Source: libapache2-mod-auth-openidc
Version: 2.4.16.10-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2025-31492[0]:
| mod_auth_openidc is an OpenID Certified authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. Prior to 2.4.16.11,
| a bug in mod_auth_openidc results in disclosure of protected
| content to unauthenticated users. The conditions for disclosure are
| an OIDCProviderAuthRequestMethod POST, a valid account, and there
| mustn't be any application-level gateway (or load balancer etc)
| protecting the server. When you request a protected resource, the
| response includes the HTTP status, the HTTP headers, the intended
| response (the self-submitting form), and the protected resource
| (with no headers). This is an example of a request for a protected
| resource, including all the data returned. In the case where
| mod_auth_openidc returns a form, it has to return OK from
| check_userid so as not to go down the error path in httpd. This
| means httpd will try to issue the protected resource.
| oidc_content_handler is called early, which has the opportunity to
| prevent the normal output being issued by httpd.
| oidc_content_handler has a number of checks for when it intervenes,
| but it doesn't check for this case, so the handler returns DECLINED.
| Consequently, httpd appends the protected content to the response.
| The issue has been patched in mod_auth_openidc versions >=
| 2.4.16.11.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31492
    https://www.cve.org/CVERecord?id=CVE-2025-31492
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
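The advisory quoted above describes a specific symptom: a response to a protected resource that carries the self-submitting POST form and then, after it, the protected content with no headers of its own. The following script is an added example for operators checking their own deployment; it is not part of the Debian bug report, the CVE record or mod_auth_openidc. It inspects a raw HTTP response (the sample responses below are constructed, not captured from a real server) and flags two signals of that symptom: non-whitespace content after the closing `</html>` of the form document, and a body longer than the declared `Content-Length`. Both checks are heuristics that assume the form is emitted as a complete HTML document and that the module sets `Content-Length` for it; the version helper assumes a Debian-style version string with the upstream part before the first `-`.

```python
"""Defender-side check for the CVE-2025-31492 symptom described in the
advisory: a self-submitting form followed by trailing protected content.
Added example; not code from mod_auth_openidc or the bug report."""
import re

# From the advisory: fixed in upstream mod_auth_openidc >= 2.4.16.11.
FIXED_VERSION = (2, 4, 16, 11)


def parse_upstream_version(version_str):
    """Return the upstream part of a Debian version as a tuple of ints.
    Assumption: plain dotted upstream version, Debian revision after '-'."""
    upstream = version_str.split("-")[0]
    return tuple(int(part) for part in upstream.split("."))


def is_fixed(version_str):
    """True when the installed upstream version contains the fix."""
    return parse_upstream_version(version_str) >= FIXED_VERSION


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def looks_like_self_submitting_form(body):
    """Heuristic: a POST form plus an auto-submit hook (onload/submit())."""
    has_post_form = re.search(r'<form[^>]*method=["\']?post', body, re.I) is not None
    auto_submit = re.search(r'onload=["\'][^"\']*submit|\.submit\(\)', body, re.I) is not None
    return has_post_form and auto_submit


def trailing_content_after_form(body):
    """Anything after the first </html> is content appended to the form
    document; in the advisory's scenario that is the protected resource.
    Assumption: the form is emitted as a complete HTML document."""
    match = re.search(r"</html>", body, re.I)
    if match is None:
        return ""
    return body[match.end():].strip()


def check_response(raw):
    """Return a list of findings for one captured response (empty = clean)."""
    _status, headers, body = split_response(raw)
    findings = []
    if not looks_like_self_submitting_form(body):
        return findings  # not the redirect-by-form case; nothing to judge
    extra = trailing_content_after_form(body)
    if extra:
        findings.append("content after self-submitting form (%d bytes)" % len(extra))
    declared = headers.get("content-length")
    if declared is not None and len(body.encode()) > int(declared):
        findings.append("body exceeds declared Content-Length")
    return findings


# Constructed sample: the kind of auto-submitting form an RP emits when
# OIDCProviderAuthRequestMethod is POST. Not copied from the module.
FORM_DOCUMENT = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="https://op.example/authorize">'
    '<input type="hidden" name="client_id" value="example-client"/>'
    '</form></body></html>'
)
# Constructed sample of protected content that should never be sent.
LEAKED_CONTENT = "<html><body>internal report: constructed sample</body></html>"

HEADER_TEMPLATE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"

# Clean response: form only, Content-Length matches the body.
SAFE_RESPONSE = HEADER_TEMPLATE % len(FORM_DOCUMENT) + FORM_DOCUMENT
# Leaky response: same headers, but the protected content is appended.
LEAKY_RESPONSE = HEADER_TEMPLATE % len(FORM_DOCUMENT) + FORM_DOCUMENT + LEAKED_CONTENT

if __name__ == "__main__":
    for label, version in (("installed", "2.4.16.10-1"), ("fixed", "2.4.16.11-1")):
        print("%s %s fixed=%s" % (label, version, is_fixed(version)))
    for label, raw in (("safe", SAFE_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, check_response(raw) or "no findings")
```

To use it against a real deployment, capture the full raw response for a protected URL from an unauthenticated client (for example with `curl -i`, saved to a file with CRLF line endings intact) and pass its contents to `check_response`; any finding means the response carries more than the form and the server should be upgraded to a version at or above 2.4.16.11 and rechecked.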