Debian Security Advisory
DLA-3409-1 libapache2-mod-auth-openidc -- LTS security update
- Date Reported:
- 30 Apr 2023
- Affected Packages:
- libapache2-mod-auth-openidc
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 991580, Bug 991581, Bug 991582, Bug 991583, Bug 1033916.
In Mitre's CVE dictionary: CVE-2019-20479, CVE-2021-32785, CVE-2021-32786, CVE-2021-32791, CVE-2021-32792, CVE-2023-28625. - More information:
-
Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache.
- CVE-2019-20479
Insufficient validatation of URLs beginning with a slash and backslash.
- CVE-2021-32785
Crash when using an unencrypted Redis cache.
- CVE-2021-32786
Open Redirect vulnerability in the logout functionality.
- CVE-2021-32791
AES GCM encryption in used static IV and AAD.
- CVE-2021-32792
XSS vulnerability when using OIDCPreservePost.
- CVE-2023-28625
NULL pointer dereference with OIDCStripCookies.
For Debian 10 buster, these problems have been fixed in version 2.3.10.2-1+deb10u2.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
- CVE-2019-20479