Your message dated Mon, 22 Apr 2024 20:34:57 +0000
with message-id <[email protected]>
and subject line Bug#1064183: fixed in libapache2-mod-auth-openidc 
2.4.9.4-0+deb11u4
has caused the Debian Bug report #1064183,
regarding libapache2-mod-auth-openidc: CVE-2024-24814
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1064183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| 99999999, the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
    https://www.cve.org/CVERecord?id=CVE-2024-24814
[1] 
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2] 
https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.9.4-0+deb11u4
Done: Moritz Schlarb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated 
libapache2-mod-auth-openidc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS)
     attack. If an attacker manipulated the value of the OpenIDC cookie to a
     very large integer like 99999999, the server struggled with the request for
     a long time and finally returned a 500 error. Making a few requests of this
     kind caused servers to become unresponsive, and so attackers could thereby
     craft requests that would make the server work very hard and/or crash with
     minimal effort. (Closes: #1064183)
Checksums-Sha1:
 59075b190efed8b5b0acc91beb6719f72950f871 2560 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 c2547eb068c4cf808254e22084bf38863ed65927 8180 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 5b57962345ba44d775627aa58e67c23270996c32 8775 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo
Checksums-Sha256:
 fdfdf2d1e8f29d9aeecc447f752f9d6c8fd197a17f41e9928bb0c9520cbc6095 2560 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 e180e64cb72b19bbb55a9b17ee6c9b6157b6ee79b0e38fee4f3af08be0de9656 8180 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 7163bc3c51b761633c1dee6881d715342daad6817f4afad1c9d7093765ada122 8775 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo
Files:
 db3f551e27cc7eb67b79ae17934e027b 2560 httpd optional 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 e6225a8e4af69e90ca7ed50d884358a6 8180 httpd optional 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 645b146646668d77485825efad8fcb2a 8775 httpd optional 
libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCgA0FiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmYhEhAWHHNjaGxhcmJt
QHVuaS1tYWluei5kZQAKCRAMJLhBx926r+JaEACGpXKn4dQQBUzRzfHpy7I+h6d+
KhrZkahzHob6pesxyOhW6d+mbBYyaqzk7HTprOo1Xtu0mr5AvPnyJPkQQdoG6nmb
COTbSyuIOKtykC28eTjm9nqcECm4NCNhCKeNocS0HXJr8juQvbmR6tb0u1sQt/WY
nmrK1RPJFb7VaJw5lwVcCOUgFLD6SCfglVOxORFkmiU6btxM/soJvATYzDW4hPY8
z2awnGK4oQrREYB61OhbxvzS6aEfpPNWVcrGxlHsDXbKjcjq/DsnEcxN/1TVnjYR
ehVKJjKhRL/sqsn5xoWPr3Yd2i4KsW7yXEmW6St3RvW5fhoL4ufAfWFFCYB3TX8r
AlQZSaoW+kxuAVTlNp3X4syIibzOsRRq/TVRIFNkwFjCDMmKARARSmbg//NoVQqD
2/PYRjFr4WtDFqfnezGGtQHwocoRGDxlyD+FDTjmZq676E5vexpq1s6Dy5Pz6BJE
00Onbmqn8dN23ojD+SdKYwR2CQbLIkpnXx0voa5Hd7EeqqPdeKm1jmuEQjlSJM0T
JQ8z4TBJvffeUCC7XxvHo/w3a5fVOipIcpg9VpQd+Bh2Of06Jk2W8Cr4yi1AW5Kx
T1Pi0+a/q50JSeobrSpHgTRnW9ikhb0clFpAe445wEV70529ncFUmfG0CNS6PmaE
3ujZ3jN+aB2PDK6dxA==
=buzI
-----END PGP SIGNATURE-----

Attachment: pgpNSvCTxoKA5.pgp
Description: PGP signature


--- End Message ---

Reply via email to