Bug 1157955 - mod_auth_mellon: predictable session cookie in rare cases
Summary: mod_auth_mellon: predictable session cookie in rare cases
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1157958 1157959
Blocks: 1157286
Reported: 2014-10-28 06:09 UTC by Murray McAllister
Modified: 2021-02-17 06:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-11-04 01:37:12 UTC


Description Murray McAllister 2014-10-28 06:09:56 UTC
It was reported that users could receive a predictable session cookie in some cases. This would typically only occur if the server was under very high memory pressure. This could be used to hijack another user's session.


Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Murray McAllister 2014-11-04 01:35:33 UTC
CVE-2014-8566 is not the correct CVE for this issue. In fact, this issue did not receive a CVE, and is related to the following:



It was decided that this could not be used for an attack to force a predictable session cookie to be used.

Comment 3 Murray McAllister 2014-11-04 01:37:12 UTC
This bug may be fixed in a future, upstream mod_auth_mellon release. Closing for now.
