Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2-mod_auth_openidc.16271 for openSUSE:Leap:15.2:Update checked in at 2021-05-16 06:04:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/apache2-mod_auth_openidc.16271 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.apache2-mod_auth_openidc.16271.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc.16271"

Sun May 16 06:04:58 2021 rev:1 rq:892598 version:2.3.8

Changes:
--------
New Changes file:

--- /dev/null	2021-04-29 10:03:23.520854754 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.apache2-mod_auth_openidc.16271.new.2988/apache2-mod_auth_openidc.changes	2021-05-16 06:04:59.417382422 +0200
@@ -0,0 +1,88 @@ +------------------------------------------------------------------- +Thu Apr 1 13:09:02 UTC 2021 - pgaj...@suse.com + +- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726] + +------------------------------------------------------------------- +Wed Mar 4 14:07:52 UTC 2020 - Kristyna Streitova <kstreit...@suse.com> + +- add apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch to fix + open redirect issue that exists in URLs with a slash and + backslash at the beginning [bsc#1164459], [CVE-2019-20479] + +------------------------------------------------------------------- +Wed Oct 30 11:35:12 UTC 2019 - Kristyna Streitova <kstreit...@suse.com> + +- add apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch to fix + open redirect issue that exists in URLs with trailing slashes + [bsc#1153666], [CVE-2019-14857] + +------------------------------------------------------------------- +Fri Nov 9 16:38:07 UTC 2018 - kstreit...@suse.com + +- submission to SLE15SP1 because of fate#324447 +- build with hiredis only for openSUSE where hiredis is available +- add a version for jansson BuildRequires + +------------------------------------------------------------------- +Tue Oct 30 11:04:27 UTC 2018 - kstreit...@suse.com + +- update to 2.3.8 +- changes in 2.3.8 + * fix return result FALSE when JWT payload parsing fails + * add LGTM code quality badges + * fix 3 LGTM alerts + * improve auto-detection of XMLHttpRequests via Accept header + * initialize test_proto_authorization_request properly + * add sanity check on provider->auth_request_method + * allow usage with LibreSSL + * don't return content with 503 since it will turn the HTTP + status code into a 200 + * add option to set an upper limit to the number of concurrent + state cookies via OIDCStateMaxNumberOfCookies + * make the default maximum number of parallel state cookies + 7 instead of unlimited + * fix using access token as endpoint auth method in + introspection calls + * fix reading 
access_token form POST parameters when combined + with `AuthType auth-openidc` +- changes in 2.3.7 + * abort when string length for remote user name substitution + is larger than 255 characters + * fix Redis concurrency issue when used with multiple vhosts + * add support for authorization server metadata with + OIDCOAuthServerMetadataURL as in RFC 8414 + * refactor session object creation + * clear session cookie and contents if cache corruption is detected + * use apr_pstrdup when setting r->user + * reserve 255 characters in remote username substition instead of 50 +- changes in 2.3.6 + * add check to detect session cache corruption for server-based + caches and cached static metadata + * avoid using pipelining for Redis + * send Basic header in OAuth www-authenticate response if that's + the only accepted method; thanks @puiterwijk + * refactor Redis cache backend to solve issues on AUTH errors: + a) memory leak and b) redisGetReply lagging behind + * adjust copyright year/org + * fix buffer overflow in shm cache key set strcpy + * turn missing session_state from warning into a debug statement + * fix missing "return" on error return from the OP + * explicitly set encryption kid so we're compatible with + cjose >= 0.6.0 +- changes in 2.3.5 + * fix encoding of preserved POST data + * avoid buffer overflow in shm cache key construction + * compile with with Libressl + +------------------------------------------------------------------- +Fri Apr 27 13:39:45 UTC 2018 - vci...@suse.com + +- update to 2.3.4 +- requested in fate#323817 + +------------------------------------------------------------------- +Wed Dec 13 11:19:58 UTC 2017 - christof.ha...@mpcdf.mpg.de + +- initial packaging + New: ---- apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch apache2-mod_auth_openidc.changes apache2-mod_auth_openidc.spec v2.3.8.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: 
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
#
# spec file for package apache2-mod_auth_openidc
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)

Name:           apache2-mod_auth_openidc
Version:        2.3.8
Release:        0
Summary:        Apache2.x module for an OpenID Connect enabled Identity Provider
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
URL:            https://github.com/zmartzone/mod_auth_openidc/
Source:         https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
Patch0:         apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch
Patch1:         apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch
BuildRequires:  apache-rpm-macros
BuildRequires:  apache2-devel
BuildRequires:  autoconf
BuildRequires:  automake
%if 0%{?suse_version} >= 1550
BuildRequires:  hiredis-devel
%endif
BuildRequires:  libtool
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(cjose) >= 0.4.1
BuildRequires:  pkgconfig(jansson) >= 2.0
BuildRequires:  pkgconfig(libcurl)
BuildRequires:  pkgconfig(libpcre)
BuildRequires:  pkgconfig(openssl) >= 1.0.1
Requires:       %{apache_mmn}
Requires:       %{apache_suse_maintenance_mmn}

%description
This module enables an Apache 2.x web server to operate as an OpenID Connect
Relying Party and/or OAuth 2.0 Resource Server.

%prep
%setup -q -n mod_auth_openidc-%{version}
%patch0 -p1
%patch1 -p1

%build
./autogen.sh
%configure \
%if 0%{?is_opensuse} > 0
  %{?_with_hiredis} \
%else
  %{?_without_hiredis} \
%endif

make %{?_smp_mflags}

%install
install -D -m0755 src/.libs/mod_auth_openidc.so %{buildroot}%{apache_libexecdir}/mod_auth_openidc.so

%files
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_auth_openidc.so

%changelog

++++++ apache2-mod_auth_openidc-2.3.8-CVE-2019-14857.patch ++++++
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -2618,6 +2618,62 @@ static int oidc_handle_logout_request(re return HTTP_MOVED_TEMPORARILY; } +static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, + char **err_str, char **err_desc) { + apr_uri_t uri; + const char *c_host = NULL; + + if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { + *err_str = apr_pstrdup(r->pool, "Malformed URL"); + *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } + + c_host = oidc_get_current_url_host(r); + if ((uri.hostname != NULL) + && ((strstr(c_host, uri.hostname) == NULL) + || (strstr(uri.hostname, c_host) == NULL))) { + *err_str = apr_pstrdup(r->pool, "Invalid Request"); + *err_desc = + apr_psprintf(r->pool, + "logout value \"%s\" does not match the hostname of the current request \"%s\"", + apr_uri_unparse(r->pool, &uri, 0), c_host); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) { + *err_str = apr_pstrdup(r->pool, "Malformed URL"); + *err_desc = + apr_psprintf(r->pool, + "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s", + url); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) { + *err_str = apr_pstrdup(r->pool, "Malformed URL"); + *err_desc = + apr_psprintf(r->pool, + "No hostname was parsed and starting with '//': %s", + url); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } + + /* validate the URL to prevent HTTP header splitting */ + if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) { + *err_str = apr_pstrdup(r->pool, "Invalid Request"); + *err_desc = + apr_psprintf(r->pool, + "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)", + url); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } + + return TRUE; +} + + /* * perform (single) logout */ 
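Review bot: the hostname comparison in the new oidc_validate_post_logout_url, `(strstr(c_host, uri.hostname) == NULL) || (strstr(uri.hostname, c_host) == NULL)`, passes only when each string contains the other, which is case-sensitive string equality written in a roundabout way; a plain strcasecmp(c_host, uri.hostname) states the intent directly and treats host names case-insensitively as DNS does, so a reader does not have to convince themselves that a one-directional substring match (a host name that merely contains the current host) cannot slip through. Two smaller points in the same hunk: the relative-URL branches `strstr(url, "/") != url` and `strstr(url, "//") == url` are prefix tests and read more clearly as `url[0] != '/'` and `strncmp(url, "//", 2) == 0`; and the header-splitting message `"contains illegal \"\n\" or \"\r\" character(s)"` embeds real CR/LF characters, so the oidc_error log line and the rendered error page contain a literal line break instead of the escape names, which `\\n` / `\\r` in the format string would fix. Note also that only the host name is compared, not scheme or port, so an absolute logout URL on the same host but a different scheme or port is accepted; if that is intended it deserves a sentence in the changelog.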
@@ -2626,6 +2682,9 @@ static int oidc_handle_logout(request_re /* pickup the command or URL where the user wants to go after logout */ char *url = NULL; + char *error_str = NULL; + char *error_description = NULL; + oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, &url); oidc_debug(r, "enter (url=%s)", url); 
@@ -2641,44 +2700,11 @@ static int oidc_handle_logout(request_re } else { /* do input validation on the logout parameter value */ - - const char *error_description = NULL; - apr_uri_t uri; - - if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { - const char *error_description = apr_psprintf(r->pool, - "Logout URL malformed: %s", url); - oidc_error(r, "%s", error_description); - return oidc_util_html_send_error(r, c->error_template, - "Malformed URL", error_description, - HTTP_INTERNAL_SERVER_ERROR); - - } - - const char *c_host = oidc_get_current_url_host(r); - if ((uri.hostname != NULL) - && ((strstr(c_host, uri.hostname) == NULL) - || (strstr(uri.hostname, c_host) == NULL))) { - error_description = - apr_psprintf(r->pool, - "logout value \"%s\" does not match the hostname of the current request \"%s\"", - apr_uri_unparse(r->pool, &uri, 0), c_host); - oidc_error(r, "%s", error_description); - return oidc_util_html_send_error(r, c->error_template, - "Invalid Request", error_description, - HTTP_INTERNAL_SERVER_ERROR); - } - - /* validate the URL to prevent HTTP header splitting */ - if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) { - error_description = - apr_psprintf(r->pool, - "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)", - url); - oidc_error(r, "%s", error_description); - return oidc_util_html_send_error(r, c->error_template, - "Invalid Request", error_description, - HTTP_INTERNAL_SERVER_ERROR); + if (oidc_validate_post_logout_url(r, url, &error_str, + &error_description) == FALSE) { + return oidc_util_html_send_error(r, c->error_template, error_str, + error_description, + HTTP_BAD_REQUEST); } } ++++++ apache2-mod_auth_openidc-2.3.8-CVE-2019-20479.patch ++++++ >From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001 
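Review bot: this hunk changes the status returned for every rejected logout value from HTTP_INTERNAL_SERVER_ERROR to HTTP_BAD_REQUEST. 400 is the right code for a client-supplied parameter that fails validation, but it is a visible behaviour change that neither the .changes entry for CVE-2019-14857 nor the patch header mentions, so add a line to the changelog. The refactor also removes the inner `const char *error_description` declaration in the malformed-URL branch that shadowed the outer one, which is a welcome cleanup; since `error_str` and `error_description` are only set when oidc_validate_post_logout_url returns FALSE, the call site correctly consults them only on that path.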
From: AIMOTO NORIHITO <aim...@osstech.co.jp> Date: Tue, 12 Nov 2019 17:09:23 +0900 Subject: [PATCH] Fix open redirect starting with a slash and backslash --- SUSE Bug 1164459 - (CVE-2019-20479) --- src/mod_auth_openidc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c index 2467a42..b47a697 100644 --- a/src/mod_auth_openidc.c +++ b/src/mod_auth_openidc.c @@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, url); oidc_error(r, "%s: %s", *err_str, *err_desc); return FALSE; + } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) { + *err_str = apr_pstrdup(r->pool, "Malformed URL"); + *err_desc = + apr_psprintf(r->pool, + "No hostname was parsed and starting with '/\\': %s", + url); + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; } /* validate the URL to prevent HTTP header splitting */
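Review bot: the new branch only rejects a value that begins with exactly the two characters `/\`, and it is added as a separate `else if` after the `//` branch, so the two scheme-relative cases (a browser treats a leading slash-backslash like a double slash, which is the open redirect this commit fixes) are handled in two places with near-identical messages; fold them into one test on the second character, `url[0] == '/' && (url[1] == '/' || url[1] == '\\')`, so any further variant is added in one spot. Separately, this is the upstream commit 2d20c58 taken against a newer tree: its header `@@ -3063,6 +3063,14 @@` points at line 3063, while the first patch inserts oidc_validate_post_logout_url around line 2618 of the 2.3.8 source, so the hunk applies only with an offset; rebasing the line numbers to 2.3.8 keeps `patch -p1` quiet. A regression test that feeds `//`, `/\` and a plain single-slash relative path through the validator would document the behaviour both patches enforce.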