-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 05, 2024                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u4
CVE ID         : CVE-2024-24814
Debian Bug     : 1064183

It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.

Missing input validation on the mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.

For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please
refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmXnW3MACgkQHpU+J9Qx
HlhwGw/+NHgag1pRt184HwyEomFSYn/Gx0cLFxs9W5pAQ+KZXze4/YYe5WxqBzAy
P6XC843DtG8GBtfDjNQah5eOEaWpXNmWhQyLGgN6KzrVCxq1JOx2XAbcVUp9ZVTw
Ibh+G//9L2YePuto0ogIEgBlhNfmbr1R58lFzEuDjZxT7LfrSPFLhXtaGA3rrv6v
eJW4AM+iUI8iReg/CUqYt67c43BDhBINOhgNQrAsY4CB8miMCMxTIfzoAugR+JFA
JEonKjaPskVhX6HWBhH9qmogsXhDLsY3HFAsnFy6JsbcD1FYgc9lLbw9MzOnSPa3
4Gvmbh+w5M3bGIX3lPoNyUHXf1f5FhcLspqGbnXxgXWrxLKSkf5MYDH871+gLVm1
hoJ9DZe2OzmL4g4xfiTQf0WUg3ZEL6ta9s4s5dgDTwB6S8iBDSUzcgF1bk8Lumvf
zd2P3F7nPoLd69MBZeB1PCvQ8te4k4m4RkWluAAzY0jPU+lWe99UUifSgyZj80xE
sb7ozzEBpOWaqXTu5DfkDflBZgCOF+y6gPRijvv4jOq8V4SCva7J0J3vKoc9Ooo4
HnwCJxFdVt3X2LznxvUHwYPcwMX3zgA/jazYamVRgmEQjGEMeyQvWPJ53O2nJUlf
C6/yAsmQkGl20RZusKGWx2qAMHES5GgN1SoZtRuZh2PuDlYlYcs=
=XLup
-----END PGP SIGNATURE-----
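The advisory above describes a missing bounds check on an integer taken from a client-controlled cookie. The following C example, added here as an illustration and not taken from mod_auth_openidc or from the Debian fix, contrasts an unvalidated conversion with a strict parser that rejects anything but a small, positive, all-digit chunk count. The cap MAX_SESSION_CHUNKS, the function names and the sample cookie values are assumptions chosen for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many session-cookie chunks a server is willing
 * to reassemble. Illustrative value; not a constant from mod_auth_openidc. */
#define MAX_SESSION_CHUNKS 32

/* The unvalidated pattern the advisory warns about: the cookie value is
 * converted as-is, so a huge number drives an equally huge amount of work. */
long chunk_count_unvalidated(const char *value) {
    return atol(value);
}

/* Strict parser: returns the chunk count in 1..MAX_SESSION_CHUNKS, or -1 for
 * a missing, non-numeric, signed, too-long, zero or out-of-range value. */
int parse_session_chunks(const char *value) {
    if (value == NULL || *value == '\0')
        return -1;

    /* Reject anything that is not a plain decimal digit (no sign, no
     * whitespace, no trailing garbage), and cap the length before any
     * numeric conversion so an absurdly long string never reaches strtol. */
    size_t len = strlen(value);
    if (len > 3)
        return -1;
    for (const char *p = value; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;

    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;

    /* Enforce the application-level limit: zero chunks makes no sense, and
     * anything above the cap is treated as hostile rather than honoured. */
    if (n < 1 || n > MAX_SESSION_CHUNKS)
        return -1;

    return (int)n;
}

int main(void) {
    /* Constructed sample cookie values, including the advisory's 99999999. */
    const char *samples[] = { "3", "32", "33", "0", "99999999", "-1", "12abc", "" };
    size_t count = sizeof(samples) / sizeof(samples[0]);

    for (size_t i = 0; i < count; i++) {
        printf("value=\"%s\" unvalidated=%ld validated=%d\n",
               samples[i],
               chunk_count_unvalidated(samples[i]),
               parse_session_chunks(samples[i]));
    }
    return 0;
}
```

The key design point is that the limit is applied before any loop or allocation is sized from the value: a rejected cookie costs the server a handful of comparisons, whereas honouring the number first and failing later is exactly what lets a single request consume a long stretch of processing time.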