Package: libapache2-mod-auth-openidc / 2.4.12.3-2+deb12u4

Metadata

Package                      Version              Patches format
libapache2-mod-auth-openidc  2.4.12.3-2+deb12u4   3.0 (quilt)

Patch series

Patch File delta Description
0001 Fix CVE 2023 28625 segfault DoS when OIDCStripCookie.patch

src/mod_auth_openidc.c | 3 (+2, -1)
1 file changed, 2 insertions(+), 1 deletion(-)

 fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set

0002 fix DoS CVE 2024 24814.patch

src/util.c | 35 (+17, -18)
1 file changed, 17 insertions(+), 18 deletions(-)

 [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814

fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>

0003 avoid crash when the Forwarded header is not present.patch

src/util.c   | 4 (+3, -1)
test/test.c  | 4 (+4, -0)
2 files changed, 7 insertions(+), 1 deletion(-)

 avoid crash when the Forwarded header is not present

but OIDCXForwardedHeaders is configured for it; see #1171; thanks
@daviddpd

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>

0004 Fix CVE 2025 31492 protected content leakage when us.patch

src/mod_auth_openidc.c | 6  (+5, -1)
src/mod_auth_openidc.h | 3  (+2, -1)
src/proto.c            | 14 (+9, -5)
3 files changed, 16 insertions(+), 7 deletions(-)

 fix CVE-2025-31492 "protected content leakage when using
 OIDCProviderAuthRequestMethod POST"

Backported applicable portions from upstream fix in
https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127

0005 Fix CVE 2025 3891.patch

src/authz.c            | 17  (+9, -8)
src/cache/file.c       | 2   (+1, -1)
src/cache/shm.c        | 4   (+2, -2)
src/config.c           | 58  (+29, -29)
src/jose.c             | 98  (+49, -49)
src/jose.h             | 3   (+3, -0)
src/metadata.c         | 4   (+2, -2)
src/mod_auth_openidc.c | 84  (+42, -42)
src/oauth.c            | 6   (+3, -3)
src/parse.c            | 116 (+58, -58)
src/proto.c            | 56  (+28, -28)
src/session.c          | 4   (+2, -2)
src/util.c             | 38  (+19, -19)
test/test-cmd.c        | 18  (+9, -9)
test/test.c            | 4   (+2, -2)
15 files changed, 258 insertions(+), 254 deletions(-)

 fix CVE-2025-3891

DoS when sending empty Content-Type header with OIDCPreservePost On
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86

Patch from https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e

replace apr_strnatcmp/strcmp with _oidc_strcmp

and replace strncmp with _oidc_strncmp

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>