[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
The fix seems to have landed in https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/2.4.17-1 for questing

** Changed in: libapache2-mod-auth-openidc (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2106320

Title:
  OIDCProviderAuthRequestMethod POST leaks protected data

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
It seems that's being handled? If so, could someone unsubscribe ~ubuntu-security-sponsors to get it out of the sponsoring report?
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Focal and bionic are both out of standard support at this point, so both should be "won't fix" (ESM may patch separately to this).

** Changed in: libapache2-mod-auth-openidc (Ubuntu Bionic)
       Status: New => Won't Fix
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** Changed in: libapache2-mod-auth-openidc (Ubuntu Focal)
       Status: New => Won't Fix
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Are Focal and Bionic affected? If not, please do mark them as "Invalid" in the tracking table.
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Thanks again Peter for providing the debdiff. We published a security notice for it: https://ubuntu.com/security/notices/USN-7446-1

Also thanks for confirming that focal is affected. I will continue working on it, and whenever it is ready we will do a -2 USN for it.
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.15.7-2ubuntu0.1

---
libapache2-mod-auth-openidc (2.4.15.7-2ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod POST
    - CVE-2025-31492

 -- Eduardo Barretto  Mon, 14 Apr 2025 17:54:52 +0200

** Changed in: libapache2-mod-auth-openidc (Ubuntu Noble)
       Status: Fix Committed => Fix Released
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.11-1ubuntu0.1

---
libapache2-mod-auth-openidc (2.4.11-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod POST
    - CVE-2025-31492

 -- Peter Benie  Tue, 08 Apr 2025 09:46:49 +0100
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.15.1-1ubuntu0.1

---
libapache2-mod-auth-openidc (2.4.15.1-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod POST
    - CVE-2025-31492

 -- Eduardo Barretto  Mon, 14 Apr 2025 19:23:44 +0200

** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
       Status: Fix Committed => Fix Released
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.16.10-1ubuntu1

---
libapache2-mod-auth-openidc (2.4.16.10-1ubuntu1) plucky-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod POST
    - CVE-2025-31492

 -- Eduardo Barretto  Mon, 14 Apr 2025 13:52:48 +0200

** Changed in: libapache2-mod-auth-openidc (Ubuntu Plucky)
       Status: Fix Committed => Fix Released

** Changed in: libapache2-mod-auth-openidc (Ubuntu Oracular)
       Status: Fix Committed => Fix Released
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Hi Peter,

I've uploaded from Jammy to Plucky into our security-proposed ppa:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=libapache&field.status_filter=published&field.series_filter=

If you could run some tests to confirm that everything looks good, I would appreciate it.

Focal and bionic: I'm still unsure if they are truly vulnerable to it. I will update the bug accordingly when I finalize my thoughts.

** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
       Status: In Progress => Fix Committed

** Changed in: libapache2-mod-auth-openidc (Ubuntu Noble)
       Status: In Progress => Fix Committed

** Changed in: libapache2-mod-auth-openidc (Ubuntu Oracular)
       Status: In Progress => Fix Committed

** Changed in: libapache2-mod-auth-openidc (Ubuntu Plucky)
       Status: In Progress => Fix Committed
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** Changed in: libapache2-mod-auth-openidc (Ubuntu Plucky)
       Status: New => In Progress

** Changed in: libapache2-mod-auth-openidc (Ubuntu Noble)
       Status: New => In Progress

** Changed in: libapache2-mod-auth-openidc (Ubuntu Plucky)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: libapache2-mod-auth-openidc (Ubuntu Oracular)
       Status: New => In Progress

** Changed in: libapache2-mod-auth-openidc (Ubuntu Oracular)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)

** Changed in: libapache2-mod-auth-openidc (Ubuntu Noble)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** Also affects: libapache2-mod-auth-openidc (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-31492
Re: [Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Hi,

I am certain they will be affected. It looks like the bug has existed since upstream v2.3.1 (July 2017), which is when the feature was added.

Peter

From: [email protected] on behalf of Eduardo Barretto <[email protected]>
Sent: 09 April 2025 12:59
To: Peter Benie
Subject: [Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data

Thanks Peter, I will take a look at your debdiff and also check the other releases to see if they are affected by it too. I'm hoping we will have this released by next week.

-- 
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/2106320

Title:
  OIDCProviderAuthRequestMethod POST leaks protected data

Status in libapache2-mod-auth-openidc package in Ubuntu:
  New

Bug description:
  Versions up to and including 2.4.16.10

  CVE-2025-31492

  When doing authentication, and when configured with OIDCProviderAuthRequestMethod POST, the protected resource is appended to the normal http response. This exposes protected data to people who have not been authenticated/authorised.

  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
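A defender-side check for the leak the bug description above reports, added here as an illustration; it is not code from mod_auth_openidc, the GHSA advisory, or the Ubuntu packaging. It assumes that an unauthenticated request to a protected path configured with OIDCProviderAuthRequestMethod POST should be answered only by the self-submitting HTML form that forwards the browser to the provider's authorization endpoint, so any bytes after that document's closing </html> tag are protected content that should not have been served. The form markup and both sample response bodies are constructed, not captured from a real server.

```python
# Added example: flag protected content appended after the OIDC auto-submit
# POST form. Illustration code, not part of mod_auth_openidc or Ubuntu.
#
# Assumption: the unauthenticated response for a protected URL should consist
# solely of the self-submitting POST form document. Anything that follows the
# first </html> of that document is data that leaked past authorization.
import re
from dataclasses import dataclass

# Match the auto-submit form regardless of attribute quoting or case.
POST_FORM_RE = re.compile(r'<form\b[^>]*\bmethod\s*=\s*"?post"?', re.IGNORECASE)
END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


@dataclass
class LeakCheck:
    has_post_form: bool  # response contains the auto-submit POST form
    trailing: str        # text after the form document's first </html>
    leaked: bool         # True when anything follows the form document


def check_response_body(body: str) -> LeakCheck:
    """Classify one HTTP response body captured from a protected URL.

    The first </html> is used on purpose: if the appended resource is itself
    an HTML page, searching for the last </html> would hide the leak.
    """
    has_form = POST_FORM_RE.search(body) is not None
    end = END_HTML_RE.search(body)
    if end is None:
        # No document terminator at all: the whole (non-empty) body is suspect.
        trailing = body.strip()
    else:
        trailing = body[end.end():].strip()
    return LeakCheck(has_post_form=has_form, trailing=trailing, leaked=bool(trailing))


# Constructed sample bodies (hostnames, client id and hidden fields are made up).
AUTO_POST_FORM = (
    "<html><head><title>Redirecting</title></head>"
    '<body onload="document.forms[0].submit()">'
    '<form method="post" action="https://op.example.test/authorize">'
    '<input type="hidden" name="response_type" value="code">'
    '<input type="hidden" name="client_id" value="constructed-client">'
    '<input type="hidden" name="redirect_uri" value="https://rp.example.test/redirect_uri">'
    "</form></body></html>"
)
CLEAN_BODY = AUTO_POST_FORM
LEAKY_BODY = AUTO_POST_FORM + "\n<html><body><h1>Internal report</h1><p>Q3 figures</p></body></html>"


def summarise(body: str) -> str:
    """Human-readable verdict for one captured body."""
    result = check_response_body(body)
    if not result.has_post_form:
        return "no auto-submit POST form found (is OIDCProviderAuthRequestMethod POST configured?)"
    if result.leaked:
        return f"LEAK: {len(result.trailing)} bytes follow the auth form"
    return "ok: response contains only the auth form"


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_BODY), ("leaky", LEAKY_BODY)):
        print(f"{name}: {summarise(body)}")
```

In practice the body to classify would be saved from a plain unauthenticated GET of a protected path on a staging host after the fixed package is installed; an empty trailing segment on every protected path is the expected result once CVE-2025-31492 is patched.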
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Thanks Peter, I will take a look at your debdiff and also check the other releases to see if they are affected by it too. I'm hoping we will have this released by next week.
[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
** Patch added: "auth-fix.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+attachment/5870246/+files/auth-fix.debdiff
