Hello community,

here is the log from the commit of package apache2-mod_auth_openidc.16271 for 
openSUSE:Leap:15.2:Update checked in at 2021-05-16 06:04:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/apache2-mod_auth_openidc.16271 
(Old)
 and      
/work/SRC/openSUSE:Leap:15.2:Update/.apache2-mod_auth_openidc.16271.new.2988 
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc.16271"

Sun May 16 06:04:58 2021 rev:1 rq:892598 version:2.3.8

Changes:
--------
New Changes file:

--- /dev/null   2021-04-29 10:03:23.520854754 +0200
+++ 
/work/SRC/openSUSE:Leap:15.2:Update/.apache2-mod_auth_openidc.16271.new.2988/apache2-mod_auth_openidc.changes
       2021-05-16 06:04:59.417382422 +0200
@@ -0,0 +1,88 @@
+-------------------------------------------------------------------
+Thu Apr  1 13:09:02 UTC 2021 - pgaj...@suse.com
+
+- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]
+
+-------------------------------------------------------------------
+Wed Mar  4 14:07:52 UTC 2020 - Kristyna Streitova <kstreit...@suse.com>
+
+- add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix
+  open redirect issue that exists in URLs with a slash and
+  backslash at the beginning [bsc#1164459], [CVE-2019-20479]
+
+-------------------------------------------------------------------
+Wed Oct 30 11:35:12 UTC 2019 - Kristyna Streitova <kstreit...@suse.com>
+
+- add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix
+  open redirect issue that exists in URLs with trailing slashes
+  [bsc#1153666], [CVE-2019-14857]
+
+-------------------------------------------------------------------
+Fri Nov  9 16:38:07 UTC 2018 - kstreit...@suse.com
+
+- submission to SLE15SP1 because of fate#324447
+- build with hiredis only for openSUSE where hiredis is available
+- add a version for jansson BuildRequires
+
+-------------------------------------------------------------------
+Tue Oct 30 11:04:27 UTC 2018 - kstreit...@suse.com
+
+- update to 2.3.8
+- changes in 2.3.8
+  * fix return result FALSE when JWT payload parsing fails
+  * add LGTM code quality badges
+  * fix 3 LGTM alerts
+  * improve auto-detection of XMLHttpRequests via Accept header
+  * initialize test_proto_authorization_request properly
+  * add sanity check on provider->auth_request_method
+  * allow usage with LibreSSL
+  * don't return content with 503 since it will turn the HTTP
+    status code into a 200
+  * add option to set an upper limit to the number of concurrent
+    state cookies via OIDCStateMaxNumberOfCookies
+  * make the default maximum number of parallel state cookies
+    7 instead of unlimited
+  * fix using access token as endpoint auth method in
+    introspection calls
+  * fix reading access_token form POST parameters when combined
+    with `AuthType auth-openidc`
+- changes in 2.3.7
+  * abort when string length for remote user name substitution
+    is larger than 255 characters
+  * fix Redis concurrency issue when used with multiple vhosts
+  * add support for authorization server metadata with
+    OIDCOAuthServerMetadataURL as in RFC 8414
+  * refactor session object creation
+  * clear session cookie and contents if cache corruption is detected
+  * use apr_pstrdup when setting r->user
+  * reserve 255 characters in remote username substition instead of 50
+- changes in 2.3.6
+  * add check to detect session cache corruption for server-based
+    caches and cached static metadata
+  * avoid using pipelining for Redis
+  * send Basic header in OAuth www-authenticate response if that's
+    the only accepted method; thanks @puiterwijk
+  * refactor Redis cache backend to solve issues on AUTH errors:
+    a) memory leak and b) redisGetReply lagging behind
+  * adjust copyright year/org
+  * fix buffer overflow in shm cache key set strcpy
+  * turn missing session_state from warning into a debug statement
+  * fix missing "return" on error return from the OP
+  * explicitly set encryption kid so we're compatible with
+    cjose >= 0.6.0
+- changes in 2.3.5
+  * fix encoding of preserved POST data
+  * avoid buffer overflow in shm cache key construction
+  * compile with with Libressl
+
+-------------------------------------------------------------------
+Fri Apr 27 13:39:45 UTC 2018 - vci...@suse.com
+
+- update to 2.3.4
+- requested in fate#323817
+
+-------------------------------------------------------------------
+Wed Dec 13 11:19:58 UTC 2017 - christof.ha...@mpcdf.mpg.de
+
+- initial packaging
+

New:
----
  apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch
  apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
  apache2-mod_auth_openidc.changes
  apache2-mod_auth_openidc.spec
  v2.3.8.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
#
# spec file for package apache2-mod_auth_openidc
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


# The Apache module directory is resolved by asking apxs2 through a shell expansion.
%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
Name:           apache2-mod_auth_openidc
Version:        2.3.8
Release:        0
Summary:        Apache2.x module for an OpenID Connect enabled Identity Provider
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
URL:            https://github.com/zmartzone/mod_auth_openidc/
Source:         
https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
# Backported fixes for the two open-redirect issues recorded in the .changes file.
Patch0:         apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch
Patch1:         apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
BuildRequires:  apache-rpm-macros
BuildRequires:  apache2-devel
BuildRequires:  autoconf
BuildRequires:  automake
# hiredis-devel is a build dependency only on distributions newer than SLE-15.
%if 0%{?suse_version} >= 1550
BuildRequires:  hiredis-devel
%endif
BuildRequires:  libtool
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(cjose) >= 0.4.1
BuildRequires:  pkgconfig(jansson) >= 2.0
BuildRequires:  pkgconfig(libcurl)
BuildRequires:  pkgconfig(libpcre)
BuildRequires:  pkgconfig(openssl) >= 1.0.1
Requires:       %{apache_mmn}
Requires:       %{apache_suse_maintenance_mmn}

%description
This module enables an Apache 2.x web server to operate as an OpenID Connect 
Relying Party and/or OAuth 2.0 Resource Server.

%prep
%setup -q -n mod_auth_openidc-%{version}
%patch0 -p1
%patch1 -p1

%build
./autogen.sh
# NOTE(review): the hiredis configure switch below is selected by is_opensuse,
# whereas the hiredis-devel BuildRequires above is gated on suse_version.
# These are different conditions -- confirm they agree on every build target.
%configure \
%if 0%{?is_opensuse} > 0
  %{?_with_hiredis}    \
%else
  %{?_without_hiredis} \
%endif

make %{?_smp_mflags}

%install
# Only the built shared object is installed; no Apache configuration snippet is shipped.
install -D -m0755 src/.libs/mod_auth_openidc.so 
%{buildroot}%{apache_libexecdir}/mod_auth_openidc.so

%files
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_auth_openidc.so

%changelog
++++++ apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch ++++++
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -2618,6 +2618,62 @@ static int oidc_handle_logout_request(re
        return HTTP_MOVED_TEMPORARILY;
 }
 
+static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char 
*url,
+               char **err_str, char **err_desc) {
+       apr_uri_t uri;
+       const char *c_host = NULL;
+
+       if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+               *err_str = apr_pstrdup(r->pool, "Malformed URL");
+               *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", 
url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       }
+
+       c_host = oidc_get_current_url_host(r);
+       if ((uri.hostname != NULL)
+                       && ((strstr(c_host, uri.hostname) == NULL)
+                                       || (strstr(uri.hostname, c_host) == 
NULL))) {
+               *err_str = apr_pstrdup(r->pool, "Invalid Request");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "logout value \"%s\" does not 
match the hostname of the current request \"%s\"",
+                                               apr_uri_unparse(r->pool, &uri, 
0), c_host);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+               *err_str = apr_pstrdup(r->pool, "Malformed URL");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "No hostname was parsed and it 
does not seem to be relative, i.e starting with '/': %s",
+                                               url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+        } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+                *err_str = apr_pstrdup(r->pool, "Malformed URL");
+                *err_desc =
+                                apr_psprintf(r->pool,
+                                                "No hostname was parsed and 
starting with '//': %s",
+                                                url);
+                oidc_error(r, "%s: %s", *err_str, *err_desc);
+                return FALSE;
+       }
+
+       /* validate the URL to prevent HTTP header splitting */
+       if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+               *err_str = apr_pstrdup(r->pool, "Invalid Request");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "logout value \"%s\" contains 
illegal \"\n\" or \"\r\" character(s)",
+                                               url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       }
+
+       return TRUE;
+}
+
+
 /*
  * perform (single) logout
  */
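Review bot: The host comparison `(strstr(c_host, uri.hostname) == NULL) || (strstr(uri.hostname, c_host) == NULL)` accepts only when each string contains the other, which for two C strings is a case-sensitive equality test written in an obscure form; hostnames compare case-insensitively, so `if ((uri.hostname != NULL) && (strcasecmp(c_host, uri.hostname) != 0)) {` states the intent directly, and it should be preceded by a NULL check on `c_host` if `oidc_get_current_url_host` can return NULL, which this hunk does not show. The relative-URL prefix tests `strstr(url, "/") != url` and `strstr(url, "//") == url` read more clearly as `url[0] != '/'` and `strncmp(url, "//", 2) == 0`. The `"//"` branch is indented with spaces while the rest of the function uses tabs.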
@@ -2626,6 +2682,9 @@ static int oidc_handle_logout(request_re
 
        /* pickup the command or URL where the user wants to go after logout */
        char *url = NULL;
+       char *error_str = NULL;
+       char *error_description = NULL;
+
        oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, 
&url);
 
        oidc_debug(r, "enter (url=%s)", url);
@@ -2641,44 +2700,11 @@ static int oidc_handle_logout(request_re
        } else {
 
                /* do input validation on the logout parameter value */
-
-               const char *error_description = NULL;
-               apr_uri_t uri;
-
-               if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
-                       const char *error_description = apr_psprintf(r->pool,
-                                       "Logout URL malformed: %s", url);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Malformed URL", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
-
-               }
-
-               const char *c_host = oidc_get_current_url_host(r);
-               if ((uri.hostname != NULL)
-                               && ((strstr(c_host, uri.hostname) == NULL)
-                                               || (strstr(uri.hostname, 
c_host) == NULL))) {
-                       error_description =
-                                       apr_psprintf(r->pool,
-                                                       "logout value \"%s\" 
does not match the hostname of the current request \"%s\"",
-                                                       
apr_uri_unparse(r->pool, &uri, 0), c_host);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Invalid Request", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
-               }
-
-               /* validate the URL to prevent HTTP header splitting */
-               if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) 
{
-                       error_description =
-                                       apr_psprintf(r->pool,
-                                                       "logout value \"%s\" 
contains illegal \"\n\" or \"\r\" character(s)",
-                                                       url);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Invalid Request", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
+               if (oidc_validate_post_logout_url(r, url, &error_str,
+                               &error_description) == FALSE) {
+                       return oidc_util_html_send_error(r, c->error_template, 
error_str,
+                                       error_description,
+                                       HTTP_BAD_REQUEST);
                }
        }
 
++++++ apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch ++++++
>From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001
From: AIMOTO NORIHITO <aim...@osstech.co.jp>
Date: Tue, 12 Nov 2019 17:09:23 +0900
Subject: [PATCH] Fix open redirect starting with a slash and backslash
---
SUSE Bug 1164459 - (CVE-2019-20479)
---
 src/mod_auth_openidc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 2467a42..b47a697 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -3063,6 +3063,14 @@ static apr_byte_t 
oidc_validate_post_logout_url(request_rec *r, const char *url,
                                                 url);
                 oidc_error(r, "%s: %s", *err_str, *err_desc);
                 return FALSE;
+        } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
+                *err_str = apr_pstrdup(r->pool, "Malformed URL");
+                *err_desc =
+                                apr_psprintf(r->pool,
+                                                "No hostname was parsed and 
starting with '/\\': %s",
+                                                url);
+                oidc_error(r, "%s: %s", *err_str, *err_desc);
+                return FALSE;
        }
 
        /* validate the URL to prevent HTTP header splitting */
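Review bot: The new branch rejects a backslash only at offset 1 of a URL that parsed without a hostname, but browsers treat a backslash as a path separator in http(s) URLs, so the same concern applies to a backslash anywhere in the value. A single rule placed next to the CR/LF check that follows, `if (strchr(url, '\\') != NULL) { *err_str = apr_pstrdup(r->pool, "Invalid Request"); ... return FALSE; }`, covers every such form and is easier to audit than prefix tests added one at a time. This branch also uses spaces for indentation where the surrounding function uses tabs. The rest of `oidc_validate_post_logout_url` lies outside the hunk.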
