Dear Salvatore,

I've prepared, built, tested and uploaded fixed versions for bullseye (2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).
Would you like to issue a DSA for them or is it enough that they are included in the next stable point release?

Regards,
Moritz

On 18.02.24 07:57, Salvatore Bonaccorso wrote:
Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| 99999999, the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
    https://www.cve.org/CVERecord?id=CVE-2024-24814
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
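The advisory quoted in this thread comes down to one missing bound: the server reads a chunk count from a client-controlled cookie and then works through that many chunk cookies. The following C sketch is an added illustration of the validation a defender wants at that point; it is not code from mod_auth_openidc and does not reproduce the upstream fix in the linked commit. The cookie naming scheme (`<prefix>_chunks`, `<prefix>_0` ... `<prefix>_<n-1>`), the maximum of 32 chunks and both helper functions are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many session-cookie chunks a browser could
 * plausibly send. The real module's limit is not reproduced here. */
#define MAX_SESSION_CHUNKS 32

/* Parse the value of a "<prefix>_chunks" cookie into a chunk count.
 * Returns 1..MAX_SESSION_CHUNKS on success, or -1 when the value is missing,
 * non-numeric, zero or implausibly large, so the caller never loops over an
 * attacker-chosen number of chunk cookies (the DoS described in the CVE). */
int parse_session_chunks(const char *value) {
    if (value == NULL || *value == '\0') return -1;
    for (const char *p = value; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;   /* rejects "-1", "1e9", "" */
    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0') return -1;
    if (n < 1 || n > MAX_SESSION_CHUNKS) return -1;  /* e.g. 99999999 lands here */
    return (int)n;
}

/* Look up a cookie by exact name in a raw Cookie header ("a=1; b=2") and copy
 * its value into out. Returns 1 if found and it fits, 0 otherwise. */
static int find_cookie(const char *header, const char *name,
                       char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        const char *eq = strchr(p, '=');
        if (!eq) return 0;
        const char *semi = strchr(eq, ';');
        size_t vlen = semi ? (size_t)(semi - eq - 1) : strlen(eq + 1);
        if ((size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0) {
            if (vlen >= outlen) return 0;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = semi ? semi + 1 : NULL;
    }
    return 0;
}

/* Reassemble a chunked session cookie: read "<prefix>_chunks", validate the
 * count with parse_session_chunks(), then concatenate "<prefix>_0" .. "<prefix>_<n-1>"
 * into out. Returns the number of chunks joined, or -1 if the count is invalid
 * or any chunk is missing. The loop bound is therefore at most MAX_SESSION_CHUNKS. */
int reassemble_session(const char *cookie_header, const char *prefix,
                       char *out, size_t outlen) {
    char name[128], val[256];
    snprintf(name, sizeof name, "%s_chunks", prefix);
    if (!find_cookie(cookie_header, name, val, sizeof val)) return -1;
    int n = parse_session_chunks(val);
    if (n < 0) return -1;
    out[0] = '\0';
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "%s_%d", prefix, i);
        if (!find_cookie(cookie_header, name, val, sizeof val)) return -1;
        size_t vlen = strlen(val);
        if (used + vlen >= outlen) return -1;   /* bounded output as well */
        memcpy(out + used, val, vlen + 1);
        used += vlen;
    }
    return n;
}

int main(void) {
    /* Constructed sample headers: one benign, one with the oversized count. */
    char buf[64];
    int n = reassemble_session("foo=bar; sess_chunks=2; sess_0=AB; sess_1=CD",
                               "sess", buf, sizeof buf);
    printf("benign: chunks=%d session=%s\n", n, n > 0 ? buf : "(rejected)");
    n = reassemble_session("sess_chunks=99999999; sess_0=AB", "sess", buf, sizeof buf);
    printf("oversized count: chunks=%d\n", n);
    return 0;
}
```

The point of the example is where the bound sits: the count is checked before any per-chunk work, so a request carrying a huge `_chunks` value costs one short string parse and is rejected with a cheap error rather than driving a long loop.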