Your message dated Fri, 29 Mar 2019 01:19:50 +0000
with message-id <e1h9gbs-0007fb...@fasolo.debian.org>
and subject line Bug#925197: fixed in libapache2-mod-auth-mellon 0.12.0-2+deb9u1
has caused the Debian Bug report #925197,
regarding libapache2-mod-auth-mellon: CVE-2019-3878: authentication bypass in
ECP flow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
925197: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925197
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Version: 0.14.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Uninett/mod_auth_mellon/pull/196
Control: found -1 0.12.0-2
Hi,
The following vulnerability was published for libapache2-mod-auth-mellon.
CVE-2019-3878[0]:
authentication bypass in ECP flow
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-3878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1576719
[2] https://github.com/Uninett/mod_auth_mellon/pull/196
[3] https://github.com/Uninett/mod_auth_mellon/commit/e09a28a30e13e5c22b481010f26b4a7743a09280
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-mellon
Source-Version: 0.12.0-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-mellon, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated
libapache2-mod-auth-mellon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 23 Mar 2019 13:29:19 +0000
Source: libapache2-mod-auth-mellon
Binary: libapache2-mod-auth-mellon
Architecture: source amd64
Version: 0.12.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
libapache2-mod-auth-mellon - SAML 2.0 authentication module for Apache
Closes: 925197
Changes:
libapache2-mod-auth-mellon (0.12.0-2+deb9u1) stretch-security; urgency=high
.
* Upload to stable-security (closes: #925197)
- Auth bypass when used with reverse proxy [CVE-2019-3878]
- Open redirect vulnerability in logout [CVE-2019-3877]
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---