Debian: DLA-3752-2 Urgent: libcurl Denial of Service Vulnerability
debian lts
March 5, 2024
It was discovered that there was a potential Denial of Service (DoS) attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC) module for the Apache web server
Topics Covered
Summary
Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.
For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: libapache2-mod-auth-openidc
Version: 2.3.10.2-1+deb10u4
CVE ID: CVE-2024-24814
Debian Bug: 1064183
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!