- Package:
- src:libapache2-mod-auth-openidc
- Source:
- src:libapache2-mod-auth-openidc
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-04-18 11:51:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2025-31492[0]:
| mod_auth_openidc is an OpenID Certified authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. Prior to 2.4.16.11,
| a bug in mod_auth_openidc results in disclosure of protected
| content to unauthenticated users. The conditions for disclosure are
| an OIDCProviderAuthRequestMethod POST, a valid account, and there
| mustn't be any application-level gateway (or load balancer etc.)
| protecting the server. When you request a protected resource, the
| response includes the HTTP status, the HTTP headers, the intended
| response (the self-submitting form), and the protected resource
| (with no headers). This is an example of a request for a protected
| resource, including all the data returned. In the case where
| mod_auth_openidc returns a form, it has to return OK from
| check_userid so as not to go down the error path in httpd. This
| means httpd will try to issue the protected resource.
| oidc_content_handler is called early, which has the opportunity to
| prevent the normal output being issued by httpd.
| oidc_content_handler has a number of checks for when it intervenes,
| but it doesn't check for this case, so the handler returns DECLINED.
| Consequently, httpd appends the protected content to the response.
| The issue has been patched in mod_auth_openidc versions >=
| 2.4.16.11.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31492
    https://www.cve.org/CVERecord?id=CVE-2025-31492
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
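An added verification check, not part of this bug report and not code from mod_auth_openidc: it inspects the body an unauthenticated client receives for a protected URL and flags the leak described above, namely bytes that follow the `</html>` of the self-submitting POST form. It assumes the form page is a complete HTML document; the sample bodies, hostnames and client id are constructed placeholders.

```python
import re

# Constructed sample bodies (not captured from a real server; the hostnames
# and client id are placeholders). On a vulnerable server the unauthenticated
# response for a protected page is the self-submitting POST form followed
# by the protected resource itself, with no separating headers.
FORM_PAGE = (
    b"<html><head><title>Submitting...</title></head>\n"
    b'<body onload="document.forms[0].submit()">\n'
    b'<form method="post" action="https://op.example.invalid/authorize">\n'
    b'<input type="hidden" name="response_type" value="code">\n'
    b'<input type="hidden" name="client_id" value="rp-client">\n'
    b"</form></body></html>\n"
)
PROTECTED_PAGE = b"<html><body><h1>Internal dashboard</h1><p>secret</p></body></html>\n"

VULNERABLE_BODY = FORM_PAGE + PROTECTED_PAGE  # form page plus appended resource
PATCHED_BODY = FORM_PAGE                      # form page only (>= 2.4.16.11)

_POST_FORM = re.compile(rb'<form[^>]*method=["\']?post', re.IGNORECASE)
_END_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)


def analyze(body: bytes) -> dict:
    """Verdict for one unauthenticated response body of a protected URL.

    leaked is True when a POST auth-request form is present and non-
    whitespace bytes follow the FIRST </html>: the module emitted its form
    page, returned DECLINED from the content handler, and httpd appended
    the protected content after it. The first </html> is used because the
    leaked resource is itself usually an HTML document.
    """
    has_form = _POST_FORM.search(body) is not None
    end = _END_HTML.search(body)
    trailing = body[end.end():].strip() if end else b""
    return {
        "has_post_form": has_form,
        "trailing_bytes": len(trailing),
        "leaked": has_form and len(trailing) > 0,
    }


if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(name, analyze(body))
```

A zero `trailing_bytes` with `has_post_form` true is the expected shape after the fix; a non-zero value is the regression this bug report describes.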
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <moschlar@debian.org> (supplier of updated libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 10 Apr 2025 14:27:27 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.16.11-1
Distribution: unstable
Urgency: high
Maintainer: Moritz Schlarb <moschlar@debian.org>
Changed-By: Moritz Schlarb <moschlar@debian.org>
Closes: 1102413
Changes:
libapache2-mod-auth-openidc (2.4.16.11-1) unstable; urgency=high
.
* New upstream version 2.4.16.11
Fixes CVE-2025-31492, Closes: #1102413
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <moschlar@debian.org> (supplier of updated libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 16 Apr 2025 10:56:55 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.12.3-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Moritz Schlarb <schlarbm@uni-mainz.de>
Changed-By: Moritz Schlarb <moschlar@debian.org>
Closes: 1102413
Changes:
libapache2-mod-auth-openidc (2.4.12.3-2+deb12u3) bookworm-security; urgency=high
.
* Fix CVE-2025-31492
"protected content leakage when using OIDCProviderAuthRequestMethod POST"
Backported applicable portions from upstream fix in
https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
(Closes: #1102413)