- ------------------------------------------------------------------------- Debian LTS Advisory DLA-3409-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk April 30, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : libapache2-mod-auth-openidc Version : 2.3.10.2-1+deb10u2 CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 CVE-2021-32792 CVE-2023-28625 Debian Bug : 991580 991581 991582 991583 1033916 Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache. CVE-2019-20479 Insufficient validatation of URLs beginning with a slash and backslash. CVE-2021-32785 Crash when using an unencrypted Redis cache. CVE-2021-32786 Open Redirect vulnerability in the logout functionality. CVE-2021-32791 AES GCM encryption in used static IV and AAD. CVE-2021-32792 XSS vulnerability when using OIDCPreservePost. CVE-2023-28625 NULL pointer dereference with OIDCStripCookies. For Debian 10 buster, these problems have been fixed in version 2.3.10.2-1+deb10u2. We recommend that you upgrade your libapache2-mod-auth-openidc packages. For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3409-1: libapache2-mod-auth-openidc security update
April 30, 2023
Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache
Summary
CVE-2019-20479
Insufficient validatation of URLs beginning with a slash and backslash.
CVE-2021-32785
Crash when using an unencrypted Redis cache.
CVE-2021-32786
Open Redirect vulnerability in the logout functionality.
CVE-2021-32791
AES GCM encryption in used static IV and AAD.
CVE-2021-32792
XSS vulnerability when using OIDCPreservePost.
CVE-2023-28625
NULL pointer dereference with OIDCStripCookies.
For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u2
CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791
Debian Bug : 991580 991581 991582 991583 1033916
News
HOWTOs
About Us
Powered By
