[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 1 May 2023 00:14:15 +0300
Message-id: <ZE7aJ0fv/vGlLBY1@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3409-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u2
CVE ID         : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 
                 CVE-2021-32792 CVE-2023-28625
Debian Bug     : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc,
an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

    Insufficient validatation of URLs beginning with a slash and backslash.

CVE-2021-32785

    Crash when using an unencrypted Redis cache.

CVE-2021-32786

    Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

    AES GCM encryption in used static IV and AAD.

CVE-2021-32792

    XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

    NULL pointer dereference with OIDCStripCookies.

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmRO2icACgkQiNJCh6LY
mLGkPhAAg1hWzk52AhdbiwRuEj9zyyZKJd7ZQYDjbBMgOlgSXG28XtS8tTEp8oKP
/hyWoyyczyqkdVwv3UAoOwOcuXa8Fr9bcCdF/KWZsONFtAXaf1+IOvQmyg+orf5P
G4xG7EtMIXKb/JF0zNEov7dAr2TP1bAlE1lIdDbsNje+0lV7irXumnx8BVAoDJ0j
3Ea8ptrtDknTXNf8hEx7TNR5XoSi8soeaAZw0ckHVK7t9P+YLvd4HWBt1xwU4w5q
SryyVRgYe0s68AA2aIQYj205Zx4f5auLwkR+GPvW0cpoqUAbiy27JqBW2AysB5qO
GsFwUfUn9nVj6ViJxhEbW9KnrMRb2Xy2FqfGVqU9rMuEkTUjAbsUzTYWa2RccULJ
q4QskZrhowYqw7JhhOOyAbM0pU6RW9y0PWte7uQzfbw0mtK9vPLtnpPIBI0tPjg+
veko0oRGwS3FU4oAa3jWS8VOJhlR//lB5RpgMRqhd/Dm68+81UQ8+2lBSLRbfuXg
Le7CmV33DIuwixr6HCfSCrvSk4PpQm/GQDKgYo+LuVr+LNZ0J+NDdvbFfLRhV5NX
TvliSq3nfnfxSjQ/s8DdF+8StSVW2nOjPwfPQ3TK1VtFUpwWFl+d93vcr/uoh9yb
GJaFLbWVYjNu6EavWs/pqb+W7Qq5G7XTeE9Mdxq2KgE07ePuOwc=
=Tb3N
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3408-1] jruby security update
Previous by thread: [SECURITY] [DLA 3408-1] jruby security update
Index(es):
- Date
- Thread