On Wed, Oct 16, 2019 at 11:19:36AM +0200, Moritz Schlarb wrote:
> Hi everyone,
> 
> I have prepared a backport of the patches for the version packaged in
> Buster:
> https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375
> 
> If you deem necessary and sufficient, please release as a security
> update or otherwise I'll try to get it in in proposed-updates.
> 
> Regards,
> Moritz (another one)

Hi fellow Moritz,
the target of the open redirect is under control of the IDP that the user
logged into, while a malicious IDP could do much more harm to a user
(like arbitrarily rejecting/terminating sessions etc). So I think we can
certainly fix this via a point release, but I don't think this warrants
a DSA.

But maybe I'm missing something, so please let me know if you disagree!

Cheers,
        Moritz