[SECURITY] [DLA 3751-1] libapache2-mod-auth-openidc security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3751-1] libapache2-mod-auth-openidc security update
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 05 Mar 2024 18:16:33 +0000
Message-id: <[🔎] 170966104569.105022.17889395547052646247@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 05, 2024                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u4
CVE ID         : CVE-2024-24814
Debian Bug     : 1064183

It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.

Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.

For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmXnW3MACgkQHpU+J9Qx
HlhwGw/+NHgag1pRt184HwyEomFSYn/Gx0cLFxs9W5pAQ+KZXze4/YYe5WxqBzAy
P6XC843DtG8GBtfDjNQah5eOEaWpXNmWhQyLGgN6KzrVCxq1JOx2XAbcVUp9ZVTw
Ibh+G//9L2YePuto0ogIEgBlhNfmbr1R58lFzEuDjZxT7LfrSPFLhXtaGA3rrv6v
eJW4AM+iUI8iReg/CUqYt67c43BDhBINOhgNQrAsY4CB8miMCMxTIfzoAugR+JFA
JEonKjaPskVhX6HWBhH9qmogsXhDLsY3HFAsnFy6JsbcD1FYgc9lLbw9MzOnSPa3
4Gvmbh+w5M3bGIX3lPoNyUHXf1f5FhcLspqGbnXxgXWrxLKSkf5MYDH871+gLVm1
hoJ9DZe2OzmL4g4xfiTQf0WUg3ZEL6ta9s4s5dgDTwB6S8iBDSUzcgF1bk8Lumvf
zd2P3F7nPoLd69MBZeB1PCvQ8te4k4m4RkWluAAzY0jPU+lWe99UUifSgyZj80xE
sb7ozzEBpOWaqXTu5DfkDflBZgCOF+y6gPRijvv4jOq8V4SCva7J0J3vKoc9Ooo4
HnwCJxFdVt3X2LznxvUHwYPcwMX3zgA/jazYamVRgmEQjGEMeyQvWPJ53O2nJUlf
C6/yAsmQkGl20RZusKGWx2qAMHES5GgN1SoZtRuZh2PuDlYlYcs=
=XLup
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3750-1] php-phpseclib security update
Next by Date: [SECURITY] [DLA 3752-1] libuv1 security update
Previous by thread: [SECURITY] [DLA 3750-1] php-phpseclib security update
Next by thread: [SECURITY] [DLA 3752-1] libuv1 security update
Index(es):
- Date
- Thread