Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Dear Adam,

On 05.08.22 21:33, Adam D. Barratt wrote:
> Ping? We're in the process of organising the final point release for
> buster, as support for it transitions over to the LTS team, so if you
> would still like to fix it via pu then the upload needs to happen soon.

Thanks for the additional reminder, and I am so so sorry for simply
forgetting about this until now... Especially given that everything had
been ready since I opened this buster-pu bug...

I have just now uploaded the package for the buster distribution.

Best wishes,
-- 
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
On Fri, 2021-03-26 at 09:22 +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Fri, Jul 31, 2020 at 10:25:13AM +0200, Salvatore Bonaccorso wrote:
> > Hi Moritz,
> >
> > On Tue, Jan 28, 2020 at 10:43:25PM +0000, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > > > Fixes CVE-2019-14857 (Open redirect in logout url when using
> > > > URLs with backslashes) by improving validation of the post-logout
> > > > URL parameter (backported from upstream, see
> > > > https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> > >
> > > Please go ahead; sorry for the delay.
> >
> > Friendly ping on the acknowledgement from Adam. Moritz, did you
> > receive it? Can you upload for the 10.6 point release?
>
> Friendly ping for the inclusion in the 10.10 point release. Did you
> get the above conversation?

Ping? We're in the process of organising the final point release for
buster, as support for it transitions over to the LTS team, so if you
would still like to fix it via pu then the upload needs to happen soon.

Regards,

Adam
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Hi Moritz,

On Fri, Jul 31, 2020 at 10:25:13AM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Tue, Jan 28, 2020 at 10:43:25PM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > > Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> > > with backslashes) by improving validation of the post-logout URL
> > > parameter (backported from upstream, see
> > > https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
> >
> > Please go ahead; sorry for the delay.
>
> Friendly ping on the acknowledgement from Adam. Moritz, did you
> receive it? Can you upload for the 10.6 point release?

Friendly ping for the inclusion in the 10.10 point release. Did you
get the above conversation?

Regards,
Salvatore
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Hi Moritz,

On Tue, Jan 28, 2020 at 10:43:25PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> > Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> > with backslashes) by improving validation of the post-logout URL
> > parameter (backported from upstream, see
> > https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
>
> Please go ahead; sorry for the delay.

Friendly ping on the acknowledgement from Adam. Moritz, did you
receive it? Can you upload for the 10.6 point release?

Regards,
Salvatore
Processed: Re: Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Processing control commands:

> tags -1 + confirmed
Bug #945578 [release.debian.org] buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Added tag(s) confirmed.

-- 
945578: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945578
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Control: tags -1 + confirmed

On Wed, 2019-11-27 at 11:18 +0100, Moritz Schlarb wrote:
> Fixes CVE-2019-14857 (Open redirect in logout url when using URLs
> with backslashes) by improving validation of the post-logout URL
> parameter (backported from upstream, see
> https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)

Please go ahead; sorry for the delay.

Regards,

Adam
Bug#945578: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with
backslashes) by improving validation of the post-logout URL parameter
(backported from upstream, see
https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog --- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-01-29 21:40:30.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-11-27 11:09:17.0 +0100 @@ -1,3 +1,10 @@ +libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium + + * Add patch for CVE-2019-14857 +(Closes: #942165) + + -- Moritz Schlarb Wed, 27 Nov 2019 11:09:17 +0100 + libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium * New upstream version 2.3.10.2 diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf --- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-01-29 21:40:30.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf2019-11-27 11:08:14.0 +0100 
@@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = buster diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch --- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 1970-01-01 01:00:00.0 +0100 +++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 2019-11-27 11:08:14.0 +0100 
@@ -0,0 +1,137 @@ +From: Moritz Schlarb +Date: Wed, 16 Oct 2019 10:53:49 +0200 +Subject: improve validation of the post-logout URL parameter on logout + +From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3 + +Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857 +--- + src/mod_auth_openidc.c | 101 ++--- + 1 file changed, 63 insertions(+), 38 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 5b971d5..916d60d 100644 +--- a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +@@ -2938,6 +2938,61 @@ out: + return rc; + } + ++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, ++ char **err_str, char **err_desc) { ++ apr_uri_t uri; ++ const char *c_host = NULL; ++ ++ if (apr_uri_parse(r->pool, url, ) != APR_SUCCESS) { ++ *err_str = apr_pstrdup(r->pool, "Malformed URL"); ++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } ++ ++ c_host = oidc_get_current_url_host(r); ++ if ((uri.hostname != NULL) ++ && ((strstr(c_host, uri.hostname) == NULL) ++ || (strstr(uri.hostname, c_host) == NULL))) { ++ *err_str = apr_pstrdup(r->pool, "Invalid Request"); ++ *err_desc = ++ apr_psprintf(r->pool, ++ "logout value \"%s\" does not match the hostname of the current request \"%s\"", ++ apr_uri_unparse(r->pool, , 0), c_host); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) { ++ *err_str = apr_pstrdup(r->pool, "Malformed URL"); ++ *err_desc = ++ apr_psprintf(r->pool, ++ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s", ++ url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) { ++*err_str = apr_pstrdup(r->pool, "Malformed URL"); ++*err_desc = ++apr_psprintf(r->pool, ++
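Review bot: the changelog hunk (`@@ -1,3 +1,10 @@` in debian/changelog) only says `* Add patch for CVE-2019-14857`, which tells a stable user nothing about what changed; point-release announcements are assembled from these entries, so describe the user-visible fix, e.g. `* Fix open redirect via the post-logout URL parameter when it contains backslashes (CVE-2019-14857) (Closes: #942165)`.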
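Review bot: in the `oidc_validate_post_logout_url` hunk the hostname test `(strstr(c_host, uri.hostname) == NULL) || (strstr(uri.hostname, c_host) == NULL)` is an equality check written as two substring searches (each string must contain the other, which only holds when they are identical), and it is case-sensitive although hostnames are not; a direct case-insensitive compare such as `apr_strnatcasecmp(c_host, uri.hostname) != 0` states the intent and does not depend on how `oidc_get_current_url_host` cases its result. Two further points on the same function: the branches visible here reject a hostname-less value that does not start with `/` and one that starts with `//`, but the bug is about backslashes (`/\evil.example`, which browsers rewrite to `//evil.example`); the hunk is cut off right after the `//` branch, so please confirm that the rest of the patch also refuses a `/\` prefix. And as reproduced here `apr_uri_parse(r->pool, url, )` and `apr_uri_unparse(r->pool, , 0)` are missing their `&uri` argument, presumably lost in transit since the code would not compile as shown.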
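The check this report describes, validating the post-logout URL so that a hostname-less value with a `//` or backslash prefix cannot send the browser off-host, is shown below as an added example in plain C. It is not code from mod_auth_openidc or from this Debian package: it uses no APR, the host names and sample inputs are constructed, and the http/https scheme allow-list and userinfo (`@`) handling are my own additions rather than anything the patch above does.

```c
/* Added example, not code from mod_auth_openidc or the Debian package:
 * a post-logout URL validator in plain C (no APR) rejecting the
 * open-redirect shapes behind CVE-2019-14857.  Host names and inputs are
 * constructed; the http/https allow-list goes beyond the patch. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    LOGOUT_URL_OK,            /* same-host absolute URL or a plain relative path */
    LOGOUT_URL_MALFORMED,     /* unparsable, unsupported scheme, or not a path */
    LOGOUT_URL_FOREIGN_HOST   /* would send the browser to another host */
} logout_url_verdict;

/* Case-insensitive equality: "SSO.Example.org" matches "sso.example.org". */
static bool host_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* The scheme is the text before "://"; only http and https may be a target. */
static bool scheme_is_http(const char *url, const char *sep)
{
    size_t n = (size_t)(sep - url);
    char scheme[8];
    if (n == 0 || n >= sizeof scheme)
        return false;
    for (size_t i = 0; i < n; i++)
        scheme[i] = (char)tolower((unsigned char)url[i]);
    scheme[n] = '\0';
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

/* Copy the host out of "[userinfo@]host[:port]/..." (the text after "://").
 * A backslash ends the authority exactly like '/', because browsers treat
 * the two alike; the last '@' separates userinfo from the real host.
 * Returns false for an empty or over-long host.  Bracketed IPv6 literals
 * are not handled and would be rejected by the caller's host compare. */
static bool url_host(const char *authority, char *host, size_t cap)
{
    size_t auth_len = strcspn(authority, "/\\?#");
    const char *h = authority;
    size_t h_len = auth_len;
    for (size_t i = 0; i < auth_len; i++)
        if (authority[i] == '@') {
            h = authority + i + 1;
            h_len = auth_len - i - 1;
        }
    for (size_t i = 0; i < h_len; i++)
        if (h[i] == ':') { h_len = i; break; }      /* drop :port */
    if (h_len == 0 || h_len >= cap)
        return false;
    memcpy(host, h, h_len);
    host[h_len] = '\0';
    return true;
}

/* current_host: the host the request arrived at, without a port (assumed). */
logout_url_verdict validate_post_logout_url(const char *url, const char *current_host)
{
    char host[256];
    const char *sep;

    if (url == NULL || url[0] == '\0')
        return LOGOUT_URL_MALFORMED;

    sep = strstr(url, "://");
    if (sep != NULL) {                              /* absolute URL */
        if (!scheme_is_http(url, sep) || !url_host(sep + 3, host, sizeof host))
            return LOGOUT_URL_MALFORMED;
        return host_equal(host, current_host) ? LOGOUT_URL_OK : LOGOUT_URL_FOREIGN_HOST;
    }

    /* No authority: only a path starting with a single '/' stays on this
     * host.  "//evil" is scheme-relative, and "/\evil" becomes the same
     * thing once the browser rewrites '\' to '/' (the CVE-2019-14857 case).
     * Anything else ("evil.example", "\\evil", "http:\\evil") is refused. */
    if (url[0] != '/')
        return LOGOUT_URL_MALFORMED;
    if (url[1] == '/' || url[1] == '\\')
        return LOGOUT_URL_FOREIGN_HOST;
    return LOGOUT_URL_OK;
}

int main(void)
{
    static const char *samples[] = {               /* constructed inputs */
        "/account/loggedout", "https://sso.example.org/bye",
        "//evil.example/phish", "/\\evil.example/phish",
        "https://sso.example.org@evil.example/", "\\\\evil.example",
    };
    static const char *names[] = { "ok", "malformed", "foreign-host" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               names[validate_post_logout_url(samples[i], "sso.example.org")]);
    return 0;
}
```

The two hostname-less branches are the ones that matter for this bug: a parser that merely asks "is there a host?" sees `/\evil.example` as a relative path, while the browser receiving the `Location` header normalises the backslash and navigates to `evil.example`. Everything the validator accepts is therefore either a path with a single leading slash or an http(s) URL whose parsed host equals the current one after userinfo and port are stripped.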