Operating System:

[Debian]

Published:

30 July 2020

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2020.2602 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2602
                libapache2-mod-auth-openidc security update
                               30 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapache2-mod-auth-openidc
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1010247 CVE-2019-20479 CVE-2019-14857

Reference:         ESB-2020.0940
                   ESB-2020.0756

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2298

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2298-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
July 29, 2020                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.1.6-1+deb9u1
CVE ID         : CVE-2019-14857 CVE-2019-20479 CVE-2019-1010247


Several issues have been found in libapache2-mod-auth-openidc, the OpenID 
Connect authentication module for the Apache HTTP server.

CVE-2019-14857

     Insufficient validation of URLs leads to an Open Redirect
     vulnerability. An attacker may trick a victim into providing
     credentials for an OpenID provider by forwarding the request to an
     illegitimate website.

CVE-2019-20479

     Due to insufficient validatation of URLs an Open Redirect
     vulnerability for URLs beginning with a slash and backslash could be
     abused.

CVE-2019-1010247

     The OIDCRedirectURI page contains generated JavaScript code that uses
     a poll parameter as a string variable, thus might contain additional
     JavaScript code. This might result in Criss-Site Scripting (XSS).


For Debian 9 stretch, these problems have been fixed in version
2.1.6-1+deb9u1.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please 
refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl8h78JfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfE9Q/+LUe+WhVzkBG0P2e/SHcx9/TG8bLp0xs3O+pdRDciSFTyKWZSVsOOr2hN
oxkMbnmynU0vHIsLL1LpDz9TL+0/Fu1USgQpplvoN6Oiw8tdbxBT4vyTlme/8E/o
dbngFcd13BWFam6eHgW2Bgvo357OyQtRSrP/b7Kx3pVVvv6ohU0q8HKKqx21i+Tb
XA/Kqq2p6XusZ1BgTy6O81kn5EctRw0RbHTaZg8OPtTLwq5Xe5hLR1JA4z0pXVnD
MH/G+H1ln2QKOWOQAJYHj4z5id+iZOToJDFsRaymIc2qGZpm8oNay7Ibn3Y2ys99
xc+Q1ArSux0mI5w8hMoU3ibZE8DWJZnyvG4KTQ6ViLtfZOkEqyU0GVqjpu+M7adR
yOsRQb4viCyrV+XgCkkRfnyLNyCqFdwSRKz6TlewziJwW1OF4vyJ2phO0aZEbvF1
bUAaf0y6zwEVuCwhTOC5qu8FDdje+yjVWFJtqrKtsZEWOUbY3xX8Bd9J8Fi1nfEp
m6Nl2crASv19PCkMa4lyNgUJDPysdNgIWeqSfv5Vm5A64hgQ9fhtKu4BetWPZH7G
sBAElX/g7nV69s9tnkZETv4QJoNGuiaMHRGCJcQNNiM/XPU8NG4fdznT+6cve+2o
aIG7OaWS460JWMVfm7IhDltUN/yFTD7wjObZgPyhSDT2c+/akQQ=
=KLt4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXyJmX+NLKJtyKPYoAQjS8g/9EeiYzyldxaWeLApiJt7P3UD1GaykvXN7
x7BlGjyD7BBgr4lCerOn15UHiNlDOzjJ+GPstVeHYgQOTZUAXAYe0CZ+yJ/ykBPK
O1hhKuzxlHsEcvqNQDyGenOXfgkIl3ifkB6He74xUv99GLAj+V3sFZpnhbFICW1c
Bh6QbSgPw5nTQ0dup90pDX1CQxT7SUz9fd9Uaje8MqQ6EtAbJj17Mjicg6gC0le1
HQkjE7Cd+DwiVu3ncEtY7vvfLTFbHaiU0WQoytsGyHjlgPXWLx5lXAl93urDBLZY
gDcOX3hSKxo4oO+WDUho00E8zedC9q/EJPdOqRtIyRkh59x+FBw+bivnZgWqEXC1
IkJutzojYkI3gC7+za3KEulFe2oVMaqFFlf4AuUgumVhfhOeNDrOtggWE/hCkJ6h
P35r9z3kqNZD+uu0o9aXwX052va+v6uTx4oLAOSNrgT//1MLx3ae0q8W18APzm8A
dO+V/qk41l5g/TbnH4gQZ12SNcbRpR1c5VdIctfaSL3sBw3lbNM4r99RM5tpgYH0
IVJaDvKuY6slE0ddXjkMb5kN4Cssi/64fXSjLaN32f5rokOcgNBp1/aOdGKWxh6T
1CKVp6sc6Yg0k3pJN5zAHL4OBFdjjyVBQjdkgM8WSqwPU8KSuwsEu2A9E27talL8
p8x3lfFxok0=
=HHYe
-----END PGP SIGNATURE-----