Your message dated Thu, 18 May 2023 20:00:11 +0000
with message-id <[email protected]>
and subject line Bug#1033916: fixed in libapache2-mod-auth-openidc 2.4.9.4-0+deb11u3
has caused the Debian Bug report #1033916,
regarding libapache2-mod-auth-openidc: CVE-2023-28625: segfault DoS when OIDCStripCookies is set
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033916
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.12.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2023-28625[0]:
| mod_auth_openidc is an authentication and authorization module for the
| Apache 2.x HTTP server that implements the OpenID Connect Relying
| Party functionality. In versions 2.0.0 through 2.4.13.1, when
| `OIDCStripCookies` is set and a crafted cookie supplied, a NULL
| pointer dereference would occur, resulting in a segmentation fault.
| This could be used in a Denial-of-Service attack and thus presents an
| availability risk. Version 2.4.13.2 contains a patch for this issue.
| As a workaround, avoid using `OIDCStripCookies`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28625
    https://www.cve.org/CVERecord?id=CVE-2023-28625
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
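As an added example (not code from the bug report, from Debian or from mod_auth_openidc), an exposure check that applies both conditions the advisory states: a package that predates the fix and `OIDCStripCookies` present in the Apache configuration. The dpkg version ordering is re-implemented here, and the sample configuration lines used in testing are constructed; only bullseye's fixed version is known from this page.

```python
# Added example (not code from the bug report or from mod_auth_openidc): is this host exposed
# to CVE-2023-28625? Exposure needs BOTH a pre-fix package AND OIDCStripCookies in use.
import itertools
import re

UPSTREAM_FIXED = "2.4.13.2"                        # advisory: 2.0.0 .. 2.4.13.1 affected
DEBIAN_FIXED = {"bullseye": "2.4.9.4-0+deb11u3"}   # backported fix from the changelog above

def _order(c):
    """dpkg weight of one character inside a non-digit run ('~' sorts before everything)."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg-style fragment comparison (re-implemented): alternate non-digit runs, weighed
    character by character, with numeric runs compared as integers. Returns <0, 0 or >0."""
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)   # [(non-digit run, digit run), ...]
    for (sa, na), (sb, nb) in itertools.zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in itertools.zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def deb_version_cmp(v1, v2):
    """Compare [epoch:]upstream[-revision] strings the way dpkg does; returns -1, 0 or 1."""
    def parts(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = parts(v1), parts(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def strips_cookies(apache_conf):
    """True if any non-comment line sets OIDCStripCookies, the directive that triggers the bug."""
    return any(w and w[0].lower() == "oidcstripcookies"
               for w in (line.split() for line in apache_conf.splitlines()))

def exposed(installed_version, apache_conf, suite=None):
    """Exposed only if the package predates the fix AND the directive is set. Pass the Debian
    suite so the backported fix is used: bullseye's 2.4.9.4-0+deb11u3 is fixed although its
    upstream number is far below 2.4.13.2."""
    fixed = DEBIAN_FIXED.get(suite, UPSTREAM_FIXED)
    return deb_version_cmp(installed_version, fixed) < 0 and strips_cookies(apache_conf)
```

Comparing a Debian package against the upstream fixed version alone misreports a patched bullseye host as vulnerable; the suite argument exists for exactly that reason.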
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.9.4-0+deb11u3
Done: Moritz Schlarb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated libapache2-mod-auth-openidc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 May 2023 12:59:57 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-0+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 1033916
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
 .
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
     segfault DoS when OIDCStripCookies is set
     https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
Files:
 5724f4ca0708c588c01513e294455399 2682 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3.dsc
 21959e96f73545012afec7201f5f46fd 261544 httpd optional libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
 95bf23311f2c90a5c443fc312ffe425a 7324 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3.debian.tar.xz
 c63f440fd9c611be652d00b1000fee32 7193 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3_source.buildinfo


--- End Message ---
