Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I propose this upload to bullseye to fix a relatively minor security issue (open redirect) in libapache2-mod-auth-mellon. The changes have already been in sid and bookworm for some time.

Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/changelog libapache2-mod-auth-mellon-0.17.0/debian/changelog --- libapache2-mod-auth-mellon-0.17.0/debian/changelog 2020-09-08 12:56:41.000000000 +0200 +++ libapache2-mod-auth-mellon-0.17.0/debian/changelog 2022-12-06 20:12:37.000000000 +0100 @@ -1,3 +1,10 @@ +libapache2-mod-auth-mellon (0.17.0-1+deb11u1) bullseye; urgency=medium + + * Upload to fix security issue: + - Open redirect in logout endpoint (CVE-2021-3639) + + -- Thijs Kinkhorst <th...@debian.org> Tue, 06 Dec 2022 20:12:37 +0100 + libapache2-mod-auth-mellon (0.17.0-1) unstable; urgency=medium * New upstream release. diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch --- libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 2022-12-06 20:12:37.000000000 +0100 
@@ -0,0 +1,44 @@ +From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001 +From: AIMOTO Norihito <aim...@osstech.co.jp> +Date: Tue, 6 Jul 2021 22:57:24 +0200 +Subject: [PATCH] Prevent redirect to URLs that begin with '///' + +Visiting a logout URL like this: + https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html +would have redirected the user to fishing-site.example.com + +With the patch, this URL would be rejected. + +Fixes: CVE-2021-3639 +--- + auth_mellon_util.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/auth_mellon_util.c b/auth_mellon_util.c +index 2f8c9c3..6a686db 100644 +--- a/auth_mellon_util.c ++++ b/auth_mellon_util.c +@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url) + { + const char *i; + ++ if (url == NULL) { ++ return HTTP_BAD_REQUEST; ++ } ++ + for (i = url; *i; i++) { + if (*i >= 0 && *i < ' ') { + /* Deny all control-characters. */ +@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url) + } + } + ++ if (strstr(url, "///") == url) { ++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, ++ "URL starts with '///'"); ++ return HTTP_BAD_REQUEST; ++ } ++ + return OK; + } + diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/series libapache2-mod-auth-mellon-0.17.0/debian/patches/series --- libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2020-01-27 14:32:39.000000000 +0100 +++ libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2022-12-06 20:12:37.000000000 +0100 @@ -0,0 +1 @@ +CVE-2021-3639.patch
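Review bot: in the first auth_mellon_util.c hunk (@@ -927,6 +927,10 @@), the new `if (url == NULL)` guard returns HTTP_BAD_REQUEST silently, whereas the '///' rejection added later in the same function logs through AM_LOG_RERROR before returning the same status; for consistent diagnostics, consider adding `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, "URL is NULL");` before the return so an operator reading the error log can tell a missing ReturnTo apart from a rejected one.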
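Review bot: in the second auth_mellon_util.c hunk (@@ -943,6 +947,12 @@), `strstr(url, "///") == url` is being used as a prefix test; it reads as a substring search and scans the whole URL when the prefix is absent, so `strncmp(url, "///", 3) == 0` expresses the intent stated in the log message ("URL starts with '///'") directly. The check does not depend on the control-character loop above it, so it could equally be placed before that loop to reject the scheme-relative form before any per-character work; either order produces the same result, so this is a style point only.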