Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a1eee9f7 by Sylvain Beucler at 2025-12-02T23:03:52+01:00
CVE-2025-31492/libapache2-mod-auth-openidc: introductory commit

Checked by setting up the PoC from:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
with precisions from:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-31492

Bisecting shows that version 6890b13c481f12debbd7c65a79e9dc5197deb794 introduces a 500 error, which is fixed by 5854e766a18b3d196e625222ef112f7a49ade1c7.

Cherry-picking that fix shows that 6890b13c481f12debbd7c65a79e9dc5197deb794 also introduces the CVE.

v2.3.11 -> !vuln
6890b13c481f12debbd7c65a79e9dc5197deb794^ -> !vuln
6890b13c481f12debbd7c65a79e9dc5197deb794 -> 500 | w/fix: vuln
1ff9abc91a160c92027974952aeb108d0f34e9f5 -> 500 | w/fix: vuln
a2b62793e17ab04c59ef4d956253339c77a350aa -> 500 | w/fix: vuln
5854e766a18b3d196e625222ef112f7a49ade1c7^ -> 500 | w/fix: vuln
5854e766a18b3d196e625222ef112f7a49ade1c7 -> vuln (500 fix)
3d95b4a3fbc493c6acc745626ac33143eb4968bf -> vuln
v2.4.0 -> vuln

Note: OpenSUSE has a patch for 2.3.8, which backports bits of new code in an old code base, but I can't reproduce the CVE on that version. I have to assume they were just being extra cautious, though with the risk of introducing functional regressions.

- - - - -

1 changed file:
- data/CVE/list

Changes:
===================================== data/CVE/list =====================================
@@ -77077,6 +77077,8 @@ CVE-2025-31492 (mod_auth_openidc is an OpenID Certified authentication and autho {DSA-5904-1 DLA-4129-1} - libapache2-mod-auth-openidc 2.4.16.11-1 (bug #1102413) NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r + NOTE: OIDCProviderAuthRequestMethod introduced by: https://github.com/OpenIDC/mod_auth_openidc/commit/d77ec0228901d25bcbc873950d964d5c1e00254a (2.3.1rc2) + NOTE: Introduced by: https://github.com/OpenIDC/mod_auth_openidc/commit/6890b13c481f12debbd7c65a79e9dc5197deb794 (2.4.0rc11) NOTE: Fixed by: https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127 (v2.4.16.11) CVE-2025-31488 (Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows use ...) NOT-FOR-US: Plain Craft Launcher (PCL)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1eee9f7451be5645a5ae3dc572adced82111ae9
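Review bot: The added "NOTE: Introduced by:" line for commit 6890b13c481f12debbd7c65a79e9dc5197deb794 (2.4.0rc11) leaves out the caveat from the commit message that builds from that commit up to 5854e766a18b3d196e625222ef112f7a49ade1c7^ answer with a 500 and only show the vulnerable behaviour once 5854e766a18b3d196e625222ef112f7a49ade1c7 is cherry-picked. Someone re-testing a version in that range against the PoC would see the 500 and could wrongly record it as not affected, so consider one more NOTE in this entry saying that the 500 error masks the issue in that range and naming the commit that fixes the 500. As a style point, the two new lines write the version as "(2.3.1rc2)" and "(2.4.0rc11)" while the existing "Fixed by" line uses "(v2.4.16.11)"; using one form throughout the entry would make it easier to grep.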
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
