Package: libapache2-mod-auth-mellon / 0.17.0-1+deb11u1

Metadata

Package: libapache2-mod-auth-mellon
Version: 0.17.0-1+deb11u1
Patches format: 3.0 (quilt)

Patch series

Patch: CVE-2021-3639.patch
File delta: auth_mellon_util.c | 10 (+10, -0)
1 file changed, 10 insertions(+)

 [PATCH] Prevent redirect to URLs that begin with '///'

Visiting a logout URL like this:
    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
would have redirected the user to fishing-site.example.com

With the patch, this URL would be rejected.

Fixes: CVE-2021-3639
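The commit message above describes the failure mode (a ReturnTo value beginning with '///' that sends the user to another host) and the fix (reject such values). The C function below is an added, self-contained example of a post-logout redirect-target check written for this page; it is not the mod_auth_mellon patch and does not describe how auth_mellon_util.c implements the check. It generalizes the page's '///' case: any leading run of two or more slashes (or a slash followed by a backslash, which browsers normalise to '//') is treated as scheme-relative and rejected, and absolute URLs are accepted only when they are https and point back at the caller-supplied host. The function name, the `our_host` parameter and the sample URLs are assumptions constructed for the example; the first sample is the URL quoted in the commit message.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes; stops early at the first
 * mismatch, so a shorter NUL-terminated `a` never reads past its end. */
static bool ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Decide whether `url` may be used as a post-logout redirect target for the
 * site whose hostname is `our_host` (hypothetical check, not the module's own).
 * Accepted:
 *   - a path-relative target: exactly one leading '/' (e.g. "/logout.html")
 *   - an absolute https:// URL whose host equals `our_host` (port allowed)
 * Rejected: empty/NULL, "//host", "///host", "/\host", other schemes, foreign hosts.
 */
bool is_safe_return_to(const char *url, const char *our_host)
{
    if (url == NULL || our_host == NULL || url[0] == '\0')
        return false;

    /* A second '/' makes the reference scheme-relative ("//host", "///host"),
     * so the browser leaves the site; a backslash is normalised to '/'. */
    if (url[0] == '/')
        return url[1] != '/' && url[1] != '\\';

    /* Absolute target: only https, and only back to our own host. */
    static const char scheme[] = "https://";
    const size_t slen = sizeof(scheme) - 1;
    if (strlen(url) < slen || !ci_equal_n(url, scheme, slen))
        return false;

    /* The authority ends at the first ':' (port), '/', '?' or '#'. Anything
     * unusual inside it ("ours@evil", "ours\evil", "ours.evil") simply fails
     * the exact host comparison below. */
    const char *host = url + slen;
    size_t hlen = strcspn(host, ":/?#");
    if (hlen == 0 || hlen != strlen(our_host))
        return false;
    return ci_equal_n(host, our_host, hlen);
}

int main(void)
{
    /* Constructed sample targets; the first is the URL from the commit message. */
    const char *our_host = "rp.example.co.jp";
    const char *samples[] = {
        "///fishing-site.example.com/logout.html",
        "//fishing-site.example.com/",
        "/\\fishing-site.example.com/",
        "/logout.html",
        "https://rp.example.co.jp/logout.html",
        "https://rp.example.co.jp.evil.example/",
        "http://rp.example.co.jp/",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-45s -> %s\n", samples[i],
               is_safe_return_to(samples[i], our_host) ? "allow" : "reject");
    }
    return 0;
}
```

Comparing the whole hostname, rather than checking a prefix, is what rejects the "ours@evil" and "ours.evil" variants; a check that only counted leading slashes would still pass an absolute URL to a foreign host.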