Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| 99999999, the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
    https://www.cve.org/CVERecord?id=CVE-2024-24814
[1] 
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2] 
https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to