-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2444
                libapache2-mod-auth-openidc security update
                                2 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapache2-mod-auth-openidc
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28625 CVE-2021-32792 CVE-2021-32791
                   CVE-2021-32786 CVE-2021-32785 CVE-2019-20479

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html

Comment: CVSS (Max):  7.5 CVE-2023-28625 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3409-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u2
CVE ID         : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 
                 CVE-2021-32792 CVE-2023-28625
Debian Bug     : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc,
an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

    Insufficient validation of URLs beginning with a slash and backslash.

CVE-2021-32785

    Crash when using an unencrypted Redis cache.

CVE-2021-32786

    Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

    AES GCM encryption in mod_auth_openidc used a static IV and AAD.

CVE-2021-32792

    XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

    NULL pointer dereference with OIDCStripCookies.
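
Worked check for the two redirect-target issues above (CVE-2019-20479 and
CVE-2021-32786). This is an added illustration, not code from mod_auth_openidc
or from the Debian advisory: a POSIX sh function that decides whether a
user-supplied post-login or post-logout target may be used. The point of the
slash-and-backslash case is that browsers parse "\" as "/" in http(s) URLs, so
"/\evil.example" is treated as the scheme-relative "//evil.example"; a check
that only looks for a leading "/" lets it through. The function name, the
sample inputs and the percent-encoded variants it also rejects are assumptions
made for this example.

```sh
#!/bin/sh
# Added example (not mod_auth_openidc code): validate a user-supplied redirect
# target that must stay on the local site, as used after login or logout.
#
# Rules (conservative; assumptions of this example, see lead-in):
#   - must start with exactly one "/"  (so no "http://", no "//host")
#   - second character must not be "\"  (browsers read "/\host" as "//host")
#   - no percent-encoded "/" or "\" in that second position either
#   - no CR or LF anywhere (would otherwise end up in a Location header)
# Returns 0 when the target is acceptable, 1 otherwise.

cr=$(printf '\r')
nl='
'

is_local_redirect_target() {
  t=$1
  case "$t" in
    *"$cr"*|*"$nl"*)   return 1 ;;   # header-injection characters
    //*|/\\*)          return 1 ;;   # scheme-relative: //host or /\host
    /%2[fF]*|/%5[cC]*) return 1 ;;   # encoded //host or /\host
    /*)                return 0 ;;   # "/", "/account", "/a?b=c" ...
    *)                 return 1 ;;   # empty, absolute URL, "\\host", "foo"
  esac
}

# Demonstration on constructed inputs; the printed word is the decision.
for t in /account '/\evil.example' //evil.example 'https://evil.example/' \
         /%5Cevil.example '' account; do
  if is_local_redirect_target "$t"; then
    printf 'ACCEPT %s\n' "$t"
  else
    printf 'REJECT %s\n' "$t"
  fi
done
```

The same decision can be made inside Apache configuration in simple cases, but
a function like this is easier to reason about when the target also has to be
compared against an allow-list of paths, which is usually the next step.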

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.
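
Added example for the upgrade recommendation: a POSIX sh script (not part of
the advisory or of Debian's tooling) that reads the installed version of
libapache2-mod-auth-openidc with dpkg-query and compares it with the fixed
version named above. It uses dpkg's own ordering via dpkg --compare-versions
when dpkg is available and otherwise falls back to GNU sort -V, which orders
plain version strings like these correctly but does not implement every Debian
ordering rule (for example "~"). The script name, function names and exit
codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the Debian advisory: is the installed
# libapache2-mod-auth-openidc on this buster host at or above the fixed version?
set -eu

PKG=libapache2-mod-auth-openidc
FIXED=2.3.10.2-1+deb10u2     # fixed version from DLA-3409-1

# version_is_fixed INSTALLED FIXED -> 0 if INSTALLED >= FIXED, else 1.
# Prefers dpkg's comparison (handles epochs, "~", "+deb10u2" suffixes);
# falls back to GNU sort -V, which orders these plain strings correctly
# but is not a full implementation of Debian version ordering.
version_is_fixed() {
  inst=$1
  fixed=$2
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$inst" ge "$fixed"
  else
    lowest=$(printf '%s\n%s\n' "$fixed" "$inst" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
  fi
}

# installed_version PKG -> prints the version only when the package is in
# state "installed" (a removed package with leftover config files prints
# nothing); prints nothing if dpkg-query is not available on this system.
installed_version() {
  dpkg-query -W -f '${db:Status-Status} ${Version}\n' "$1" 2>/dev/null |
    awk '$1 == "installed" { print $2 }'
}

# check_host -> 0 when fixed or not installed, 2 when an upgrade is needed.
check_host() {
  inst=$(installed_version "$PKG")
  if [ -z "$inst" ]; then
    echo "$PKG: not installed"
    return 0
  fi
  if version_is_fixed "$inst" "$FIXED"; then
    echo "$PKG $inst: at or above $FIXED, fixed"
    return 0
  fi
  echo "$PKG $inst: below $FIXED, upgrade needed (apt-get update && apt-get install $PKG)"
  return 2
}

# Run the live check only when invoked as "sh openidc-check.sh --run", so the
# functions can also be sourced from another script.
if [ "${1:-}" = --run ]; then
  check_host
fi
```

Run it as "sh openidc-check.sh --run"; exit status 2 means an upgrade is due,
which makes the script usable from a fleet-wide SSH loop or a compliance job.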

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZFBrw8kNZI30y1K9AQjZCg//asGGKyjCA9QJQjeuyYnrF84/pVP3PdDC
He6TyssFaRngvjm4IkdCMGmWXJY38byj8l+f8u0KxgxmwecPvAjUaTFZ4h6Mgsg4
Adj1FOORVDa2FopWl/Nz41tNQrJ2LGhcN+/OzYxSTklfQYialvn0EdSkJajWMAkn
w9Yn5PO6+CbKltYcGynrXs1IwVR9racuUz+0pZd495IMyQrnmmlPWM+tNvPrHP0m
30KHDbrZ6QeqbCFv0qESfD2Z11bD7MUpXm1mnUUNJSPnivB7yOAfQeI3CcYvEymd
bMwbUfyfpRYK38LdmvRdwuhmOk6Ph0XDH6OGDGZe4Mc0Hrl+839BtDEid3jQAD9T
Emm3ixp2d3/V+rIOGSO8S1VySOR8NP5+TOTnQIEqvJsvWrp7nRb7htsAOZEm67lC
IRL2k5VV3IDKgUxpAY+JljVCDlhKT5p1iXC5QRRiAid3anYvZRkS+/btBgtJNRGg
AK/9gGFjCTR7aKIGYyRTD4ECnogGZ+cKWGFOR032EO4njXA3SmAmRhkjbnYBlclD
XUPJw7CxrD4fdwTOPyewWr9PT3EISX/+jPKW5tRnDYZ35/x8rJHPg2AqtX9u1et9
tdn4U4Cj1QrQ2im28MdcMnt4iA2oaVNjJAeOVu/oMsHxO9LfIYUTgPjLP+1NaUY1
Ptk6/RW2Kf0=
=6U94
-----END PGP SIGNATURE-----