Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Question: SAML Response XML Handling

theWizK opened this issue · comments

I'm curious if anyone has investigated mod_auth_mellon to identify if the XML handling of SAML responses is vulnerable to the class of attacks outlined in these articles:

https://www.kb.cert.org/vuls/id/475445
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Obviously, assuming the IdP you're configured to use is not mitigating the vulnerability on their side. It sounds like mitigations on the IdP side may or may not keep you safe depending on a number of scenarios and configurable details on either side...

Thanks.
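For readers checking their own service provider against the comment-in-NameID issue the linked articles describe, the following Python snippet is an added illustration, not code from mod_auth_mellon (which is C on top of lasso) or from the issue author. It uses a constructed assertion fragment in which an XML comment splits the NameID text into two DOM text nodes, shows how a first-text-node extractor and a concatenate-all-text extractor (the view a comment-stripping canonicalization signs) disagree, and gives a strict extractor that a service provider can run after signature verification to refuse any NameID that is not a single text node.

```python
"""Added example (not mod_auth_mellon code): a NameID whose text is split by an
XML comment yields different values depending on how the SP reads the DOM.
The SAML fragments below are constructed for illustration only."""
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed fragment: the comment splits the NameID into two text nodes.
# Exclusive C14N without comments signs the full string; a parser that reads
# only the first text node returns a shorter, different identity.
SPLIT_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject>'
    '<saml:NameID>alice@example.com<!--x-->.attacker.example</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
)

# Constructed fragment: the normal case, a single text node.
CLEAN_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
)


def _name_id_element(xml_text):
    """Return the single saml:NameID element, or fail if there is not exactly one."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    return nodes[0]


def naive_name_id(xml_text):
    """First-text-node extraction: the fragile pattern the linked articles discuss."""
    el = _name_id_element(xml_text)
    first = el.firstChild
    if first is None or first.nodeType != first.TEXT_NODE:
        return ""
    return first.data


def canonical_name_id(xml_text):
    """Concatenate every text node, skipping comments: the value a
    comment-stripping canonicalization covers with the signature."""
    el = _name_id_element(xml_text)
    return "".join(c.data for c in el.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_is_single_text_node(xml_text):
    """True only if the NameID holds exactly one text node and nothing else
    (no comments, no child elements)."""
    children = _name_id_element(xml_text).childNodes
    return len(children) == 1 and children[0].nodeType == children[0].TEXT_NODE


def strict_name_id(xml_text):
    """Defensive extractor: refuse any NameID that is not a single text node,
    so the value the SP acts on can never differ from the signed value."""
    if not name_id_is_single_text_node(xml_text):
        raise ValueError("NameID must be a single text node; rejecting assertion")
    return _name_id_element(xml_text).firstChild.data


if __name__ == "__main__":
    print("naive:    ", naive_name_id(SPLIT_ASSERTION))
    print("canonical:", canonical_name_id(SPLIT_ASSERTION))
    print("well-formed NameID?", name_id_is_single_text_node(SPLIT_ASSERTION))
```

The strict extractor is the simpler of the two mitigations: rather than trying to reproduce the canonicalizer's view of the text, it rejects any assertion whose NameID is not plain text, which an IdP never emits legitimately. Running the script shows the naive reading returning `alice@example.com` while the signed string is `alice@example.com.attacker.example`, the discrepancy that this class of attacks relies on.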