Dear Security Team,

regarding fixing this in Bullseye (https://salsa.debian.org/debian/libapache2-mod-auth-openidc/-/compare/769c3920203e7c64f6ff9456ee6858ac0cb034f0...a8e821213ac28ca0909ca4f1bf512de5e35f90fa):

Shall I upload this to security or proposed-updates?

Best regards,
Moritz

On 03.04.23 22:38, Salvatore Bonaccorso wrote:
Source: libapache2-mod-auth-openidc
Version: 2.4.12.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2023-28625[0]:
| mod_auth_openidc is an authentication and authorization module for the
| Apache 2.x HTTP server that implements the OpenID Connect Relying
| Party functionality. In versions 2.0.0 through 2.4.13.1, when
| `OIDCStripCookies` is set and a crafted cookie supplied, a NULL
| pointer dereference would occur, resulting in a segmentation fault.
| This could be used in a Denial-of-Service attack and thus presents an
| availability risk. Version 2.4.13.2 contains a patch for this issue.
| As a workaround, avoid using `OIDCStripCookies`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28625
    https://www.cve.org/CVERecord?id=CVE-2023-28625
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
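The advisory quoted above ties exposure to two conditions at once: an upstream version in the range 2.0.0 through 2.4.13.1, and an active `OIDCStripCookies` directive in the Apache configuration. The following triage script is an added example, not part of this thread and not code from the Debian package or from mod_auth_openidc; it checks both conditions against a Debian package version string and a configuration fragment, and applies the advisory's workaround (disabling the directive) by commenting it out. The sample vhost fragment is constructed for the example. Caveat: the version check only sees the upstream version, so a Debian build that carries the fix as a backported patch without changing the upstream version (as a Bullseye security upload would) will still be reported as in range; for such builds the Debian security tracker entry, not this script, is authoritative.

```python
import re

# Affected range taken from the CVE-2023-28625 advisory text quoted in the thread:
# 2.0.0 through 2.4.13.1 inclusive, fixed in 2.4.13.2.
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (2, 4, 13, 2)

# Apache directive names are case-insensitive; capture the argument list.
DIRECTIVE = re.compile(r"^\s*OIDCStripCookies\b(.*)$", re.IGNORECASE)

# Constructed sample vhost fragment (assumption for this example, not a real deployment).
SAMPLE_CONF = """\
# constructed sample vhost fragment, not from any real deployment
<Location /protected>
    AuthType openid-connect
    Require valid-user
    # an earlier attempt that was commented out, so it must not count
    #OIDCStripCookies mod_auth_openidc_session
    OIDCStripCookies mod_auth_openidc_session other_cookie
</Location>
"""


def upstream_version(debian_version):
    """Drop the Debian epoch and revision: '1:2.4.12.3-1+deb11u1' -> '2.4.12.3'."""
    v = debian_version.split(":", 1)[-1]
    return v.split("-", 1)[0]


def version_tuple(v):
    """'2.4.12.3' -> (2, 4, 12, 3); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def in_affected_range(debian_version):
    """True when the upstream part of the version falls in [2.0.0, 2.4.13.2)."""
    return FIRST_AFFECTED <= version_tuple(upstream_version(debian_version)) < FIRST_FIXED


def strip_cookies_directives(config_text):
    """Return (line number, cookie names) for every active, uncommented
    OIDCStripCookies directive in the configuration text."""
    found = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.append((n, m.group(1).split()))
    return found


def is_exposed(debian_version, config_text):
    """Exposure needs both conditions from the advisory: an affected version
    and OIDCStripCookies actually configured. Either alone is not enough."""
    return in_affected_range(debian_version) and bool(strip_cookies_directives(config_text))


def apply_workaround(config_text):
    """The advisory's workaround: stop using OIDCStripCookies. This comments out
    every active directive line, preserving its indentation, so the file still
    parses and the original setting stays visible for restoring after the fix."""
    out = []
    for line in config_text.splitlines(keepends=True):
        if not line.lstrip().startswith("#") and DIRECTIVE.match(line):
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + "# disabled pending CVE-2023-28625 fix: " + line.lstrip()
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for ver in ("2.4.12.3-1", "2.4.13.2-1", "1.8.8-1"):
        print(ver, "exposed" if is_exposed(ver, SAMPLE_CONF) else "not exposed")
    print(apply_workaround(SAMPLE_CONF))
```

On a real host the version string comes from `dpkg-query -W -f '${Version}' libapache2-mod-auth-openidc` and the configuration from the files under /etc/apache2; the script is written against plain strings so it can be run against copied-off config during triage.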