod-auth-mellon please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon