Debian Security Advisory

DLA-3499-1 libapache2-mod-auth-openidc -- LTS security update

Date Reported:
19 Jul 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 993648, Bug 1026444.
In Mitre's CVE dictionary: CVE-2021-39191, CVE-2022-23527.
More information:

Open Redirect vulnerabilities were found in libapache2-mod-auth-openidc, OpenID Connect Relying Party implementation for Apache, which could lead to information disclosure via phishing attacks.

  • CVE-2021-39191

    The 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter.

  • CVE-2022-23527

    When providing a logout parameter to the redirect URI, mod_auth_openidc failed to properly check for URLs starting with "/\t", leading to an open redirect.

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: