From 7655506afa52ec285d59f9f1fd790d75462647f9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 08:49:21 +0000 Subject: import mod_auth_mellon-0.14.0-11.el8 --- diff --git a/SOURCES/0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch b/SOURCES/0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch new file mode 100644 index 0000000..7f5971a --- /dev/null +++ b/SOURCES/0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch @@ -0,0 +1,49 @@ +From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001 +From: Olav Morken +Date: Wed, 25 Jul 2018 12:19:39 +0200 +Subject: [PATCH] Fix incorrect header used for detecting AJAX requests + +The code was looking for "X-Request-With", but the header is actually +"X-Requested-With". As far as I can tell, it has always been the +latter, at least in the jQuery source code. + +Fixes issue #174. +--- + README.md | 2 +- + auth_mellon_handler.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/README.md b/README.md +index 0a91dc5..8d85b43 100644 +--- a/README.md ++++ b/README.md +@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off + # then we will redirect him to the login page of the IdP. + # + # There is a special handling of AJAX requests, that are +- # identified by the "X-Request-With: XMLHttpRequest" HTTP ++ # identified by the "X-Requested-With: XMLHttpRequest" HTTP + # header. Since no user interaction can happen there, + # we always fail unauthenticated (not logged in) requests + # with a 403 Forbidden error without redirecting to the IdP. +diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c +index b16dc45..e33e6e9 100644 +--- a/auth_mellon_handler.c ++++ b/auth_mellon_handler.c +@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r) + * If this is an AJAX request, we cannot proceed to the IdP, + * Just fail early to save our resources + */ +- ajax_header = apr_table_get(r->headers_in, "X-Request-With"); ++ ajax_header = apr_table_get(r->headers_in, "X-Requested-With"); + if (ajax_header != NULL && + strcmp(ajax_header, "XMLHttpRequest") == 0) { + AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r, +- "Deny unauthenticated X-Request-With XMLHttpRequest " ++ "Deny unauthenticated X-Requested-With XMLHttpRequest " + "(AJAX) request"); + return HTTP_FORBIDDEN; + } +-- +2.20.1 + diff --git a/SOURCES/0005-CVE_2019_13038.patch b/SOURCES/0005-CVE_2019_13038.patch new file mode 100644 index 0000000..f04a4e4 --- /dev/null +++ b/SOURCES/0005-CVE_2019_13038.patch @@ -0,0 +1,28 @@ +From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001 +From: Valentin +Date: Fri, 6 Sep 2019 13:30:36 +0300 +Subject: [PATCH] Update auth_mellon_mode.c + +Fix open redirect CVE-2019-13038 +--- + auth_mellon_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/auth_mellon_util.c b/auth_mellon_util.c +index fd442f9..7dff61e 100644 +--- a/auth_mellon_util.c ++++ b/auth_mellon_util.c +@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url) + + /* Sanity check of the scheme of the domain. We only allow http and https. */ + if (uri.scheme) { ++ /* http and https schemes without hostname are invalid. */ ++ if (!uri.hostname) { ++ return HTTP_BAD_REQUEST; ++ } + if (strcasecmp(uri.scheme, "http") + && strcasecmp(uri.scheme, "https")) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, +-- +2.21.0 + diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec index d1ad732..f8398aa 100644 --- a/SPECS/mod_auth_mellon.spec +++ b/SPECS/mod_auth_mellon.spec @@ -1,7 +1,7 @@ Summary: A SAML 2.0 authentication module for the Apache Httpd Server Name: mod_auth_mellon Version: 0.14.0 -Release: 9%{?dist} +Release: 11%{?dist} Group: System Environment/Daemons Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: auth_mellon.conf @@ -25,6 +25,8 @@ Url: https://github.com/UNINETT/mod_auth_mellon Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch +Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch +Patch0005: 0005-CVE_2019_13038.patch # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However, # I could not get asciidoc to render properly so instead I generated @@ -42,6 +44,8 @@ received in assertions generated by a IdP server. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build export APXS=%{_httpd_apxs} @@ -112,6 +116,15 @@ in the doc directory for instructions on using the diagnostics build. %attr(0755,apache,apache) %dir /run/%{name}/ %changelog +* Fri Oct 18 2019 Jakub Hrozek - 0.14.0-11 +- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect + via the login?ReturnTo= substring which could + facilitate information theft [rhel-8] + +* Fri Oct 18 2019 Jakub Hrozek - 0.14.0-10 +- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name + X-Requested-With + * Thu Jun 13 2019 Jakub Hrozek - 0.14.0-9 - Just bump the release number - Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product