Your message dated Thu, 18 Apr 2024 12:05:41 +0000
with message-id <[email protected]>
and subject line Bug#1064183: fixed in libapache2-mod-auth-openidc 2.4.15.7-1
has caused the Debian Bug report #1064183,
regarding libapache2-mod-auth-openidc: CVE-2024-24814
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1064183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libapache2-mod-auth-openidc.
CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| 99999999, the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
https://www.cve.org/CVERecord?id=CVE-2024-24814
[1]
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2]
https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.15.7-1
Done: Moritz Schlarb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated
libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Apr 2024 13:46:00 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.15.7-1
Distribution: unstable
Urgency: medium
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 1064183
Changes:
libapache2-mod-auth-openidc (2.4.15.7-1) unstable; urgency=medium
.
[ Hans Zandbelt ]
* update to OpenIDC Github repository/organization
.
[ Moritz Schlarb ]
* Bump Standards-Version
* New upstream version 2.4.15.7
* CVE-2024-24814: Missing input validation on
mod_auth_openidc_session_chunks
cookie value made the server vulnerable to a Denial of Service (DoS)
attack. If an attacker manipulated the value of the OpenIDC cookie to a
very large integer like 99999999, the server struggled with the request
for
a long time and finally returned a 500 error. Making a few requests of
this
kind caused servers to become unresponsive, and so attackers could
thereby
craft requests that would make the server work very hard and/or crash
with
minimal effort. (Closes: #1064183)
Checksums-Sha1:
99e38667e5cbf3d57bdfa894f4591cf5a0a13e2c 2303
libapache2-mod-auth-openidc_2.4.15.7-1.dsc
7a3b80e65f4243fb7a958a262ac8d08e0473d09d 317784
libapache2-mod-auth-openidc_2.4.15.7.orig.tar.gz
cf9be9c7cbf4030844f47fd1c1ad1c0f0a78e76b 7588
libapache2-mod-auth-openidc_2.4.15.7-1.debian.tar.xz
997920d4d6f2ffb1d3f752c2efa7c3c815b1cc39 8866
libapache2-mod-auth-openidc_2.4.15.7-1_amd64.buildinfo
Checksums-Sha256:
eb67c0732a7d4f059da9234eb8460004852b069836c3b42a57b47de46f2ff344 2303
libapache2-mod-auth-openidc_2.4.15.7-1.dsc
672a7a483f28314372e33ad48a501c5cb8aac40c5a9c921ea962e7e2c11ab807 317784
libapache2-mod-auth-openidc_2.4.15.7.orig.tar.gz
0eee50cf955f1c07c05071945c14a841df83f09b6beb49131b0ae2bfbac7865d 7588
libapache2-mod-auth-openidc_2.4.15.7-1.debian.tar.xz
cade656c2a13892b465472aa06f2cdcc419dd3259688bee919d5f400679926c6 8866
libapache2-mod-auth-openidc_2.4.15.7-1_amd64.buildinfo
Files:
2185caf1e85847bb9382070f358002d8 2303 httpd optional
libapache2-mod-auth-openidc_2.4.15.7-1.dsc
1161b07162a9b930dd3f0bc9bec05a9f 317784 httpd optional
libapache2-mod-auth-openidc_2.4.15.7.orig.tar.gz
f671e9c783143c4e158784cf55065af0 7588 httpd optional
libapache2-mod-auth-openidc_2.4.15.7-1.debian.tar.xz
d1ca7a5fec5a63fd93d417204e764639 8866 httpd optional
libapache2-mod-auth-openidc_2.4.15.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJKBAEBCgA0FiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmYhCHAWHHNjaGxhcmJt
QHVuaS1tYWluei5kZQAKCRAMJLhBx926r0FMEACqE3ut/RuQjCMoeT+sUkMfWqOy
9I33i5HKbWWGrNcjx1a91SckGEFHkDiR+SfoyTNAF7aJ1FvAeXKPTJjH58DKXAa4
eQG+ti0KedQEoN5l5kUyR1922Vl6nIFlMoQ0K+f0evdHQQ/CIja3DUZOPiIb879W
az+rpIZv1PFjuF+MDmkl50/ysoj8QjT+M98e3M3D9Nh2iSREainYMWH4oHpKuUfP
PGcZa8NeOfPY4hoG8fN61nzWiXMaNX8bQQJ7h5xX2sHYvKb+syKgrTOFyi+uzaWI
evgrdytz2NLCHiTw/lc6VFAF0jg2sn5YIcr3Td25TJPJFfZf3uCVPZs7xjGGAr5Q
HezmbkzBevKULNin2DFhKVhnDYW5fZXpRpO/boGuLvoli9DVOU8N1My9c+1x9A3i
45VX7OmShN2bm6G4i+Kw9C3hGntVuzVggF1GVyGBFhlZ2J+sDlkiStEnaE4o2h3W
kKuMs4IyQB29xvRWb3kbxPnoo6fyiZJczPPck/YgTZppOnQKd+oP4ox0POmFo2aY
w7+3rOrG7kv5G3Zi2yXJBKZiNdV+/Es+PQ88UtrVl7e+AyNNQGuyKSfCmIz4wH4+
xQwTEPNE6EB77VjVovuj8d3QMCFI0Wc0p5hucF0wrbX6PPnXMyvpyCHqUCt8UBEj
csbkQZki9ZpyPVHi0w==
=TsXQ
-----END PGP SIGNATURE-----
pgpyNvVRwtqkb.pgp
Description: PGP signature
--- End Message ---