Your message dated Sat, 23 Mar 2019 15:56:40 +0000
with message-id <20190323155640.ga30...@powdarrmonkey.net>
and subject line Re: Bug#925345: unblock: libapache2-mod-auth-mellon/0.14.2-1
has caused the Debian Bug report #925345,
regarding unblock: libapache2-mod-auth-mellon/0.14.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
925345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925345
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libapache2-mod-auth-mellon

The upload contains fixes for two security issues; it is a new
upstream that only contains these fixes.

unblock libapache2-mod-auth-mellon/0.14.2-1

Thanks,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c 
libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c
--- libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c        2018-07-25 
10:19:25.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c        2019-03-20 
07:29:16.000000000 +0000
@@ -927,6 +927,13 @@
                           "Control character detected in URL.");
             return HTTP_BAD_REQUEST;
         }
+        if (*i == '\\') {
+            /* Reject backslash character, as it can be used to bypass
+             * redirect URL validation. */
+            AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "Backslash character detected in URL.");
+            return HTTP_BAD_REQUEST;
+        }
     }
 
     return OK;
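Review bot: The new `if (*i == '\\')` test compares against a literal backslash, while the NEWS entry in this same upload describes the bypass as using the percent-encoded form `%5c` in the ReturnTo parameter; please confirm that the string walked here is the decoded URL (or that the caller decodes before calling this validation), otherwise an encoded backslash would not be caught by this check. Placing the test after the control-character check and reusing the same AM_LOG_RERROR / HTTP_BAD_REQUEST pattern is consistent with the surrounding code.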
diff -Nru libapache2-mod-auth-mellon-0.14.1/configure 
libapache2-mod-auth-mellon-0.14.2/configure
--- libapache2-mod-auth-mellon-0.14.1/configure 2019-02-11 07:40:35.000000000 
+0000
+++ libapache2-mod-auth-mellon-0.14.2/configure 2019-03-21 13:58:52.000000000 
+0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.1.
+# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.2.
 #
 # Report bugs to <olav.mor...@uninett.no>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='mod_auth_mellon'
 PACKAGE_TARNAME='mod_auth_mellon'
-PACKAGE_VERSION='0.14.1'
-PACKAGE_STRING='mod_auth_mellon 0.14.1'
+PACKAGE_VERSION='0.14.2'
+PACKAGE_STRING='mod_auth_mellon 0.14.2'
 PACKAGE_BUGREPORT='olav.mor...@uninett.no'
 PACKAGE_URL=''
 
@@ -1262,7 +1262,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_auth_mellon 0.14.1 to adapt to many kinds of 
systems.
+\`configure' configures mod_auth_mellon 0.14.2 to adapt to many kinds of 
systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1324,7 +1324,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_auth_mellon 0.14.1:";;
+     short | recursive ) echo "Configuration of mod_auth_mellon 0.14.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1431,7 +1431,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_auth_mellon configure 0.14.1
+mod_auth_mellon configure 0.14.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1779,7 +1779,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_auth_mellon $as_me 0.14.1, which was
+It was created by mod_auth_mellon $as_me 0.14.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3098,7 +3098,7 @@
 
 
 
-NAMEVER=mod_auth_mellon-0.14.1
+NAMEVER=mod_auth_mellon-0.14.2
 
 
 
@@ -4879,7 +4879,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mod_auth_mellon $as_me 0.14.1, which was
+This file was extended by mod_auth_mellon $as_me 0.14.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4941,7 +4941,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mod_auth_mellon config.status 0.14.1
+mod_auth_mellon config.status 0.14.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru libapache2-mod-auth-mellon-0.14.1/configure.ac 
libapache2-mod-auth-mellon-0.14.2/configure.ac
--- libapache2-mod-auth-mellon-0.14.1/configure.ac      2019-02-11 
07:26:49.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/configure.ac      2019-03-21 
13:58:35.000000000 +0000
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.14.1],[olav.mor...@uninett.no])
+AC_INIT([mod_auth_mellon],[0.14.2],[olav.mor...@uninett.no])
 AC_CONFIG_HEADERS([config.h])
 
 # We require support for C99.
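Review bot: The AC_INIT bump to 0.14.2 is consistent with the regenerated configure hunks above (PACKAGE_VERSION, PACKAGE_STRING, NAMEVER and the help/version strings); those hunks carry no change beyond the version identifier, which matches the claim that this upstream release contains only the two security fixes.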
diff -Nru libapache2-mod-auth-mellon-0.14.1/debian/changelog 
libapache2-mod-auth-mellon-0.14.2/debian/changelog
--- libapache2-mod-auth-mellon-0.14.1/debian/changelog  2019-02-11 
08:44:03.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/changelog  2019-03-22 
12:10:11.000000000 +0000
@@ -1,3 +1,11 @@
+libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
+
+  * New upstream security release. (closes: #925197)
+    - Auth bypass when used with reverse proxy [CVE-2019-3878]
+    - Open redirect vulnerability in logout [CVE-2019-3877]
+
+ -- Thijs Kinkhorst <th...@debian.org>  Fri, 22 Mar 2019 12:10:11 +0000
+
 libapache2-mod-auth-mellon (0.14.1-1) unstable; urgency=medium
 
   [ Thijs Kinkhorst ]
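Review bot: The `closes: #925197` reference and the two CVE identifiers (CVE-2019-3878, CVE-2019-3877) match the NEWS hunk later in this diff, and urgency=high is appropriate for a security-only upstream release; no issue with this entry.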
diff -Nru libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 
libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c
--- libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 2018-01-18 
17:32:59.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c 2019-03-20 
07:29:50.000000000 +0000
@@ -207,6 +207,12 @@
 
 static void register_hooks(apr_pool_t *p)
 {
+    /* Our handler needs to run before mod_proxy so that it can properly
+     * return ECP AuthnRequest messages when running as a reverse proxy.
+     * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+     */
+    static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
     ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
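Review bot: Style point on `run_handler_before[]={ "mod_proxy.c", NULL };`: the surrounding code puts spaces around `=`, so `run_handler_before[] = { "mod_proxy.c", NULL };` would match. Declaring the array `static const` inside register_hooks is the right choice, since the pointer is handed to the hook registration below and hook ordering is resolved later at startup rather than at the call. Note that the constraint identifies mod_proxy by its source file name `"mod_proxy.c"`, which is how Apache's hook-ordering API names modules, so only that module is covered.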
@@ -222,7 +228,7 @@
      * Therefore this hook must run before any handler that may check
      * r->handler and decide that it is the only handler for this URL.
      */
-    ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+    ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
 
 #ifdef ENABLE_DIAGNOSTICS
     ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
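Review bot: The third argument of ap_hook_handler is the successor list (handlers that must run after this one), so passing `run_handler_before` here orders am_handler ahead of mod_proxy irrespective of LoadModule order; the name reads naturally, but the comment added in the previous hunk could state explicitly that this is the successor list to avoid confusion with a predecessor list. The pre-existing comment ("this hook must run before any handler that may check r->handler") still relies on APR_HOOK_FIRST alone for every other module: only mod_proxy.c is now pinned, so any other module that registers a request-forwarding handler at APR_HOOK_FIRST would need the same explicit ordering.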
diff -Nru libapache2-mod-auth-mellon-0.14.1/NEWS 
libapache2-mod-auth-mellon-0.14.2/NEWS
--- libapache2-mod-auth-mellon-0.14.1/NEWS      2019-02-11 07:26:04.000000000 
+0000
+++ libapache2-mod-auth-mellon-0.14.2/NEWS      2019-03-21 13:58:27.000000000 
+0000
@@ -1,3 +1,48 @@
+Version 0.14.2
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-3878] Authentication bypass when Apache is used as a
+  reverse proxy
+
+  If Apache is configured as a reverse proxy with mod_auth_mellon for
+  authentication, the authentication can be bypassed by adding SAML
+  2.0 ECP headers to the request.
+
+  This vulnerability affects mod_auth_mellon 0.11.0 and newer.
+
+  This vulnerability is due to both mod_auth_mellon and mod_proxy
+  registering as handlers for the requests, with the same
+  priority. When mod_auth_mellon handles the request first, it will
+  trigger a ECP authentication request. If mod_proxy handles it first,
+  it will forward it to the backend server.
+
+  Which module handles it first depends on the order modules are
+  loaded by Apache.
+
+  This vulnerability is fixes by specifically registering that the
+  mod_auth_mellon handler should run before mod_proxy.
+
+  Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this
+  vulnerability.
+
+* [CVE-2019-3877] Redirect URL validation bypass
+
+  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
+  validation to be bypassed by specifying an URL with backslashes
+  instead of forward slashes. Browsers silently convert backslashes to
+  forward slashes, which allows an attacker to bypass the redirect URL
+  validation by using `%5c` in the ReturnTo-parameter. E.g.:
+
+    
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
+
+  This version fixes that issue by rejecting all URLs with
+  backslashes.
+
+  Thanks to Eric Chamberland for discovering this vulnerability.
+
+
 Version 0.14.1
 ---------------------------------------------------------------------------
 
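Review bot: Wording fixes for the new NEWS text: "trigger a ECP authentication request" should read "an ECP", "This vulnerability is fixes by" should read "is fixed by", and "specifying an URL" should read "a URL". The example logout URL under CVE-2019-3877 has been wrapped across two lines in this mailing, so it no longer reads as the single indented line it presumably is in the file; worth checking the file itself rather than this rendering. The CVE-2019-3878 description attributes the bypass to handler ordering depending on module load order, which matches the mod_auth_mellon.c hunks that pin am_handler before mod_proxy.c.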

--- End Message ---
--- Begin Message ---
On Sat, Mar 23, 2019 at 03:00:06PM +0100, Thijs Kinkhorst wrote:
> Please unblock package libapache2-mod-auth-mellon
> 
> The upload contains fixes for two security issues; it is a new
> upstream that only contains these fixes.

Unblocked; thanks.


-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
