Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2022-08-08 Thread Moritz Schlarb

Dear Adam,

On 05.08.22 21:33, Adam D. Barratt wrote:
> Ping? We're in the process of organising the final point release for
> buster, as support for it transitions over to the LTS team, so if you
> would still like to fix it via pu then the upload needs to happen soon.

Thanks for the additional reminder and I am so so sorry for simply 
forgetting about this until now...
Especially given that everything had been ready since I opened this 
buster-pu bug...


I have just now uploaded the package for the buster distribution.

Best wishes,
--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz

OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2022-08-05 Thread Adam D. Barratt
On Fri, 2021-03-26 at 09:22 +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
> 
> On Fri, Jul 31, 2020 at 10:25:13AM +0200, Salvatore Bonaccorso wrote:
> > Hi Moritz,
> > 
> > On Tue, Jan 28, 2020 at 10:43:25PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > > > Fixes CVE-2019-14857 (Open redirect in logout url when using
> > > > URLs
> > > > with backslashes) by improving validation of the post-logout
> > > > URL
> > > > parameter (backported from upstream, see 
> > > > https://salsa.debian.org/debian/libapache2-mod-
> > > > auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> > > > 
> > > 
> > > Please go ahead; sorry for the delay.
> > 
> > Friendly ping on the acknowledgement from Adam. Moritz, did you
> > receive it? Can you upload for the 10.6 point release?
> 
> Friendly ping for the inclusion in the 10.10 point release. Did you
> get the above conversation?

Ping? We're in the process of organising the final point release for
buster, as support for it transitions over to the LTS team, so if you
would still like to fix it via pu then the upload needs to happen soon.

Regards,

Adam



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2021-03-26 Thread Salvatore Bonaccorso
Hi Moritz,

On Fri, Jul 31, 2020 at 10:25:13AM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
> 
> On Tue, Jan 28, 2020 at 10:43:25PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > > Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> > > with backslashes) by improving validation of the post-logout URL
> > > parameter (backported from upstream, see 
> > > https://salsa.debian.org/debian/libapache2-mod-
> > > auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> > > 
> > 
> > Please go ahead; sorry for the delay.
> 
> Friendly ping on the acknowledgement from Adam. Moritz, did you
> receive it? Can you upload for the 10.6 point release?

Friendly ping for the inclusion in the 10.10 point release. Did you
get the above conversation?

Regards,
Salvatore



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2020-07-31 Thread Salvatore Bonaccorso
Hi Moritz,

On Tue, Jan 28, 2020 at 10:43:25PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> > with backslashes) by improving validation of the post-logout URL
> > parameter (backported from upstream, see 
> > https://salsa.debian.org/debian/libapache2-mod-
> > auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> > 
> 
> Please go ahead; sorry for the delay.

Friendly ping on the acknowledgement from Adam. Moritz, did you
receive it? Can you upload for the 10.6 point release?

Regards,
Salvatore



Processed: Re: Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2020-01-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #945578 [release.debian.org] buster-pu: package 
libapache2-mod-auth-openidc/2.3.10.2-1
Added tag(s) confirmed.

-- 
945578: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945578
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2020-01-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> with backslashes) by improving validation of the post-logout URL
> parameter (backported from upstream, see 
> https://salsa.debian.org/debian/libapache2-mod-
> auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1

2019-11-27 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with
backslashes) by improving validation of the post-logout URL parameter
(backported from upstream, see https://salsa.debian.org/debian/libapache2-mod-
auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 
libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog   2019-01-29 
21:40:30.0 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog   2019-11-27 
11:09:17.0 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
+
+  * Add patch for CVE-2019-14857
+(Closes: #942165)
+
+ -- Moritz Schlarb   Wed, 27 Nov 2019 11:09:17 +0100
+
 libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium
 
   * New upstream version 2.3.10.2
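Review bot: the changelog bullet `+  * Add patch for CVE-2019-14857` gives only the CVE number; a stable-update entry should say in a few words what the CVE is, e.g. `* Add patch for CVE-2019-14857: open redirect in the logout URL when using URLs with backslashes (Closes: #942165)`, so that readers of the buster changelog (and the point-release announcement that is generated from it) do not have to look the CVE up, and the bug reference stays on the same bullet as the fix it closes.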
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 
libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-01-29 
21:40:30.0 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-11-27 
11:08:14.0 +0100
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
--- 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 1970-01-01 01:00:00.0 +0100
+++ 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
 2019-11-27 11:08:14.0 +0100
@@ -0,0 +1,137 @@
+From: Moritz Schlarb 
+Date: Wed, 16 Oct 2019 10:53:49 +0200
+Subject: improve validation of the post-logout URL parameter on logout
+
+From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3
+
+Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857
+---
+ src/mod_auth_openidc.c | 101 ++---
+ 1 file changed, 63 insertions(+), 38 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 5b971d5..916d60d 100644
+--- a/src/mod_auth_openidc.c
 b/src/mod_auth_openidc.c
+@@ -2938,6 +2938,61 @@ out:
+   return rc;
+ }
+ 
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char 
*url,
++  char **err_str, char **err_desc) {
++  apr_uri_t uri;
++  const char *c_host = NULL;
++
++  if (apr_uri_parse(r->pool, url, ) != APR_SUCCESS) {
++  *err_str = apr_pstrdup(r->pool, "Malformed URL");
++  *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", 
url);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++  }
++
++  c_host = oidc_get_current_url_host(r);
++  if ((uri.hostname != NULL)
++  && ((strstr(c_host, uri.hostname) == NULL)
++  || (strstr(uri.hostname, c_host) == 
NULL))) {
++  *err_str = apr_pstrdup(r->pool, "Invalid Request");
++  *err_desc =
++  apr_psprintf(r->pool,
++  "logout value \"%s\" does not 
match the hostname of the current request \"%s\"",
++  apr_uri_unparse(r->pool, , 
0), c_host);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++  } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
++  *err_str = apr_pstrdup(r->pool, "Malformed URL");
++  *err_desc =
++  apr_psprintf(r->pool,
++  "No hostname was parsed and it 
does not seem to be relative, i.e starting with '/': %s",
++  url);
++  oidc_error(r, "%s: %s", *err_str, *err_desc);
++  return FALSE;
++} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++*err_str = apr_pstrdup(r->pool, "Malformed URL");
++*err_desc =
++apr_psprintf(r->pool,
++
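Review bot: in oidc_validate_post_logout_url, `c_host = oidc_get_current_url_host(r);` is handed straight to strstr with no NULL check, so a request for which that helper returns no host would dereference NULL inside the hostname comparison; treat a missing current host as a validation failure before calling strstr. The two-way test `(strstr(c_host, uri.hostname) == NULL) || (strstr(uri.hostname, c_host) == NULL)` can only pass when both strings are identical, i.e. it is an exact, case-sensitive host comparison written in a roundabout way; a plain strcasecmp states the intent directly and accepts the case differences that are legitimate in hostnames, and likewise `strstr(url, "/") != url` and `strstr(url, "//") == url` are "starts with" tests that read more clearly as `url[0] != '/'` and `strncmp(url, "//", 2) == 0`. The hunk shown here is cut off at the protocol-relative (`//`) branch; since the bug this update addresses is the backslash form of the post-logout URL, confirm that the remainder of the 137-line patch file also rejects a relative URL whose second character is a backslash, as the upstream change it is backported from does.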