New Search

RHSA-2014:1803 -- mod_auth_mellon security update (Important)

oval:org.mitre.oval:def:28374

mod_auth_mellon provides a SAML 2.0 authentication module for the Apache HTTP Server. An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to sessions overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session. (CVE-2014-8566) It was found that uninitialized data could be read when processing a user's logout request. By attempting to log out a user could possibly cause the Apache HTTP Server to crash. (CVE-2014-8567) Red Hat would like to thank the mod_auth_mellon team for reporting these issues. Upstream acknowledges Matthew Slowe as the original reporter of CVE-2014-8566. All users of mod_auth_mellon are advised to upgrade to this updated package which contains a backported patch to correct these issues.

Family:
unix
Status:
ACCEPTED
Platform(s):
  • CentOS Linux 6
  • Red Hat Enterprise Linux 6
Class:
patch
Reference(s):
  • RHSA-2014:1803
  • CESA-2014:1803
  • CVE-2014-8566
  • CVE-2014-8567
Product(s):
  • mod_auth_mellon