Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libapache2-mod-auth-mellon. The upload contains fixes for two security issues; it is a new upstream release that contains only these fixes. unblock libapache2-mod-auth-mellon/0.14.2-1 Thanks, Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c --- libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c 2018-07-25 10:19:25.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c 2019-03-20 07:29:16.000000000 +0000 @@ -927,6 +927,13 @@ "Control character detected in URL."); return HTTP_BAD_REQUEST; } + if (*i == '\\') { + /* Reject backslash character, as it can be used to bypass + * redirect URL validation. */ + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, + "Backslash character detected in URL."); + return HTTP_BAD_REQUEST; + } } return OK; diff -Nru libapache2-mod-auth-mellon-0.14.1/configure libapache2-mod-auth-mellon-0.14.2/configure --- libapache2-mod-auth-mellon-0.14.1/configure 2019-02-11 07:40:35.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/configure 2019-03-21 13:58:52.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.1. +# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.2. # # Report bugs to <olav.mor...@uninett.no>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='mod_auth_mellon' PACKAGE_TARNAME='mod_auth_mellon' -PACKAGE_VERSION='0.14.1' -PACKAGE_STRING='mod_auth_mellon 0.14.1' +PACKAGE_VERSION='0.14.2' +PACKAGE_STRING='mod_auth_mellon 0.14.2' PACKAGE_BUGREPORT='olav.mor...@uninett.no' PACKAGE_URL='' @@ -1262,7 +1262,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_mellon 0.14.1 to adapt to many kinds of systems. +\`configure' configures mod_auth_mellon 0.14.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
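Review bot: The new check `if (*i == '\\')` compares the byte as stored in the string, so it rejects the encoded `%5c` form described in NEWS only if the caller has percent-decoded the URL before this loop runs; the hunk does not show where that decoding happens, and the precondition should be written down next to the check. A comment such as `/* Assumes the caller has already percent-decoded the URL; an encoded backslash is not detected here. */` above the `if` would make the dependency visible to whoever next changes the call site. The enclosing validation function starts outside the hunk, so the loop bounds and the type of `i` are not visible here.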
@@ -1324,7 +1324,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_mellon 0.14.1:";; + short | recursive ) echo "Configuration of mod_auth_mellon 0.14.2:";; esac cat <<\_ACEOF @@ -1431,7 +1431,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_mellon configure 0.14.1 +mod_auth_mellon configure 0.14.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1779,7 +1779,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_mellon $as_me 0.14.1, which was +It was created by mod_auth_mellon $as_me 0.14.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3098,7 +3098,7 @@ -NAMEVER=mod_auth_mellon-0.14.1 +NAMEVER=mod_auth_mellon-0.14.2 @@ -4879,7 +4879,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_mellon $as_me 0.14.1, which was +This file was extended by mod_auth_mellon $as_me 0.14.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4941,7 +4941,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mod_auth_mellon config.status 0.14.1 +mod_auth_mellon config.status 0.14.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libapache2-mod-auth-mellon-0.14.1/configure.ac libapache2-mod-auth-mellon-0.14.2/configure.ac --- libapache2-mod-auth-mellon-0.14.1/configure.ac 2019-02-11 07:26:49.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/configure.ac 2019-03-21 13:58:35.000000000 +0000 
@@ -1,4 +1,4 @@ -AC_INIT([mod_auth_mellon],[0.14.1],[olav.mor...@uninett.no]) +AC_INIT([mod_auth_mellon],[0.14.2],[olav.mor...@uninett.no]) AC_CONFIG_HEADERS([config.h]) # We require support for C99. diff -Nru libapache2-mod-auth-mellon-0.14.1/debian/changelog libapache2-mod-auth-mellon-0.14.2/debian/changelog --- libapache2-mod-auth-mellon-0.14.1/debian/changelog 2019-02-11 08:44:03.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/debian/changelog 2019-03-22 12:10:11.000000000 +0000 @@ -1,3 +1,11 @@ +libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high + + * New upstream security release. (closes: #925197) + - Auth bypass when used with reverse proxy [CVE-2019-3878] + - Open redirect vulnerability in logout [CVE-2019-3877] + + -- Thijs Kinkhorst <th...@debian.org> Fri, 22 Mar 2019 12:10:11 +0000 + libapache2-mod-auth-mellon (0.14.1-1) unstable; urgency=medium [ Thijs Kinkhorst ] diff -Nru libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c --- libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 2018-01-18 17:32:59.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c 2019-03-20 07:29:50.000000000 +0000 @@ -207,6 +207,12 @@ static void register_hooks(apr_pool_t *p) { + /* Our handler needs to run before mod_proxy so that it can properly + * return ECP AuthnRequest messages when running as a reverse proxy. + * See: https://github.com/Uninett/mod_auth_mellon/pull/196 + */ + static const char * const run_handler_before[]={ "mod_proxy.c", NULL }; + ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE); 
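Review bot: The added declaration `static const char * const run_handler_before[]={ "mod_proxy.c", NULL };` lacks the spacing used by the surrounding file and should read `static const char * const run_handler_before[] = { "mod_proxy.c", NULL };`. The array is only consumed by the `ap_hook_handler` call in the following hunk at `@@ -222,7 +228,7 @@`, so the two hunks must be read together to see the change. The comment cites the upstream pull request but not the issue it closes; the changelog in this same upload ties it to CVE-2019-3878, so adding `/* CVE-2019-3878 */` to the comment would make the intent greppable.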
@@ -222,7 +228,7 @@ * Therefore this hook must run before any handler that may check * r->handler and decide that it is the only handler for this URL. */ - ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST); + ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST); #ifdef ENABLE_DIAGNOSTICS ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE); diff -Nru libapache2-mod-auth-mellon-0.14.1/NEWS libapache2-mod-auth-mellon-0.14.2/NEWS --- libapache2-mod-auth-mellon-0.14.1/NEWS 2019-02-11 07:26:04.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/NEWS 2019-03-21 13:58:27.000000000 +0000 
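Review bot: The changed call `ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);` passes the module list as the third parameter, which in the Apache hook API is `aszSucc` (modules that must run after this hook); the local name `run_handler_before` is correct from am_handler's point of view but is easy to misread as the `aszPre` list. A one-line comment at the call, `/* aszSucc: mod_proxy's handler is ordered after am_handler */`, would remove the ambiguity. As the NEWS entry on this page states, this ordering only resolves the tie between handlers registered at the same priority, so it presumably relies on mod_proxy also registering at APR_HOOK_FIRST; worth noting in the same comment. register_hooks continues outside the hunk.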
@@ -1,3 +1,48 @@ +Version 0.14.2 +--------------------------------------------------------------------------- + +Security fixes: + +* [CVE-2019-3878] Authentication bypass when Apache is used as a + reverse proxy + + If Apache is configured as a reverse proxy with mod_auth_mellon for + authentication, the authentication can be bypassed by adding SAML + 2.0 ECP headers to the request. + + This vulnerability affects mod_auth_mellon 0.11.0 and newer. + + This vulnerability is due to both mod_auth_mellon and mod_proxy + registering as handlers for the requests, with the same + priority. When mod_auth_mellon handles the request first, it will + trigger a ECP authentication request. If mod_proxy handles it first, + it will forward it to the backend server. + + Which module handles it first depends on the order modules are + loaded by Apache. + + This vulnerability is fixes by specifically registering that the + mod_auth_mellon handler should run before mod_proxy. + + Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this + vulnerability. + +* [CVE-2019-3877] Redirect URL validation bypass + + Version 0.14.1 and older of mod_auth_mellon allows the redirect URL + validation to be bypassed by specifying an URL with backslashes + instead of forward slashes. Browsers silently convert backslashes to + forward slashes, which allows an attacker to bypass the redirect URL + validation by using `%5c` in the ReturnTo-parameter. E.g.: + + https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/ + + This version fixes that issue by rejecting all URLs with + backslashes. + + Thanks to Eric Chamberland for discovering this vulnerability. + + Version 0.14.1 ---------------------------------------------------------------------------