Your message dated Thu, 10 Apr 2025 12:50:47 +0000
with message-id <e1u2rml-00fqd5...@fasolo.debian.org>
and subject line Bug#1102413: fixed in libapache2-mod-auth-openidc 2.4.16.11-1
has caused the Debian Bug report #1102413,
regarding libapache2-mod-auth-openidc: CVE-2025-31492
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1102413: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102413
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.16.10-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libapache2-mod-auth-openidc.
CVE-2025-31492[0]:
| mod_auth_openidc is an OpenID Certified authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. Prior to 2.4.16.11,
| a bug in mod_auth_openidc results in disclosure of protected
| content to unauthenticated users. The conditions for disclosure are
| an OIDCProviderAuthRequestMethod POST, a valid account, and there
| mustn't be any application-level gateway (or load balancer etc)
| protecting the server. When you request a protected resource, the
| response includes the HTTP status, the HTTP headers, the intended
| response (the self-submitting form), and the protected resource
| (with no headers). This is an example of a request for a protected
| resource, including all the data returned. In the case where
| mod_auth_openidc returns a form, it has to return OK from
| check_userid so as not to go down the error path in httpd. This
| means httpd will try to issue the protected resource.
| oidc_content_handler is called early, which has the opportunity to
| prevent the normal output being issued by httpd.
| oidc_content_handler has a number of checks for when it intervenes,
| but it doesn't check for this case, so the handler returns DECLINED.
| Consequently, httpd appends the protected content to the response.
| The issue has been patched in mod_auth_openidc versions >=
| 2.4.16.11.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-31492
    https://www.cve.org/CVERecord?id=CVE-2025-31492
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.16.11-1
Done: Moritz Schlarb <mosch...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <mosch...@debian.org> (supplier of updated
libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Apr 2025 14:27:27 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.16.11-1
Distribution: unstable
Urgency: high
Maintainer: Moritz Schlarb <mosch...@debian.org>
Changed-By: Moritz Schlarb <mosch...@debian.org>
Closes: 1102413
Changes:
libapache2-mod-auth-openidc (2.4.16.11-1) unstable; urgency=high
.
* New upstream version 2.4.16.11
Fixes CVE-2025-31492, Closes: #1102413
Checksums-Sha1:
6aa9508df89f8f63e8f9da0552242e0383cba588 2305 libapache2-mod-auth-openidc_2.4.16.11-1.dsc
e22358b94c975f86baca201a4d5fcff8538844d0 334972 libapache2-mod-auth-openidc_2.4.16.11.orig.tar.gz
043b3618c945352e587e63153f3c695adeb0e2fe 7888 libapache2-mod-auth-openidc_2.4.16.11-1.debian.tar.xz
e45f3239735bb1766e2765b6e738913f7c7ccc64 9237 libapache2-mod-auth-openidc_2.4.16.11-1_amd64.buildinfo
Checksums-Sha256:
2f9052b64ae3434c60d1cf56abb61c8e3cac4dab29b14816390c29de604ee58d 2305 libapache2-mod-auth-openidc_2.4.16.11-1.dsc
6c25775511e8ad8684b0185f3456879259ed02fba86a2fd4baa7376e1f6c4abc 334972 libapache2-mod-auth-openidc_2.4.16.11.orig.tar.gz
c993f959582e733763d187eeb604492623df2d73d7b616619eeaf45b03e4c82d 7888 libapache2-mod-auth-openidc_2.4.16.11-1.debian.tar.xz
76780a7525aca14cb6d84d6bf4071476df509f4a220291ddc0dbc710620db0ab 9237 libapache2-mod-auth-openidc_2.4.16.11-1_amd64.buildinfo
Files:
26e7c1c6ded807f027063e7b0c1f00fb 2305 httpd optional libapache2-mod-auth-openidc_2.4.16.11-1.dsc
33d72cbb81d5e604d963bfd0f5c3f546 334972 httpd optional libapache2-mod-auth-openidc_2.4.16.11.orig.tar.gz
e6bf4ca072bf6b145be69c0012cb022f 7888 httpd optional libapache2-mod-auth-openidc_2.4.16.11-1.debian.tar.xz
a25223b17505b5e878f95e8a26e228c3 9237 httpd optional libapache2-mod-auth-openidc_2.4.16.11-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmf3ufQUHG1vc2NobGFy
QGRlYmlhbi5vcmcACgkQDCS4Qcfduq9DLQ/5AXOnfrxQqxlyGmrckRlimqO14LP/
pCTKKP1kbAxR/2zK5axMpuEGgQApAWIOzotv75Jikr5KZCIS7AcyzfodeS20sNcE
zvVpGcap1CCS1IX5oCbqd56Aj9ouel1bHqxi9yfXAwQYxtLkPtnk+MTdl0XnrrfX
hxVpl8ChkoFKlojhsl8n4n6i1kfv0R9dKDtSuyw+s7zJMAAPz9gIva0gOeT/vBHc
rqu649+eDiB4cr/oPqSIwR0ZGxBtFLYY2Zp98fCC9zOPnbMdNfCAMWf31OtkQ4Rl
fDyMBEtEaa8VotpbBAS3/IRrWAlNeorbpc8L/wt49R7NBIrCG0jryAj0jrQwGa0U
CVnYIEyp/tbivpx+/XBUDPEQJFv7JN74/Jk4+8VWjDRSqYafP+l5vBkFg2Wit9je
MgzyUA7ksOcBCNZ5NsnLmjNTACaBEkd7osE3+tIRKWr5+k6DTcowD7C85D22uy0Z
v9ur3g40de5m4RXgbCO4NVTljx/m4Vjm4UHT8IPv4UeHANAzGspYLBTmQCsIR+wK
mYNcUaTrtphZwQzbXyTkVAjaR8jUeOJBCusNunOAseNLRUmOTCoahphDXK254kEG
lYtL2521z6HOyjvlSs4wFBr6vzI26p43WIBrUsc1p+WlKTNT8y8sijVXuVBnmjd0
Jka/nQG/Qx+TYMA=
=OABm
-----END PGP SIGNATURE-----
--- End Message ---
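The signed .changes file in the close message above lists the size and SHA-256 digest of every file in the upload. A practitioner who pulls the source package for review would check the downloaded files against that manifest after verifying its PGP signature. The following Python is an added example, not Debian tooling and not part of the mod_auth_openidc project: it parses the `Checksums-Sha256` stanza in the format shown above (one indented line per file: digest, size, name) and verifies files in a directory against it, distinguishing a missing file, a wrong size and a wrong digest. The sample files in `demo()` are constructed; the function names are the example's own.

```python
"""Added example: parse the Checksums-Sha256 stanza of a Debian .changes
file and verify downloaded files against it."""
import hashlib
import os
import tempfile


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> list:
    """Return [{'digest', 'size', 'name'}] for the continuation lines of the
    given field. Each entry line is indented by one space and reads:
    <hex digest> <size in bytes> <file name>. The next unindented field
    ends the stanza."""
    entries = []
    inside = False
    for line in changes_text.splitlines():
        if not inside:
            inside = line.strip() == field + ":"
            continue
        if not line.startswith(" ") or not line.strip():
            break
        digest, size, name = line.split()
        entries.append({"digest": digest.lower(), "size": int(size), "name": name})
    return entries


def verify_files(entries: list, directory: str) -> dict:
    """Map each listed file name to 'ok', 'missing', 'size-mismatch' or
    'digest-mismatch'. Size is checked before hashing so a truncated
    download is reported as such rather than as a bad digest."""
    results = {}
    for e in entries:
        path = os.path.join(directory, e["name"])
        if not os.path.isfile(path):
            results[e["name"]] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != e["size"]:
            results[e["name"]] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != e["digest"]:
            results[e["name"]] = "digest-mismatch"
        else:
            results[e["name"]] = "ok"
    return results


def demo() -> dict:
    """Constructed end-to-end run: write sample files, build a stanza that
    lists the genuine digest and size for each, then verify. One file is
    intact, one is altered in place, one is truncated, one is absent."""
    good = b"constructed sample tarball contents\n"
    tampered = b"constructed sample tarball c0ntents\n"  # same length, one byte changed
    digest, size = hashlib.sha256(good).hexdigest(), len(good)
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("good.tar.gz", good),
                           ("tampered.tar.gz", tampered),
                           ("short.tar.gz", good[:10])):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        stanza = (
            "Format: 1.8\n"
            "Checksums-Sha256:\n"
            f" {digest} {size} good.tar.gz\n"
            f" {digest} {size} tampered.tar.gz\n"
            f" {digest} {size} short.tar.gz\n"
            f" {digest} {size} absent.tar.gz\n"
            "Files:\n"
            " 00000000000000000000000000000000 1 httpd optional ignored.dsc\n"
        )
        return verify_files(parse_checksums(stanza), tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The digests only bind the files to the manifest; what makes the manifest trustworthy is the maintainer's signature on it, so `gpg --verify` on the .changes file (against a key you have reason to trust) comes first, and a file that fails the size or digest check should be treated as a download or tampering problem, not silently retried.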