Your message dated Fri, 18 Apr 2025 11:47:15 +0000
with message-id <e1u5kbf-005whh...@fasolo.debian.org>
and subject line Bug#1102413: fixed in libapache2-mod-auth-openidc 2.4.12.3-2+deb12u3
has caused the Debian Bug report #1102413,
regarding libapache2-mod-auth-openidc: CVE-2025-31492
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1102413: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102413
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.16.10-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libapache2-mod-auth-openidc.
CVE-2025-31492[0]:
| mod_auth_openidc is an OpenID Certified authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. Prior to 2.4.16.11,
| a bug in mod_auth_openidc results in disclosure of protected
| content to unauthenticated users. The conditions for disclosure are
| an OIDCProviderAuthRequestMethod POST, a valid account, and there
| mustn't be any application-level gateway (or load balancer etc)
| protecting the server. When you request a protected resource, the
| response includes the HTTP status, the HTTP headers, the intended
| response (the self-submitting form), and the protected resource
| (with no headers). This is an example of a request for a protected
| resource, including all the data returned. In the case where
| mod_auth_openidc returns a form, it has to return OK from
| check_userid so as not to go down the error path in httpd. This
| means httpd will try to issue the protected resource.
| oidc_content_handler is called early, which has the opportunity to
| prevent the normal output being issued by httpd.
| oidc_content_handler has a number of checks for when it intervenes,
| but it doesn't check for this case, so the handler returns DECLINED.
| Consequently, httpd appends the protected content to the response.
| The issue has been patched in mod_auth_openidc versions >=
| 2.4.16.11.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-31492
    https://www.cve.org/CVERecord?id=CVE-2025-31492
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
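A defender-side check for the symptom the advisory describes, added here as an example (it is not code from the bug report, Debian, or mod_auth_openidc): it parses a captured HTTP response and reports any content that follows the self-submitting form's closing </html>, which is what a vulnerable build appends when it answers an unauthenticated request for a protected resource. The response bytes and the hostname op.example are constructed for the example.

```python
"""Detect the CVE-2025-31492 symptom in a captured HTTP response.
Added example; not code from the Debian bug report or mod_auth_openidc."""
import re

# Constructed sample (hostname op.example is made up): the auto-submitting
# form mod_auth_openidc emits for OIDCProviderAuthRequestMethod POST, with
# the protected page that a vulnerable httpd appends right after it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body onload="document.forms[0].submit()">'
    b'<form method="post" action="https://op.example/authorize">'
    b'<input type="hidden" name="response_type" value="code"/>'
    b"</form></body></html>"
    b"<html><body><h1>Internal report</h1>secret</body></html>"
)

FORM_RE = re.compile(rb"<form[^>]*method=[\"']?post", re.IGNORECASE)
HTML_END_RE = re.compile(rb"</html>", re.IGNORECASE)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    return int(status_line.split()[1]), body


def trailing_content_after_form(raw: bytes) -> bytes:
    """Return whatever follows the form's closing </html>, b"" when clean.

    Only a 200 response carrying the POST form is examined: that is the
    path on which check_userid returns OK and httpd keeps generating output.
    """
    status, body = split_response(raw)
    if status != 200 or not FORM_RE.search(body):
        return b""
    end = HTML_END_RE.search(body)
    return body[end.end():].strip() if end else b""


def is_leaking(raw: bytes) -> bool:
    """True when protected content trails the form (the advisory's symptom)."""
    return bool(trailing_content_after_form(raw))


if __name__ == "__main__":
    extra = trailing_content_after_form(SAMPLE_RESPONSE)
    print("leak detected:" if extra else "clean", extra[:40])
```

Run it against a response saved from your own server (for example with curl -i) after deploying 2.4.12.3-2+deb12u3; an empty result confirms the form is no longer followed by protected content.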
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.12.3-2+deb12u3
Done: Moritz Schlarb <mosch...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <mosch...@debian.org> (supplier of updated
libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 16 Apr 2025 10:56:55 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.12.3-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Moritz Schlarb <schla...@uni-mainz.de>
Changed-By: Moritz Schlarb <mosch...@debian.org>
Closes: 1102413
Changes:
libapache2-mod-auth-openidc (2.4.12.3-2+deb12u3) bookworm-security; urgency=high
.
  * Fix CVE-2025-31492
    "protected content leakage when using OIDCProviderAuthRequestMethod POST"
    Backported applicable portions from upstream fix in
    https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
    (Closes: #1102413)
--- End Message ---