[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2298-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
July 29, 2020                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.1.6-1+deb9u1
CVE ID         : CVE-2019-14857 CVE-2019-20479 CVE-2019-1010247


Several issues have been found in libapache2-mod-auth-openidc, the OpenID Connect authentication module for the Apache HTTP server.

CVE-2019-14857

    Insufficient validation of URLs leads to an Open Redirect
    vulnerability. An attacker may trick a victim into providing
    credentials for an OpenID provider by forwarding the request to an
    illegitimate website.

CVE-2019-20479

    Due to insufficient validatation of URLs an Open Redirect
    vulnerability for URLs beginning with a slash and backslash could be
    abused.

CVE-2019-1010247

    The OIDCRedirectURI page contains generated JavaScript code that uses
    a poll parameter as a string variable, thus might contain additional
    JavaScript code. This might result in Criss-Site Scripting (XSS).


For Debian 9 stretch, these problems have been fixed in version
2.1.6-1+deb9u1.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl8h78JfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfE9Q/+LUe+WhVzkBG0P2e/SHcx9/TG8bLp0xs3O+pdRDciSFTyKWZSVsOOr2hN
oxkMbnmynU0vHIsLL1LpDz9TL+0/Fu1USgQpplvoN6Oiw8tdbxBT4vyTlme/8E/o
dbngFcd13BWFam6eHgW2Bgvo357OyQtRSrP/b7Kx3pVVvv6ohU0q8HKKqx21i+Tb
XA/Kqq2p6XusZ1BgTy6O81kn5EctRw0RbHTaZg8OPtTLwq5Xe5hLR1JA4z0pXVnD
MH/G+H1ln2QKOWOQAJYHj4z5id+iZOToJDFsRaymIc2qGZpm8oNay7Ibn3Y2ys99
xc+Q1ArSux0mI5w8hMoU3ibZE8DWJZnyvG4KTQ6ViLtfZOkEqyU0GVqjpu+M7adR
yOsRQb4viCyrV+XgCkkRfnyLNyCqFdwSRKz6TlewziJwW1OF4vyJ2phO0aZEbvF1
bUAaf0y6zwEVuCwhTOC5qu8FDdje+yjVWFJtqrKtsZEWOUbY3xX8Bd9J8Fi1nfEp
m6Nl2crASv19PCkMa4lyNgUJDPysdNgIWeqSfv5Vm5A64hgQ9fhtKu4BetWPZH7G
sBAElX/g7nV69s9tnkZETv4QJoNGuiaMHRGCJcQNNiM/XPU8NG4fdznT+6cve+2o
aIG7OaWS460JWMVfm7IhDltUN/yFTD7wjObZgPyhSDT2c+/akQQ=
=KLt4
-----END PGP SIGNATURE-----


Reply to: