Hello all,
I want to support this request heavily!
Another patch variant had been posted in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860064
But it seems there is an upstream fix available, too.
Regards,
--
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Dear Markus,
could it be the case that the upload of jetty9:amd64=9.4.57-0+deb11u1 has been
built on Bookworm instead of Bullseye?
$ apt install jetty9
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may m
4.9.4-0+deb11u5) bullseye-security; urgency=high
+
+ * Fix CVE-2025-31492
+"protected content leakage when using OIDCProviderAuthRequestMethod POST"
+Backported applicable portions from upstream fix in
+https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe4
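Review bot: The CVE-2025-31492 entry says only that "applicable portions" of the upstream fix were backported, without saying which parts were left out or why. For a security upload, state that in the changelog entry or in the patch header, so a later reviewer can check the backport against the upstream commit and confirm the OIDCProviderAuthRequestMethod POST case is fully covered in this version.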
Hey Sylvain,
On Wed, 2025-04-16 at 12:40 +0200, Sylvain Beucler wrote:
> The patch looks good :)
Thanks!
> The LTS upload workflow is detailed at:
> https://lts-team.pages.debian.net/wiki/Development.html
>
> As a DD you can do everything by yourself, but if you want I can take
> care of the a
g 2025-04-16 11:13:22.0 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2025-05-07 14:36:24.0 +0200
@@ -1,3 +1,9 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u6) bullseye-security; urgency=high
+
+ * Add upstream patch to fix CVE-2025-3891
+
+ -- Moritz Schlarb We
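Review bot: The deb11u6 entry "Add upstream patch to fix CVE-2025-3891" names neither the patch file added under debian/patches nor the upstream commit it was taken from, and gives no description of the issue. Add the upstream commit reference and a one-line summary of the flaw to the entry so the fix can be traced and audited from the changelog alone.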