Hi Moritz,

On Fri, May 02, 2025 at 02:31:06PM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Fri, May 02, 2025 at 02:13:01PM +0200, Moritz Schlarb wrote:
> > Hi carnil,
> >
> > On Thu, 2025-05-01 at 09:18 +0200, Salvatore Bonaccorso wrote:
> > > The only reference so far we have is the RedHat bugzilla entry at [1],
> > > do you know more, is it reported upstream and have other references to
> > > follow?
> >
> > Upstream had not even been informed about this vulnerability, nor registered
> > the CVE.
> > Also, we both tried to reproduce the bug in question but could not trigger a
> > crash of the Apache httpd process...
>
> Okay that's bad. Let's ask in the RedHat bugzilla then if they can
> share more information. Do you have a RH bugzilla account to subscribe
> to the bug as well? Otherwise I will try to relay new information.
So RedHat has provided more information, and we know it's fixed by
https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e
and, as you are already aware as well, upstream has created
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86

Regards,
Salvatore

