| Summary: | apache-mod_auth_openidc new security issue CVE-2021-20718 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | apache-mod_auth_openidc-2.4.2.1-1.mga8.src.rpm | CVE: | CVE-2021-20718 |
| Status comment: | |||
|
Description
David Walser
2021-06-10 20:35:44 CEST
David Walser
2021-06-10 20:35:55 CEST
CC:
(none) =>
nicolas.salguero The registered maintainer mitya is not with us any more, and various people commit this SRPM; so asigning the bug globally. Assignee:
bugsquad =>
pkg-bugs Fedora has issued an advisory for this on June 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5HJK366TLFEOIYWTHQSZO24MSDPBXHJU/ Suggested advisory: ======================== The updated package fixes a security vulnerability: mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors. (CVE-2021-20718) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20718 https://lists.suse.com/pipermail/sle-security-updates/2021-June/008962.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5HJK366TLFEOIYWTHQSZO24MSDPBXHJU/ ======================== Updated package in core/updates_testing: ======================== apache-mod_auth_openidc-2.4.2.1-1.1.mga8 from SRPM: apache-mod_auth_openidc-2.4.2.1-1.1.mga8.src.rpm CVE:
(none) =>
CVE-2021-20718 MGA8-64 Plasma on lenovo B50 No installation issues Ref bug 26289 # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2021-06-18 14:57:51 CEST; 2s ago Main PID: 13008 (httpd) Status: "Processing requests..." Tasks: 6 (limit: 9402) Memory: 7.7M CPU: 59ms CGroup: /system.slice/httpd.service ├─13008 /usr/sbin/httpd -DFOREGROUND ├─13010 /usr/sbin/httpd -DFOREGROUND ├─13011 /usr/sbin/httpd -DFOREGROUND ├─13012 /usr/sbin/httpd -DFOREGROUND ├─13013 /usr/sbin/httpd -DFOREGROUND └─13014 /usr/sbin/httpd -DFOREGROUND jun 18 14:57:51 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... jun 18 14:57:51 mach5.hviaene.thuis httpd[13008]: AH00558: httpd: Could not reliably determine the serv> jun 18 14:57:51 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server. Point browser to localhost and get "It works", so OK on clean install. CC:
(none) =>
herman.viaene Validating. Advisory in Comment 3. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Aurelien Oudelet
2021-06-22 21:40:32 CEST
CC:
(none) =>
ouaurelien An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0280.html Status:
ASSIGNED =>
RESOLVED |