It was reported that users could receive a predictable session cookie in some cases. This would typically only occur if the server was under very high memory pressure. This could be used to hijack another user's session.
Red Hat would like to thank the mod_auth_mellon team for reporting this issue.
CVE-2014-8566 is not the correct CVE for this issue. In fact, this issue did not receive a CVE, and is related to the following:
It was decided that this could not be used for an attack to force a predictable session cookie to be used.
This bug may be fixed in a future upstream mod_auth_mellon release. Closing for now.