[SECURITY] [DLA 3359-1] libapache2-mod-auth-mellon security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3359-1] libapache2-mod-auth-mellon security update
From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date: Mon, 13 Mar 2023 02:15:57 +0530
Message-id: <[🔎] CAPP0f97LYn1eqwMSoCQh8aAx77uTRWXhSfqNssQqiZKka_-QDw@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3359-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 13, 2023                              https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : libapache2-mod-auth-mellon
Version        : 0.14.2-1+deb10u1
CVE ID         : CVE-2019-13038 CVE-2021-3639
Debian Bug     : 931265, 991730

libapache2-mod-auth-mellon, a SAML 2.0 authentication module for Apache,
were reported to have the following vulnerabilities.

CVE-2019-13038

    mod_auth_mellon had an Open Redirect via the login?ReturnTo= substring,
    as demonstrated by omitting the // after http: in the target URL.

CVE-2021-3639

    mod_auth_mellon did not sanitize logout URLs properly. This issue could
    be used by an attacker to facilitate phishing attacks by tricking users
    into visiting a trusted web application URL that redirects to an external
    and potentially malicious server.

For Debian 10 buster, these problems have been fixed in version
0.14.2-1+deb10u1.

We recommend that you upgrade your libapache2-mod-auth-mellon packages.

For the detailed security status of libapache2-mod-auth-mellon please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-mellon

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmQOOdkACgkQgj6WdgbD
S5Y27Q//Z6qTG2JLE/n/Wp8VocADU5YGDQFYVE+RlEcpfjGD7LaoCXPQrnh8gpWH
V/ZY9aONpoUw9isV5iwNNWaYmgJbXF6AmUAgbNVQ0eBvzlJ187XT0qttxg5g+2f6
sZZitMJbK/h/+UMZ1vZZmyhOOVHrrzMVyot+coWUpFeZs2aj4BqMYyM4iod/oRdh
hY4YpPF1e0FvrDGj3SSgFzCa0gOThSxfKJfRJ1b3KR+y/AYF9Z7+pjmTW38p6P93
7a+6Q7x7fLlr18Mcgys0O471pyXap1JfLKVFPSUMzZcUfJNhhREs7qNHEHCzG7/J
XMpJSvaCKBD8WudP+Sv5+01oO3d1KdywVV33Pe+snN8Wwd2zTe6oAzwor9ypx13A
7qOOFsQI1Xh4QxEcltA8bTiytgeAPrhlEa+H0TVHK/F8GVA2XiSmkvM39kcGx5mU
HUPmmigqYkcfDIfzbqqETtqVUUa8qfD0ONCSsvG6lCQtr29fQIFJGP4gb2+MjBEG
M+pr3ofT+XVQCdgpurqDoMKGkUrO3jd9/UHR+g7rFut+FWul82Ssrv2Mn7E+f1FH
JQ7EVpX1CqejsIpe8ZClPyRDeczrSzLPWi2FX4OH7cL03YA7pyPHZ6L50oY6lQye
bBEJUMal51nryKySb+dncdaWurJpM9FdbC5dPwsNwmosyJRqlLE=
=gzUu
-----END PGP SIGNATURE----

Reply to:

Prev by Date: [SECURITY] [DLA 3358-1] mpv security update
Next by Date: [SECURITY] [DLA 3360-1] ruby-sidekiq security update
Previous by thread: [SECURITY] [DLA 3358-1] mpv security update
Next by thread: [SECURITY] [DLA 3360-1] ruby-sidekiq security update
Index(es):
- Date
- Thread