Debian Buster: DLA-3409-1 Critical: libapache2-mod-auth-openidc Issues
debian lts
April 30, 2023
Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache
Topics Covered
Summary
CVE-2019-20479
Insufficient validatation of URLs beginning with a slash and backslash.
CVE-2021-32785
Crash when using an unencrypted Redis cache.
CVE-2021-32786
Open Redirect vulnerability in the logout functionality.
CVE-2021-32791
AES GCM encryption in used static IV and AAD.
CVE-2021-32792
XSS vulnerability when using OIDCPreservePost.
CVE-2023-28625
NULL pointer dereference with OIDCStripCookies.
For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: libapache2-mod-auth-openidc
Version: 2.3.10.2-1+deb10u2
CVE ID: CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791
Debian Bug: 991580 991581 991582 991583 1033916
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!