On Wed, May 07, 2025 at 07:36:34AM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Fri, May 02, 2025 at 02:31:06PM +0200, Salvatore Bonaccorso wrote:
> > Hi Moritz,
> >
> > On Fri, May 02, 2025 at 02:13:01PM +0200, Moritz Schlarb wrote:
> > > Hi carnil,
> > >
> > > On Thu, 2025-05-01 at 09:18 +0200, Salvatore Bonaccorso wrote:
> > > > The only reference so far we have is the RedHat bugzilla entry at [1],
> > > > do you know more, is it reported upstream and have other references to
> > > > follow?
> > >
> > > Upstream had not even been informed about this vulnerability, nor
> > > registered the CVE.
> > > Also, we both tried to reproduce the bug in question but could not
> > > trigger a crash of the Apache httpd process...
> >
> > Okay that's bad. Let's ask in the RedHat bugzilla then if they can
> > share more information. Do you have a RH bugzilla account to subscribe
> > to the bug as well? Otherwise I will try to relay new information.
>
> So RedHat has provided more information and we know it's fixed by
> https://github.com/OpenIDC/mod_auth_openidc/commit/29ea79dea97cdab1b0d150af2c9a50a442e7216e
> and as you are already aware as well upstream has created
> https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86
Let's also fix that one via a DSA. Moritz, could you please prepare an update
for bookworm-security?
Cheers,
Moritz