On Wed, Oct 16, 2019 at 11:19:36AM +0200, Moritz Schlarb wrote:
> Hi everyone,
>
> I have prepared a backport of the patches for the version packaged in
> Buster:
> https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375
>
> If you deem it necessary and sufficient, please release it as a security
> update; otherwise I'll try to get it in via proposed-updates.
>
> Regards,
> Moritz (another one)
Hi fellow Moritz,

the target of the open redirect is under control of the IDP that the user
logged into, while a malicious IDP could do much more harm to a user (like
arbitrarily rejecting/terminating sessions etc.). So I think we can certainly
fix this via a point release, but I don't think this warrants a DSA.

But maybe I'm missing something, so please let me know if you disagree!

Cheers,
Moritz
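For readers unfamiliar with the vulnerability class under discussion, here is an added illustration of the kind of check that closes an open redirect: a redirect target supplied by a remote party (here, a hypothetical IdP-controlled parameter) is only followed if it is a local path or points at an allowlisted host. This is example code written for this page, not the backported Debian patch or code from mod_auth_openidc; the function name, the `allowed_hosts` parameter and the sample URLs are assumptions constructed for the demonstration.

```python
from typing import Iterable
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_hosts: Iterable[str]) -> bool:
    """Decide whether a redirect target may be followed.

    Accepts only (a) a same-site path starting with a single "/" or
    (b) an absolute http(s) URL whose host is in ``allowed_hosts``.
    Everything else (other schemes, scheme-relative "//host" forms,
    userinfo tricks, backslash variants) is rejected.
    Hypothetical helper written for this illustration.
    """
    if not target:
        return False
    allowed = {h.lower() for h in allowed_hosts}

    # Browsers treat "\" like "/" in URLs, so "/\evil.example" would become
    # a scheme-relative redirect to evil.example. Normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require a single leading slash. A "//host" form
        # never reaches here because urlsplit puts "host" into netloc.
        return candidate.startswith("/") and not candidate.startswith("//")

    # Scheme-relative ("//evil.example/") and non-web schemes
    # ("javascript:", "data:") are rejected here.
    if parts.scheme.lower() not in ("http", "https"):
        return False

    # hostname strips userinfo and port, so "https://good@evil.example/"
    # yields "evil.example" and fails the allowlist.
    host = (parts.hostname or "").lower()
    return host in allowed


def safe_redirect_or_default(target: str, allowed_hosts: Iterable[str],
                             default: str = "/") -> str:
    """Return `target` if it passes the check, otherwise a fixed default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed sample inputs, as a remote IdP might supply them.
    allowed = {"app.example", "sso.example"}
    for url in [
        "/dashboard",
        "https://app.example/after-logout",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "https://app.example@evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{url!r:45} -> {safe_redirect_or_default(url, allowed)}")
```

The check deliberately ignores the port, so `https://app.example:8443/` is accepted once `app.example` is allowlisted; tighten it to compare `parts.netloc` instead if ports matter in your deployment.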