Debian Security Advisory
DLA-3409-1 libapache2-mod-auth-openidc -- LTS security update
- Date Reported:
- 30 Apr 2023
- Affected Packages: libapache2-mod-auth-openidc
- Security database references:
- In the Debian bugtracking system: Bug 991580, Bug 991581, Bug 991582, Bug 991583, Bug 1033916.
In Mitre's CVE dictionary: CVE-2019-20479, CVE-2021-32785, CVE-2021-32786, CVE-2021-32791, CVE-2021-32792, CVE-2023-28625.
- More information:
Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache.
CVE-2019-20479: Insufficient validation of redirect URLs beginning with a slash and backslash (/\), which browsers normalise to a scheme-relative URL (//host), allowing an open redirect.
CVE-2021-32785: Crash when using an unencrypted Redis cache.
CVE-2021-32786: Open redirect vulnerability in the logout functionality.
CVE-2021-32791: AES-GCM encryption used a static IV and AAD; reusing a GCM nonce under the same key compromises both confidentiality and integrity of the encrypted data.
CVE-2021-32792: XSS vulnerability when using OIDCPreservePost.
CVE-2023-28625: NULL pointer dereference with OIDCStripCookies.
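Two of the issues above are open redirects (the slash-backslash bypass and the logout redirect). The following is an added example, written in Python rather than taken from mod_auth_openidc's C sources, of the kind of redirect-target check a relying party should apply to both the post-login return URL and the logout redirect parameter. It contrasts a naive "starts with a single slash" test, which still accepts /\evil.com, with a validator that normalises backslashes before deciding and otherwise only allows a constructed allowlist of absolute origins (the example.com hosts are assumptions for the example):

```python
"""
Redirect-target validation for an OpenID Connect relying party.
Added example, not mod_auth_openidc's own code.

Browsers treat a backslash in the first characters of a URL like a
forward slash, so "/\\evil.com" is fetched as "//evil.com" (scheme-relative,
i.e. a different host). A check that only rejects a literal "//" prefix
therefore lets the redirect out of the site.
"""
from urllib.parse import urlsplit

# Constructed allowlist of absolute origins this RP may redirect to
# (hypothetical hosts chosen for the example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://sso.example.com"}


def naive_is_safe_redirect(url: str) -> bool:
    """The broken check: a leading '/' that is not '//' is treated as local."""
    return url.startswith("/") and not url.startswith("//")


def is_safe_redirect(url: str, allowed_origins=ALLOWED_ORIGINS) -> bool:
    """Stricter check: a same-site path, or an exact allowlisted origin."""
    if not url or any(c in url for c in "\r\n\t "):
        # Reject empty targets and whitespace/CRLF that could split the Location header.
        return False

    # Normalise the way browsers do: a backslash acts as a slash, so any
    # "/\" or "\\" prefix becomes "//" and is caught as scheme-relative.
    normalized = url.replace("\\", "/")

    if normalized.startswith("/"):
        # Relative path on this site; only "//host" (a foreign authority) is refused.
        return not normalized.startswith("//")

    parts = urlsplit(normalized)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # javascript:, data:, "https:///host" and other non-web targets.
        return False
    if parts.username or parts.password:
        # "https://app.example.com@evil.com" would show the trusted name first.
        return False

    # Compare scheme + host[:port] exactly against the allowlist; no prefix
    # or substring matching, so "app.example.com.evil.com" does not pass.
    origin = f"{parts.scheme}://{parts.netloc.lower()}"
    return origin in allowed_origins
```

Apply the same function to every user-controlled redirect target the relying party emits, including the logout return URL, and keep the allowlist to exact origins rather than regular expressions or prefix matches.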
For Debian 10 buster, these problems have been fixed in version 126.96.36.199-1+deb10u2.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS