Bug 26289

Summary: apache-mod_auth_openidc new security issue CVE-2019-20479
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpm CVE: CVE-2019-20479
Status comment:

Description David Walser 2020-03-02 21:21:25 CET 
Debian-LTS has issued an advisory on February 29:
https://www.debian.org/lts/security/2020/dla-2130

The issue is fixed upstream in 2.4.1.

Mageia 7 is also affected.
David Walser 2020-03-02 21:21:48 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.4.1

Comment 1 Nicolas Salguero 2020-03-03 09:08:21 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. (CVE-2019-20479)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20479
https://www.debian.org/lts/security/2020/dla-2130
========================

Updated package in core/updates_testing:
========================
apache-mod_auth_openidc-2.3.2-2.2.mga7

from SRPMS:
apache-mod_auth_openidc-2.3.2-2.2.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2019-20479
Source RPM: apache-mod_auth_openidc-2.3.2-3.mga8.src.rpm => apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.4.1 => (none)
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2020-03-03 16:57:09 CET 
MGA7-64 Plasma on lenovo B50
No installation issues
Ref bug 25810
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl  start httpd 

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-03 16:53:17 CET; 9s ago
 Main PID: 32532 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
   Memory: 29.5M
   CGroup: /system.slice/httpd.service
           ├─32532 /usr/sbin/httpd -DFOREGROUND
           ├─32534 /usr/sbin/httpd -DFOREGROUND
           ├─32536 /usr/sbin/httpd -DFOREGROUND
           ├─32537 /usr/sbin/httpd -DFOREGROUND
           ├─32538 /usr/sbin/httpd -DFOREGROUND
           └─32539 /usr/sbin/httpd -DFOREGROUND

Mar 03 16:53:16 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Mar 03 16:53:17 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
And pointing firefox to localhost gets me "It works!"
So OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-03-04 16:42:28 CET 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 15:40:02 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-03-06 17:16:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0129.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED