Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2022:1934: Red Hat Security Advisory: mod_auth_mellon security update

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-3639: mod_auth_mellon: Open Redirect vulnerability in logout URLs
Red Hat Security Data
Open in Source
#vulnerability#linux#red_hat#apache#auth#ibm#sap

Synopsis

Moderate: mod_auth_mellon security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for mod_auth_mellon is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server.

Security Fix(es):

  • mod_auth_mellon: Open Redirect vulnerability in logout URLs (CVE-2021-3639)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

  • BZ - 1980648 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

Red Hat Enterprise Linux for x86_64 8

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

x86_64

mod_auth_mellon-0.14.0-12.el8.1.x86_64.rpm

SHA-256: ece5b4e2defe7789125c833a529e441325c9e4cc4e3696af38f4a706f67fb2cd

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 890f5a235bd5fc1f1199142b5279b87e36c3c1e2f42c854af7f8f9c937cd4185

mod_auth_mellon-debugsource-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 986c598df55cd48769665a92797ae45da372546aba971a11d13679d0e376df1d

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.x86_64.rpm

SHA-256: e46e394c8f27fd7a79d0fdc1b8cf93bc107ee3311fad14ab22d61527eae99c09

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: d9db42e520c69093e4531f422967429eb341e4ae606b7a128f097226b6d9fd81

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

x86_64

mod_auth_mellon-0.14.0-12.el8.1.x86_64.rpm

SHA-256: ece5b4e2defe7789125c833a529e441325c9e4cc4e3696af38f4a706f67fb2cd

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 890f5a235bd5fc1f1199142b5279b87e36c3c1e2f42c854af7f8f9c937cd4185

mod_auth_mellon-debugsource-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 986c598df55cd48769665a92797ae45da372546aba971a11d13679d0e376df1d

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.x86_64.rpm

SHA-256: e46e394c8f27fd7a79d0fdc1b8cf93bc107ee3311fad14ab22d61527eae99c09

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: d9db42e520c69093e4531f422967429eb341e4ae606b7a128f097226b6d9fd81

Red Hat Enterprise Linux Server - AUS 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

x86_64

mod_auth_mellon-0.14.0-12.el8.1.x86_64.rpm

SHA-256: ece5b4e2defe7789125c833a529e441325c9e4cc4e3696af38f4a706f67fb2cd

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 890f5a235bd5fc1f1199142b5279b87e36c3c1e2f42c854af7f8f9c937cd4185

mod_auth_mellon-debugsource-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 986c598df55cd48769665a92797ae45da372546aba971a11d13679d0e376df1d

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.x86_64.rpm

SHA-256: e46e394c8f27fd7a79d0fdc1b8cf93bc107ee3311fad14ab22d61527eae99c09

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: d9db42e520c69093e4531f422967429eb341e4ae606b7a128f097226b6d9fd81

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

s390x

mod_auth_mellon-0.14.0-12.el8.1.s390x.rpm

SHA-256: 34146956c5a308fdfff5d84f9cebac0dd486727b5fe6ebc3254a79a7dfc23294

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.s390x.rpm

SHA-256: 32be902deb094101c456a64b672e7aa4304e55f4d157c90a48dd0abda785d0da

mod_auth_mellon-debugsource-0.14.0-12.el8.1.s390x.rpm

SHA-256: 9d78db238d63514d1ba10e789d8e7d276f89744d76ab99b202aa7e9e09ede499

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.s390x.rpm

SHA-256: 676f3b01ee4d3796441ca3e5a3d87838a3edec0790e5b91976ff8452098b0102

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.s390x.rpm

SHA-256: d3a9d1bcc8061204689e067c09f0a2fcf1eb29dde1bdf8313b2c8141e991333e

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

s390x

mod_auth_mellon-0.14.0-12.el8.1.s390x.rpm

SHA-256: 34146956c5a308fdfff5d84f9cebac0dd486727b5fe6ebc3254a79a7dfc23294

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.s390x.rpm

SHA-256: 32be902deb094101c456a64b672e7aa4304e55f4d157c90a48dd0abda785d0da

mod_auth_mellon-debugsource-0.14.0-12.el8.1.s390x.rpm

SHA-256: 9d78db238d63514d1ba10e789d8e7d276f89744d76ab99b202aa7e9e09ede499

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.s390x.rpm

SHA-256: 676f3b01ee4d3796441ca3e5a3d87838a3edec0790e5b91976ff8452098b0102

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.s390x.rpm

SHA-256: d3a9d1bcc8061204689e067c09f0a2fcf1eb29dde1bdf8313b2c8141e991333e

Red Hat Enterprise Linux for Power, little endian 8

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

ppc64le

mod_auth_mellon-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 3a532d43886ddc1546e1902e4fb71a98d290ec752a0b0ae640c6d8ed6d788a60

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 6a6e86b02acf12eddfcdaeb2b2fbafb3593d279b94e8e9273c7f7d2c713a2351

mod_auth_mellon-debugsource-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 942fbda79941c6a57e959d65cae3502206ecd04cbc5e2be98115506b46948067

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: d0e6bd56a26c09a1eb841a76f0dda4244a1898d42f892dac0cf57cbb7a1cea56

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: c0e7a58aa0ec093cf79586d950c919df69e99e7f0d7fa9fff458bbbc4183f10b

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

ppc64le

mod_auth_mellon-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 3a532d43886ddc1546e1902e4fb71a98d290ec752a0b0ae640c6d8ed6d788a60

