Hi, I am certain they will be affected. It looks like the bug has existed since upstream v2.3.1 (July 2017), which is when the feature was added.
Peter

________________________________
From: nore...@launchpad.net <nore...@launchpad.net> on behalf of Eduardo Barretto <2106...@bugs.launchpad.net>
Sent: 09 April 2025 12:59
To: Peter Benie <pjb1...@cam.ac.uk>
Subject: [Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data

Thanks Peter,

I will take a look at your debdiff and also check if the other releases are affected by it too.
I'm hoping we will have this released by next week.

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/2106320

Title:
  OIDCProviderAuthRequestMethod POST leaks protected data

Status in libapache2-mod-auth-openidc package in Ubuntu:
  New

Bug description:
  Versions up to and including 2.4.16.10

  CVE-2025-31492

  When doing authentication, and when configured with
  OIDCProviderAuthRequestMethod POST, the protected resource is appended
  to the normal http response. This exposes protected data to people who
  have not been authenticated/authorised.
  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
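
An added example, not part of the bug report or of the mod_auth_openidc project: a Python check that scans Apache configuration text for places where `OIDCProviderAuthRequestMethod` is set to `POST`, the setting the bug description names, and reports the enclosing section. The sample configuration, host names and function names are constructed for illustration, and `Include` directives are not followed.

```python
import re

# Constructed sample Apache config (not from the bug report); hosts are placeholders.
SAMPLE_CONF = """\
# OIDCProviderAuthRequestMethod POST   (commented out: ignored)
<VirtualHost *:443>
    ServerName app.example.org
    oidcproviderauthrequestmethod \\
        post
    <Location /private>
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example.org
    OIDCProviderAuthRequestMethod GET
</VirtualHost>
"""

DIRECTIVE = "oidcproviderauthrequestmethod"  # Apache directive names are case-insensitive

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_post_auth_request(text):
    """Return [(line_no, enclosing_sections)] where the directive is set to POST."""
    hits, stack = [], []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<\s*(\w+)\s*([^>]*)>", line)
        if line.startswith("</"):
            del stack[-1:]  # leave the innermost section (no-op if unbalanced)
        elif opening:
            stack.append(f"{opening.group(1)} {opening.group(2)}".strip())
        else:
            parts = line.split(None, 1) + [""]
            if parts[0].lower() == DIRECTIVE and parts[1].strip(' "').upper() == "POST":
                hits.append((no, tuple(stack)))
    return hits
```

Each hit is a server or virtual host that matches the configuration in the bug description and should be checked against the fixed package version.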