-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3409-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Adrian Bunk April 30, 2023 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : libapache2-mod-auth-openidc Version : 2.3.10.2-1+deb10u2 CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 CVE-2021-32792 CVE-2023-28625 Debian Bug : 991580 991581 991582 991583 1033916 Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache. CVE-2019-20479 Insufficient validatation of URLs beginning with a slash and backslash. CVE-2021-32785 Crash when using an unencrypted Redis cache. CVE-2021-32786 Open Redirect vulnerability in the logout functionality. CVE-2021-32791 AES GCM encryption in used static IV and AAD. CVE-2021-32792 XSS vulnerability when using OIDCPreservePost. CVE-2023-28625 NULL pointer dereference with OIDCStripCookies. For Debian 10 buster, these problems have been fixed in version 2.3.10.2-1+deb10u2. We recommend that you upgrade your libapache2-mod-auth-openidc packages. For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmRO2icACgkQiNJCh6LY mLGkPhAAg1hWzk52AhdbiwRuEj9zyyZKJd7ZQYDjbBMgOlgSXG28XtS8tTEp8oKP /hyWoyyczyqkdVwv3UAoOwOcuXa8Fr9bcCdF/KWZsONFtAXaf1+IOvQmyg+orf5P G4xG7EtMIXKb/JF0zNEov7dAr2TP1bAlE1lIdDbsNje+0lV7irXumnx8BVAoDJ0j 3Ea8ptrtDknTXNf8hEx7TNR5XoSi8soeaAZw0ckHVK7t9P+YLvd4HWBt1xwU4w5q SryyVRgYe0s68AA2aIQYj205Zx4f5auLwkR+GPvW0cpoqUAbiy27JqBW2AysB5qO GsFwUfUn9nVj6ViJxhEbW9KnrMRb2Xy2FqfGVqU9rMuEkTUjAbsUzTYWa2RccULJ q4QskZrhowYqw7JhhOOyAbM0pU6RW9y0PWte7uQzfbw0mtK9vPLtnpPIBI0tPjg+ veko0oRGwS3FU4oAa3jWS8VOJhlR//lB5RpgMRqhd/Dm68+81UQ8+2lBSLRbfuXg Le7CmV33DIuwixr6HCfSCrvSk4PpQm/GQDKgYo+LuVr+LNZ0J+NDdvbFfLRhV5NX TvliSq3nfnfxSjQ/s8DdF+8StSVW2nOjPwfPQ3TK1VtFUpwWFl+d93vcr/uoh9yb GJaFLbWVYjNu6EavWs/pqb+W7Qq5G7XTeE9Mdxq2KgE07ePuOwc= =Tb3N -----END PGP SIGNATURE-----