Lucene search

DebianDEBIAN:DLA-3409-1:B6325

HistoryApr 30, 2023 - 9:14 p.m.

[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update

2023-04-3021:14:15

lists.debian.org

openid connect relying party

xss vulnerability

cve-2019-20479

aes gcm encryption

cve-2021-32786

cve-2021-32792

null pointer dereference

cve-2023-28625

open redirect vulnerability

apache

cve-2021-32791

cve-2021-32785

debian 10 buster

security update

redis cache

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

77.1%

JSON

Debian LTS Advisory DLA-3409-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
April 30, 2023 https://wiki.debian.org/LTS

Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u2
CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791
CVE-2021-32792 CVE-2023-28625
Debian Bug : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc,
an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

Insufficient validatation of URLs beginning with a slash and backslash.

CVE-2021-32785

Crash when using an unencrypted Redis cache.

CVE-2021-32786

Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

AES GCM encryption in used static IV and AAD.

CVE-2021-32792

XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

NULL pointer dereference with OIDCStripCookies.

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10i386libapache2-mod-auth-openidc< 2.3.10.2-1+deb10u2libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_i386.deb
Debian10armhflibapache2-mod-auth-openidc< 2.3.10.2-1+deb10u2libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_armhf.deb
Debian10arm64libapache2-mod-auth-openidc< 2.3.10.2-1+deb10u2libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_arm64.deb
Debian10alllibapache2-mod-auth-openidc< 2.3.10.2-1+deb10u2libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_all.deb
Debian10amd64libapache2-mod-auth-openidc< 2.3.10.2-1+deb10u2libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	i386	libapache2-mod-auth-openidc	< 2.3.10.2-1+deb10u2	libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_i386.deb
Debian	10	armhf	libapache2-mod-auth-openidc	< 2.3.10.2-1+deb10u2	libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_armhf.deb
Debian	10	arm64	libapache2-mod-auth-openidc	< 2.3.10.2-1+deb10u2	libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_arm64.deb
Debian	10	all	libapache2-mod-auth-openidc	< 2.3.10.2-1+deb10u2	libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_all.deb
Debian	10	amd64	libapache2-mod-auth-openidc	< 2.3.10.2-1+deb10u2	libapache2-mod-auth-openidc_2.3.10.2-1+deb10u2_amd64.deb