
Re: Bug#1102413: libapache2-mod-auth-openidc: CVE-2025-31492



Hey Sylvain,

On Wed, 2025-04-16 at 12:40 +0200, Sylvain Beucler wrote:
> The patch looks good :)

Thanks!

> The LTS upload workflow is detailed at:
> https://lts-team.pages.debian.net/wiki/Development.html
> 
> As a DD you can do everything by yourself, but if you want I can take 
> care of the administrative side (registering a DLA, announcing it, etc.).

Okay, cool - so I have made a source-only-upload to security-master and
registered DLA-4129-1.
Now I wait until they are built, fill out the announcement template and then
I'll send it.

> How did you test the update?

On some (live) servers (that don't normally use the
"OIDCProviderAuthRequestMethod POST" setting. ;)

> There's a proof-of-concept for this CVE IIUC.

There was no concrete info in the GHSA, so I used my NI[1] to come up with

echo -e "GET /wp-login.php HTTP/1.1\r\nHost: <hostname>\r\nAccept: text/html\r\n\r\n" | openssl s_client -connect <hostname>:443 -ign_eof

[1]: Natural Intelligence, SCNR ;)

> We also try to run tests at Salsa-CI, with a LTS config:
> https://lts-team.pages.debian.net/git-workflow-lts.html#add-salsa-ci-yml
> You can push at your own repo at Salsa or at the lts-team repo if you 
> wish to keep LTS/ELTS history separate.

Great - I added it to my Bullseye branch!

Thanks,
Moritz
