Issued:
2019-04-16
Updated:
2019-04-16

RHSA-2019:0766 - Security Advisory

Synopsis

Important: mod_auth_mellon security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

  • mod_auth_mellon: authentication bypass in ECP flow (CVE-2019-3878)
  • mod_auth_mellon: open redirect in logout url when using URLs with backslashes (CVE-2019-3877)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) (BZ#1697487)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 7.6 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 7.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 7 aarch64
  • Red Hat Enterprise Linux for Power 9 7 ppc64le
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
  • Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

  • BZ - 1691125 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
  • BZ - 1691126 - CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow
  • BZ - 1697487 - mod_auth_mellon Cert files name wrong when hostname contains a number (fixed in upstream package) [rhel-7.6.z]

Red Hat Enterprise Linux Server 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux Server - AUS 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux Workstation 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

Red Hat Enterprise Linux for Power, big endian 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: b1ba3a67fa3b50cde76070fbc02502e1a983cf8c0366e006552bc0fecdc41738
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 2d5ad897cdab16bb85998461afde83711a6e074b713bd3bcd5c3d57f654f6948

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: b1ba3a67fa3b50cde76070fbc02502e1a983cf8c0366e006552bc0fecdc41738
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 3be876260836968ce4cc68e4ae60c45920c1675167ae48fd89ba88a9ab3d6888
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64.rpm SHA-256: 2d5ad897cdab16bb85998461afde83711a6e074b713bd3bcd5c3d57f654f6948

Red Hat Enterprise Linux for Power, little endian 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server - TUS 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for ARM 64 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
aarch64
mod_auth_mellon-0.14.0-2.el7_6.4.aarch64.rpm SHA-256: 2db8f938f2ebe24fc9dd8824f4968c7b7794673e28cd08b49cd13f68ed6f86ea
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.aarch64.rpm SHA-256: c9bac388bcce589a3a4c3d4cbe9e1c1278d91588cf598e7b616e3d3f37a0c9e4
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.aarch64.rpm SHA-256: c9bac388bcce589a3a4c3d4cbe9e1c1278d91588cf598e7b616e3d3f37a0c9e4
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.aarch64.rpm SHA-256: 80bc078e276519c0b4a6afa920f344e08827bf1a04e6597ac821c0d54b747d7c

Red Hat Enterprise Linux for Power 9 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
ppc64le
mod_auth_mellon-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: f863f5c303836eb12ae1f7e52f099237bae3950a79c0ab5ce1b9cf8ea7aa69f7
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: 1ef22f0de45e3b2df6f8b3b26e89a3d99b09c3ea3f57766aa64d47dfbc129e3d
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.ppc64le.rpm SHA-256: efb21c78914b2c556e4fce2df6f887e0417fbcca4a9e9f3076d810cc963d6137

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
x86_64
mod_auth_mellon-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 3877a62d83219303048414223c56504c34067f649110549f2fbb127f7427531e
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 721236b704048938286bde8122b41e92a0897754ced8222028f15650f768a53a
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.x86_64.rpm SHA-256: 8f1d38cb72311ad87683d19cc4506f2f556299e49df9ad427fd0ec43f06af9ff

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
mod_auth_mellon-0.14.0-2.el7_6.4.src.rpm SHA-256: 4c06720c0307320e102af15a72608fc680b01178b86135d48447878e4c2d3ccb
s390x
mod_auth_mellon-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e4eb79d3ee21aa7b82732387fd97e4b0d309d95dd6bbc7244a9f2b73018db15d
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-debuginfo-0.14.0-2.el7_6.4.s390x.rpm SHA-256: e993f7ac666a84469373095ff9c49f982ff0caf808bc7d7323fee4e48c15b547
mod_auth_mellon-diagnostics-0.14.0-2.el7_6.4.s390x.rpm SHA-256: 2568cf489b8c4cdd3f062645dfedffcaf270eb92e7b2bbbb5b986f41b470a6a2

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.