Your message dated Mon, 22 Apr 2024 17:02:10 +0000
with message-id <[email protected]>
and subject line Bug#1064183: fixed in libapache2-mod-auth-openidc 
2.4.12.3-2+deb12u1
has caused the Debian Bug report #1064183,
regarding libapache2-mod-auth-openidc: CVE-2024-24814
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1064183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| 99999999, the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
    https://www.cve.org/CVERecord?id=CVE-2024-24814
[1] 
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2] 
https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.12.3-2+deb12u1
Done: Moritz Schlarb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated 
libapache2-mod-auth-openidc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:20:00 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.12.3-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS)
     attack. If an attacker manipulated the value of the OpenIDC cookie to a
     very large integer like 99999999, the server struggled with the request for
     a long time and finally returned a 500 error. Making a few requests of this
     kind caused servers to become unresponsive, and so attackers could thereby
     craft requests that would make the server work very hard and/or crash with
     minimal effort. (Closes: #1064183)
Checksums-Sha1:
 48152d4f7c03317dc578ea4845a20c15cd315a75 2325 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc
 1c4e5d1781006ff9a29cfa350b15a776adf1cb1a 7764 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz
 f5624c86bc0ae6c1fe0bdf90dca4d35a6455dabc 8448 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 4f5904073b8562a7a3b982b01dd1c75c10f4b29e3d698abc9be4001fdd6e9e98 2325 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc
 2d12ef29195cc123400752e91eb61eb78d86762f22a312faff5ed7dd22db1064 7764 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz
 2b0a6a9811ef289acdccf6a254604cba5fec1894f6986d807a2f3e0c18e25c61 8448 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo
Files:
 fd5cc9b4e7a18f975d121d49b88d4a26 2325 httpd optional 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc
 9f0659dc1a46f0b45c6473723ed86e69 7764 httpd optional 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz
 176fdc1870d781962f19b40ab903356b 8448 httpd optional 
libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCgA0FiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmYhEu0WHHNjaGxhcmJt
QHVuaS1tYWluei5kZQAKCRAMJLhBx926r6j8D/9Gopp36dLgy9ck9IG9vW3gB/qm
30/gR+smGLaEzu6Hf4YHu1qRl4Dz4LMgx3hKlG2bNAxEfzjmt56H+uWNRiiO90rz
8dAJVGVADm4M6VH6CAXeVe44YwI5Jo/9wVkzUWBANDgIXvC4+0iO7KHwM8X5tbyq
cyJQrG99X1k2BSfbpZHje3bbg1bkFVu3uOOAqWpTaWGZweVjR2Ep7o+FdnDJvA5Q
WKs0zfO7hxyHDUZYyiFqxJa4GTTYT9MWk/0BTD0qyRO8WAA20eENvoG3vkv0plUb
HLhMM0847rYXEIxKLv58ao/Y1rGmDHbAeGqhUkvIuyemdT5yYO/bmDjQ+U9K6ZFA
2qO3vaz7qipDPRgzlouEXcjEwzjNavrQ9N7zLusraXVq4TZ3SQwr3St7th7TgLjz
vd9DS63XyMu/BHAbNbxZvNBJbfS3ZeVhgjxkswq0i26XQId//KmR63B4l+llvabR
4dV73MYrH1lOOcMnfHYqxhgsWWH4dvCBmZGBZmqAVhRRj4xVcHVTfqVkj96U/N6/
ryLZUmv1MbcChzLIxegKWl9mk1bblX/mC12dUmwMP0IsT/ncJ1sF26H+Iv3wGsbi
h8s6jjG7a/cAcFtU45ze7+uwTblo/7U35Ob+LgD46K9F4swYAV1u11gHm8N/EtbX
ByktFjekB59YNfL9ag==
=D0Nz
-----END PGP SIGNATURE-----

Attachment: pgpvObuAh4zF9.pgp
Description: PGP signature


--- End Message ---

Reply via email to