Your message dated Fri, 22 Mar 2019 12:34:15 +0000
with message-id <e1h7jnh-000178...@fasolo.debian.org>
and subject line Bug#925197: fixed in libapache2-mod-auth-mellon 0.14.2-1
has caused the Debian Bug report #925197,
regarding libapache2-mod-auth-mellon: CVE-2019-3878: authentication bypass in
ECP flow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
925197: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925197
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Version: 0.14.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Uninett/mod_auth_mellon/pull/196
Control: found -1 0.12.0-2
Hi,
The following vulnerability was published for libapache2-mod-auth-mellon.
CVE-2019-3878[0]:
authentication bypass in ECP flow
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-3878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1576719
[2] https://github.com/Uninett/mod_auth_mellon/pull/196
[3] https://github.com/Uninett/mod_auth_mellon/commit/e09a28a30e13e5c22b481010f26b4a7743a09280
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Source-Version: 0.14.2-1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-mellon, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated
libapache2-mod-auth-mellon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 22 Mar 2019 12:10:11 +0000
Source: libapache2-mod-auth-mellon
Binary: libapache2-mod-auth-mellon libapache2-mod-auth-mellon-dbgsym
Architecture: source amd64
Version: 0.14.2-1
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
libapache2-mod-auth-mellon - SAML 2.0 authentication module for Apache
Closes: 925197
Changes:
libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
.
* New upstream security release. (closes: #925197)
- Auth bypass when used with reverse proxy [CVE-2019-3878]
- Open redirect vulnerability in logout [CVE-2019-3877]
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---