Your message dated Mon, 27 Jan 2020 14:43:18 +0000
with message-id <[email protected]>
and subject line Bug#931265: fixed in libapache2-mod-auth-mellon 0.15.0-1
has caused the Debian Bug report #931265,
regarding libapache2-mod-auth-mellon: CVE-2019-13038
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931265
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Version: 0.14.2-1
Severity: important
Tags: security upstream
Hi,

The following vulnerability was published for libapache2-mod-auth-mellon.

CVE-2019-13038[0]:
| mod_auth_mellon through 0.14.2 has an Open Redirect via the
| login?ReturnTo= substring, as demonstrated by omitting the // after
| http: in the target URL.

See [1] for more information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13038
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13038
[1] https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
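Added example, not part of the bug report and not mod_auth_mellon's own code: a Python illustration of the ReturnTo check the CVE text describes, showing a validator that compares the host only when the parser reports one, beside a stricter check that refuses a scheme without a host. The host name `sp.example.org`, the function names and the sample values are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption: host name of the protected site (constructed value).
ALLOWED_HOSTS = {"sp.example.org"}


def naive_is_safe(return_to: str) -> bool:
    """Flawed check: compares the host only when the parser reports one."""
    parts = urlsplit(return_to)
    if parts.netloc:
        return parts.hostname in ALLOWED_HOSTS
    # urlsplit("http:other.example/x") has scheme "http" and an empty netloc,
    # so the form named in the CVE text is taken for a local path here.
    return True


def strict_is_safe(return_to: str) -> bool:
    """Accept a local absolute path or an http(s) URL on an allowed host."""
    # Backslashes and control characters are refused before parsing
    # (general hardening added for this example).
    if any(ch == "\\" or ord(ch) < 0x20 for ch in return_to):
        return False
    parts = urlsplit(return_to)
    if parts.scheme:
        # A scheme must come with an allowed host; "http:" without "//"
        # has no host and is rejected.
        return (parts.scheme in ("http", "https")
                and parts.hostname in ALLOWED_HOSTS)
    # No scheme: only a single leading slash counts as a local path.
    return return_to.startswith("/") and not return_to.startswith("//")


# Constructed ReturnTo values for the comparison.
SAMPLES = [
    "/protected/page?x=1",
    "https://sp.example.org/app",
    "https://other.example/",
    "//other.example/",
    "http:other.example/landing",
]


def compare(values=SAMPLES):
    """Return (value, naive verdict, strict verdict) for each sample."""
    return [(v, naive_is_safe(v), strict_is_safe(v)) for v in values]


if __name__ == "__main__":
    for value, naive, strict in compare():
        print(f"{value!r:32} naive={naive!s:5} strict={strict}")
```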
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Source-Version: 0.15.0-1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-mellon, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated
libapache2-mod-auth-mellon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 Jan 2020 10:41:36 +0000
Source: libapache2-mod-auth-mellon
Architecture: source
Version: 0.15.0-1
Distribution: unstable
Urgency: medium
Maintainer: Thijs Kinkhorst <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Closes: 931265 931562
Changes:
 libapache2-mod-auth-mellon (0.15.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes security issue CVE-2019-13038 (closes: #931265).
   * Build with diagnostics enabled; this can be switched on at
     runtime with the Apache directives MellonDiagnosticsEnable and
     MellonDiagnosticsFile (closes: #931562).
   * Relocated upstream, updated URLs and copyrights.
   * Packaging cleanups: change section to HTTPD, bump debhelper
     level to 12, standards-version to 4.5.0.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---