Control: tags -1 + confirmed

Dear Philipp,

sounds very reasonable - I will backport the patch and have it included in the next Debian stable point release.

Regards,
Moritz

On 16.07.24 11:10, Philipp Gortan wrote:
Package: libapache2-mod-auth-openidc
Version: 2.4.12.3-2+deb12u1
Severity: normal
Tags: upstream

Dear Maintainer,

when a request is processed by libapache2-mod-auth-openidc where the set *forwarded* headers are not as configured in OIDCXForwardedHeaders, a warning is printed, like:

oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request

Such a situation cannot be avoided in all environments - e.g. because requests are forwarded by different proxies, or only part of the requests are forwarded while some are from localhost - so this situation cannot be circumvented IMHO.

A bug in the implementation results in a segfault in the version currently shipped in bookworm.

oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request
AH00051: child pid 19 exit signal Segmentation fault (11), possible coredump in /etc/apache2

As confirmed by upstream, this issue has been fixed in version 2.4.15.3, and a patch is available here:
https://github.com/OpenIDC/mod_auth_openidc/commit/c2f200fb246f546e07c91f04e82345793af0c7c0

Would it be possible to apply this patch to bookworm?

Upstream discussion:
https://github.com/OpenIDC/mod_auth_openidc/discussions/1233

Thanks a lot.
Greetings, Philipp

-- System Information:
Debian Release: 12.6
Architecture: amd64 (x86_64)

Kernel: Linux 6.9.7-arch1-1 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libapache2-mod-auth-openidc depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.59-1~deb12u1
ii  libapr1                             1.7.2-3
ii  libaprutil1                         1.6.3-1
ii  libc6                               2.36-9+deb12u7
ii  libcjose0                           0.6.2.1-1+deb12u1
ii  libcurl4                            7.88.1-10+deb12u6
ii  libhiredis0.14                      0.14.1-3
ii  libjansson4                         2.14-2
ii  libpcre2-8-0                        10.42-1
ii  libssl3                             3.0.13-1~deb12u1

libapache2-mod-auth-openidc recommends no packages.

libapache2-mod-auth-openidc suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/auth_openidc.conf changed [not included]

-- no debconf information

Report will be sent to Debian Bug Tracking System <sub...@bugs.debian.org>
--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz

OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF