Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

oracle-oval логотип

ELSA-2019-0766

Опубликовано: 16 апр. 2019
Источник: oracle-oval
Платформа: Oracle Linux 7

Описание

ELSA-2019-0766: mod_auth_mellon security and bug fix update (IMPORTANT)

[0.14.0-2.4]

  • Actually apply the patch in the previous build
  • Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes

[0.14.0-2.3]

  • Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes [rhel-7] [rhel-7.6.z]

[0.14.0-2.2]

  • Resolves: rhbz#1697487 - mod_auth_mellon Cert files name wrong when hostname contains a number

[0.14.0-2.1]

  • Resolves: rhbz#1692455 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow [rhel-7.6.z]

Обновленные пакеты

Oracle Linux 7

Oracle Linux aarch64

mod_auth_mellon

0.14.0-2.el7_6.4

mod_auth_mellon-diagnostics

0.14.0-2.el7_6.4

Oracle Linux x86_64

mod_auth_mellon

0.14.0-2.el7_6.4

mod_auth_mellon-diagnostics

0.14.0-2.el7_6.4

Связанные CVE

CVE-2019-3877
CVE-2019-3878

Ссылки на источники

Связанные уязвимости

ubuntu логотип

CVE-2019-3878

CVSS3: 8.1
ubuntu
больше 6 лет назад

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

redhat логотип

CVE-2019-3878

CVSS3: 8.1
redhat
больше 7 лет назад

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

nvd логотип

CVE-2019-3878

CVSS3: 8.1
nvd
больше 6 лет назад

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

debian логотип

CVE-2019-3878

CVSS3: 8.1
debian
больше 6 лет назад

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache ...

ubuntu логотип

CVE-2019-3877

CVSS3: 5.8
ubuntu
больше 6 лет назад

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.