Red Hat Product Errata RHSA-2019:0766 - Security Advisory

Issued:: 2019-04-16
Updated:: 2019-04-16

RHSA-2019:0766 - Security Advisory

Overview
Updated Packages

Synopsis

Important: mod_auth_mellon security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)
mod_auth_mellon: open redirect in logout url when using URLs with backslashes (CVE-2019-3877)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) (BZ#1697487)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 7.6 x86_64
Red Hat Enterprise Linux Server - AUS 7.6 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
Red Hat Enterprise Linux Server - TUS 7.6 x86_64
Red Hat Enterprise Linux for ARM 64 7 aarch64
Red Hat Enterprise Linux for Power 9 7 ppc64le
Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

BZ - 1691125 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
BZ - 1691126 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow
BZ - 1697487 - mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) [rhel-7.6.z]

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux Server - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux Server - AUS 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux Workstation 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

Red Hat Enterprise Linux for Power, big endian 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: b1ba3a67fa3b50cde76070fbc02502e1a983cf8c0366e006552bc0fecdc41738
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 2d5ad897cdab16bb85998461afde83711a6e074b713bd3bcd5c3d57f654f6948

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: b1ba3a67fa3b50cde76070fbc02502e1a983cf8c0366e006552bc0fecdc41738
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64.rpm	SHA-256: 2d5ad897cdab16bb85998461afde83711a6e074b713bd3bcd5c3d57f654f6948

Red Hat Enterprise Linux for Power, little endian 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server - TUS 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for ARM 64 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
aarch64
mod_auth_mellon-0.14.0-2.el7_6.4.aarch64.rpm	SHA-256: 2db8f938f2ebe24fc9dd8824f4968c7b7794673e28cd08b49cd13f68ed6f86ea
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.aarch64.rpm	SHA-256: c9bac388bcce589a3a4c3d4cbe9e1c1278d91588cf598e7b616e3d3f37a0c9e4
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.aarch64.rpm	SHA-256: c9bac388bcce589a3a4c3d4cbe9e1c1278d91588cf598e7b616e3d3f37a0c9e4
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.aarch64.rpm	SHA-256: 80bc078e276519c0b4a6afa920f344e08827bf1a04e6597ac821c0d54b747d7c

Red Hat Enterprise Linux for Power 9 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm	SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm	SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm	SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm	SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.