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 6a6e86b02acf12eddfcdaeb2b2fbafb3593d279b94e8e9273c7f7d2c713a2351

mod_auth_mellon-debugsource-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 942fbda79941c6a57e959d65cae3502206ecd04cbc5e2be98115506b46948067

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: d0e6bd56a26c09a1eb841a76f0dda4244a1898d42f892dac0cf57cbb7a1cea56

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: c0e7a58aa0ec093cf79586d950c919df69e99e7f0d7fa9fff458bbbc4183f10b

Red Hat Enterprise Linux Server - TUS 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

x86_64

mod_auth_mellon-0.14.0-12.el8.1.x86_64.rpm

SHA-256: ece5b4e2defe7789125c833a529e441325c9e4cc4e3696af38f4a706f67fb2cd

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 890f5a235bd5fc1f1199142b5279b87e36c3c1e2f42c854af7f8f9c937cd4185

mod_auth_mellon-debugsource-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 986c598df55cd48769665a92797ae45da372546aba971a11d13679d0e376df1d

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.x86_64.rpm

SHA-256: e46e394c8f27fd7a79d0fdc1b8cf93bc107ee3311fad14ab22d61527eae99c09

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: d9db42e520c69093e4531f422967429eb341e4ae606b7a128f097226b6d9fd81

Red Hat Enterprise Linux for ARM 64 8

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

aarch64

mod_auth_mellon-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 0928b4482714e0e0de9433f678d0b5d714cc4278c7e5a0a596c23e8d3c31932d

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 95a11e4d00596bca359651fd8b4fddae79e76da190d5bf07e73c099cac20fea2

mod_auth_mellon-debugsource-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 2d33afaa84b3ed18dfc1865e0b2a7cc7626edf61cca10c7267bc3994c9981a62

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.aarch64.rpm

SHA-256: e067e8ae3059575c89493675f1c5fe337c8f0b50a8639e919683391fa0974eec

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 8c26430f69b3f2072dae60a06bc268b43255e7b3a3073a11afe905ee92eb15ef

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

aarch64

mod_auth_mellon-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 0928b4482714e0e0de9433f678d0b5d714cc4278c7e5a0a596c23e8d3c31932d

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 95a11e4d00596bca359651fd8b4fddae79e76da190d5bf07e73c099cac20fea2

mod_auth_mellon-debugsource-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 2d33afaa84b3ed18dfc1865e0b2a7cc7626edf61cca10c7267bc3994c9981a62

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.aarch64.rpm

SHA-256: e067e8ae3059575c89493675f1c5fe337c8f0b50a8639e919683391fa0974eec

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.aarch64.rpm

SHA-256: 8c26430f69b3f2072dae60a06bc268b43255e7b3a3073a11afe905ee92eb15ef

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

ppc64le

mod_auth_mellon-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 3a532d43886ddc1546e1902e4fb71a98d290ec752a0b0ae640c6d8ed6d788a60

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 6a6e86b02acf12eddfcdaeb2b2fbafb3593d279b94e8e9273c7f7d2c713a2351

mod_auth_mellon-debugsource-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: 942fbda79941c6a57e959d65cae3502206ecd04cbc5e2be98115506b46948067

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: d0e6bd56a26c09a1eb841a76f0dda4244a1898d42f892dac0cf57cbb7a1cea56

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.ppc64le.rpm

SHA-256: c0e7a58aa0ec093cf79586d950c919df69e99e7f0d7fa9fff458bbbc4183f10b

Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions 8.6

SRPM

mod_auth_mellon-0.14.0-12.el8.1.src.rpm

SHA-256: 9801cd0001e8984cddd739513443851b08d774335b41bc9c8308b3d7467452d7

x86_64

mod_auth_mellon-0.14.0-12.el8.1.x86_64.rpm

SHA-256: ece5b4e2defe7789125c833a529e441325c9e4cc4e3696af38f4a706f67fb2cd

mod_auth_mellon-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 890f5a235bd5fc1f1199142b5279b87e36c3c1e2f42c854af7f8f9c937cd4185

mod_auth_mellon-debugsource-0.14.0-12.el8.1.x86_64.rpm

SHA-256: 986c598df55cd48769665a92797ae45da372546aba971a11d13679d0e376df1d

mod_auth_mellon-diagnostics-0.14.0-12.el8.1.x86_64.rpm

SHA-256: e46e394c8f27fd7a79d0fdc1b8cf93bc107ee3311fad14ab22d61527eae99c09

mod_auth_mellon-diagnostics-debuginfo-0.14.0-12.el8.1.x86_64.rpm

SHA-256: d9db42e520c69093e4531f422967429eb341e4ae606b7a128f097226b6d9fd81

Related news

CVE-2021-3639: Invalid Bug ID

A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.

Red Hat Security Advisory 2022-4690-01

Red Hat Security Advisory 2022-4690-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a spoofing vulnerability.

RHSA-2022:4690: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.5 in openshift-gitops-argocd container. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24904: argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server * CVE-2022-24905: argocd: Login screen allows message spoofing if SSO is enabled * CVE-2022-29165: argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled

Red Hat Security Advisory 2022-1934-01

Red Hat Security Advisory 2022-1934-01 - The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Issues addressed include an open redirection vulnerability.

Red Hat Security Data: Latest News

RHSA-2023:5627: Red Hat Security Advisory: kernel security, bug fix, and enhancement update
Red Hat Security Data