mod_auth_mellon provides a SAML 2.0 authentication module for the Apache HTTP Server. A flaw was found that could result in sessions overlapping in memory. A remote attacker could use this flaw to leak memory that possibly contains sensitive information.
Note that it is not totally clear to me that memory is disclosed remotely, it certainly is discolosed to local applications in apache variables.
However such a leak could result in disclosures if the right vartiables are affect, also segfaults have been reported, so perhaps even exploitable in some cases.
Red Hat would like to thank the mod_auth_mellon team for reporting this issue. Upstream acknowledges Matthew Slowe as the original reporter.
Issue is public now:
(In reply to Murray McAllister from comment #0)
> mod_auth_mellon provides a SAML 2.0 authentication module for the Apache
> HTTP Server. A flaw was found that could result in sessions overlapping in
> memory. A remote attacker could use this flaw to leak memory that possibly
> contains sensitive information.
Upstream describes this issue as:
It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)
An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html
Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.