Your message dated Tue, 07 Sep 2021 08:37:43 +0000
with message-id <[email protected]>
and subject line Bug#993648: fixed in libapache2-mod-auth-openidc 2.4.9.4-1
has caused the Debian Bug report #993648,
regarding libapache2-mod-auth-openidc: CVE-2021-39191
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993648
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.9-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/zmartzone/mod_auth_openidc/issues/672
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libapache2-mod-auth-openidc.
CVE-2021-39191[0]:
| mod_auth_openidc is an authentication/authorization module for the
| Apache 2.x HTTP server that functions as an OpenID Connect Relying
| Party, authenticating users against an OpenID Connect Provider. In
| versions prior to 2.4.9.4, the 3rd-party init SSO functionality of
| mod_auth_openidc was reported to be vulnerable to an open redirect
| attack by supplying a crafted URL in the `target_link_uri` parameter.
| A patch in version 2.4.9.4 made it so that the
| `OIDCRedirectURLsAllowed` setting must be applied to the
| `target_link_uri` parameter. There are no known workarounds aside from
| upgrading to a patched version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-39191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39191
[1] https://github.com/zmartzone/mod_auth_openidc/issues/672
[2] https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
[3] https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
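The CVE text above describes the flaw (any caller-supplied `target_link_uri` became the post-login redirect) and the fix (the `OIDCRedirectURLsAllowed` allowlist now also gates `target_link_uri`). The following is an added illustration, not code from mod_auth_openidc or from the bug reporter: a minimal model of the vulnerable and the hardened handler, run over constructed probe values. The allowlist patterns, the host names, the `RedirectRejected` type and the assumption that allowlist entries are regular expressions matched against the whole URL are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist in the spirit of OIDCRedirectURLsAllowed: a list of
# regular expressions. The hosts, the patterns and the whole-string matching
# semantics are assumptions for this example, not taken from the module.
REDIRECT_URLS_ALLOWED = [
    r"https://rp\.example\.com(/.*)?",   # the RP itself, any path
    r"/[^/\\].*",                        # a relative path on the RP
]


class RedirectRejected(ValueError):
    """Hypothetical stand-in for the HTTP error the RP would return."""


def vulnerable_third_party_init(target_link_uri: str) -> str:
    """Behaviour the CVE text describes for versions before 2.4.9.4: the
    caller-supplied target_link_uri becomes the post-login redirect unchecked,
    so any host can be named as the destination (open redirect)."""
    return target_link_uri


def hardened_third_party_init(target_link_uri: str,
                              allowed=tuple(REDIRECT_URLS_ALLOWED)) -> str:
    """Post-fix behaviour: target_link_uri must match one allowlist entry.
    re.fullmatch anchors the pattern at both ends, so a pattern for
    rp.example.com is not satisfied by rp.example.com.evil.net or by the
    userinfo trick rp.example.com@evil.net."""
    for pattern in allowed:
        if re.fullmatch(pattern, target_link_uri):
            return target_link_uri
    raise RedirectRejected(f"target_link_uri not in allowlist: {target_link_uri!r}")


def host_of(url: str) -> str:
    """Host a browser would actually land on, used only to show the gap
    between what the vulnerable handler accepts and what the hardened one
    allows. A leading '/\\' is treated like '//' because browsers do that."""
    if url.startswith("/\\"):
        url = "//" + url[2:]
    return urlsplit(url).hostname or "rp.example.com"


# Constructed probe values of the kind an attacker would try in target_link_uri.
PROBES = {
    "legit":           "https://rp.example.com/app/dashboard",
    "relative":        "/app/dashboard",
    "plain_evil":      "https://evil.net/phish",
    "suffix_host":     "https://rp.example.com.evil.net/",
    "userinfo":        "https://rp.example.com@evil.net/",
    "scheme_relative": "//evil.net/",
    "backslash":       "/\\evil.net/",
}


def evaluate(probes=PROBES) -> dict:
    """Per probe: (host the vulnerable handler sends the user to,
    whether the hardened handler accepts the value)."""
    results = {}
    for name, uri in probes.items():
        landed = host_of(vulnerable_third_party_init(uri))
        try:
            hardened_third_party_init(uri)
            accepted = True
        except RedirectRejected:
            accepted = False
        results[name] = (landed, accepted)
    return results


if __name__ == "__main__":
    for name, (landed, accepted) in evaluate().items():
        verdict = "allow" if accepted else "reject"
        print(f"{name:16} vulnerable -> {landed:26} hardened -> {verdict}")
```

Two practitioner notes. First, the relative-path pattern deliberately excludes a second `/` or a `\` as the second character: `//evil.net/` is a scheme-relative URL and browsers treat `/\evil.net/` the same way, so a looser "starts with a slash" rule would still be an open redirect. Second, whether the real `OIDCRedirectURLsAllowed` directive anchors its regular expressions is not stated on this page; check the module documentation for the installed version and, if in doubt, write patterns with explicit `^` and `$`. None of this replaces the upgrade: the advisory states there is no workaround other than moving to 2.4.9.4 or later.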
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.9.4-1
Done: Moritz Schlarb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated
libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Sep 2021 09:37:15 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 868949 883616 891224 993648
Changes:
libapache2-mod-auth-openidc (2.4.9.4-1) unstable; urgency=medium
.
* New upstream version 2.4.9.4
* Fix "CVE-2021-39191" (Closes: #993648)
* 2.4.9.2 fixed a regression regarding segfault at reload/restart
(Closes: #883616, #891224, #868949)
Checksums-Sha1:
6e0593f90c1dbf43efda8586732980feecfc953e 2528 libapache2-mod-auth-openidc_2.4.9.4-1.dsc
47f8b949552c3d32f019c5cf785c4672dc0f8aae 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
64d79ff511f145f1131fc8e52b9883837773c690 5848 libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
b6f2b10fdde35bf0e62c1bc4edb326f73bc2800c 7946 libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
Checksums-Sha256:
757c704a9229eff21b0a3665ea7fabfe6fd7b56501c879552a6d3c67c73b8792 2528 libapache2-mod-auth-openidc_2.4.9.4-1.dsc
142ee7abd49a4c6e2a7233c9124143709e733e8e51896c4a4f4172b0ffbc4741 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
f0e8c3677b08282fffd71e401ae6f622c596676d60515d7c240fd80b5209b2e1 5848 libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
2d2c83226d56c80d62009f6a2a656ac3cea08c702846f0f325638eb0f2473db9 7946 libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
Files:
7fc4a2d6a82b628e718fdc1042cc270f 2528 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1.dsc
21959e96f73545012afec7201f5f46fd 261544 httpd optional libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
8377c6fdb6f7a7cedbea6b0ddeeec969 5848 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
b4ddeb1f703c0289c8cbde81ddb32e02 7946 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---