Hi both Moritz!

On Fri, Oct 18, 2019 at 09:33:47AM +0200, Moritz Mühlenhoff wrote:
> On Wed, Oct 16, 2019 at 11:19:36AM +0200, Moritz Schlarb wrote:
> > Hi everyone,
> >
> > I have prepared a backport of the patches for the version packaged in
> > Buster:
> > https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375
> >
> > If you deem necessary and sufficient, please release as a security
> > update or otherwise I'll try to get it in in proposed-updates.
> >
> > Regards,
> > Moritz (another one)
>
> Hi fellow Moritz,
> the target of the open redirect is under control of the IDP that the user
> logged into, while a malicious IDP could do much more harm to a user
> (like arbitrarily rejecting/terminating sessions etc). So I think we can
> certainly fix this via a point release, but I don't think this warrants
> a DSA.
>
> But maybe I'm missing something, so please let me know if you disagree!
Following the above, I have now marked the issue as no-dsa in the security-tracker.

Moritz (Schlarb), can you prepare updates for the upcoming point release? For buster 10.2, happening tomorrow, it is clearly too late.

Regards,
Salvatore