Debian Local Security Checks : Debian: Security Advisory (DSA-4414-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.704414

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-4414-1)

Summary: The remote host is missing an update for the Debian 'libapache2-mod-auth-mellon' package(s) announced via the DSA-4414-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'libapache2-mod-auth-mellon' package(s) announced via the DSA-4414-1 advisory.

Vulnerability Insight:
Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication.

CVE-2019-3877

It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility.

CVE-2019-3878

When mod_auth_mellon is used in an Apache configuration which serves as a remote proxy with the http_proxy module, it was possible to bypass authentication by sending SAML ECP headers.

For the stable distribution (stretch), these problems have been fixed in version 0.12.0-2+deb9u1.

We recommend that you upgrade your libapache2-mod-auth-mellon packages.

For the detailed security status of libapache2-mod-auth-mellon please refer to its security tracker page at: [link moved to references]

Affected Software/OS:
'libapache2-mod-auth-mellon' package(s) on Debian 9.

Solution:
Please install the updated package(s).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-3877
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ/
RedHat Security Advisories: RHSA-2019:0766
https://access.redhat.com/errata/RHSA-2019:0766
RedHat Security Advisories: RHSA-2019:3421
https://access.redhat.com/errata/RHSA-2019:3421
https://usn.ubuntu.com/3924-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-3878
RedHat Security Advisories: RHBA-2019:0959
https://access.redhat.com/errata/RHBA-2019:0959
RedHat Security Advisories: RHSA-2019:0746
https://access.redhat.com/errata/RHSA-2019:0746
RedHat Security Advisories: RHSA-2019:0985
https://access.redhat.com/errata/RHSA-2019:0985

Copyright Copyright (C) 2019 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.704414
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-4414-1)
Summary:	The remote host is missing an update for the Debian 'libapache2-mod-auth-mellon' package(s) announced via the DSA-4414-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'libapache2-mod-auth-mellon' package(s) announced via the DSA-4414-1 advisory. Vulnerability Insight: Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication. CVE-2019-3877 It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility. CVE-2019-3878 When mod_auth_mellon is used in an Apache configuration which serves as a remote proxy with the http_proxy module, it was possible to bypass authentication by sending SAML ECP headers. For the stable distribution (stretch), these problems have been fixed in version 0.12.0-2+deb9u1. We recommend that you upgrade your libapache2-mod-auth-mellon packages. For the detailed security status of libapache2-mod-auth-mellon please refer to its security tracker page at: [link moved to references] Affected Software/OS: 'libapache2-mod-auth-mellon' package(s) on Debian 9. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-3877 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ/ RedHat Security Advisories: RHSA-2019:0766 https://access.redhat.com/errata/RHSA-2019:0766 RedHat Security Advisories: RHSA-2019:3421 https://access.redhat.com/errata/RHSA-2019:3421 https://usn.ubuntu.com/3924-1/ Common Vulnerability Exposure (CVE) ID: CVE-2019-3878 RedHat Security Advisories: RHBA-2019:0959 https://access.redhat.com/errata/RHBA-2019:0959 RedHat Security Advisories: RHSA-2019:0746 https://access.redhat.com/errata/RHSA-2019:0746 RedHat Security Advisories: RHSA-2019:0985 https://access.redhat.com/errata/RHSA-2019:0985
Copyright	Copyright (C) 2019 Greenbone AG