| Summary: | apache-mod_auth_openidc new security issues CVE-2021-3278[56] and CVE-2021-3279[12] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, marja11, mitya, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | apache-mod_auth_openidc-2.4.2.1-1.1.mga8.src.rpm | CVE: | CVE-2021-32786, CVE-2021-32791, CVE-2021-32792 |
| Status comment: | |||
|
Description
David Walser
2021-08-08 19:44:33 CEST
David Walser
2021-08-08 19:44:56 CEST
CC:
(none) =>
nicolas.salguero Assigning to all packagers collectively, because I haven't seen mitya since three years ago. @ ns80 feel free to reassign to yourself :-) CC:
(none) =>
marja11, mitya Suggested advisory: ======================== The updated package fixes security vulnerabilities: In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. (CVE-2021-32786) In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. (CVE-2021-32791) In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when using `OIDCPreservePost On`. (CVE-2021-32792) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32791 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32792 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/ ======================== Updated package in core/updates_testing: ======================== apache-mod_auth_openidc-2.4.9.4-1.mga8 from SRPM: apache-mod_auth_openidc-2.4.9.4-1.mga8.src.rpm Status:
NEW =>
ASSIGNED SUSE has issued an advisory for this today (September 13): https://lists.suse.com/pipermail/sle-security-updates/2021-September/009431.html One additional issue, CVE-2021-32785, was also fixed upstream in 2.4.9. It should be added to the advisory. Summary:
apache-mod_auth_openidc new security issues CVE-2021-32786 and CVE-2021-3279[12] =>
apache-mod_auth_openidc new security issues CVE-2021-3278[56] and CVE-2021-3279[12] (In reply to David Walser from comment #3) > SUSE has issued an advisory for this today (September 13): > https://lists.suse.com/pipermail/sle-security-updates/2021-September/009431. > html > > One additional issue, CVE-2021-32785, was also fixed upstream in 2.4.9. > > It should be added to the advisory. Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/54B4RYNP5L63X2FMX2QCVYB2LGLL42IY/ MGA8-64 Plasma on Lenovo B50 No installation issues. Previous versionwas installed, so now new ine is there. So after installation as in bug 29103 comment 4: # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2021-09-30 15:28:34 CEST; 5s ago Main PID: 15319 (/usr/sbin/httpd) Status: "Processing requests..." Tasks: 6 (limit: 9402) Memory: 42.2M CPU: 245ms CGroup: /system.slice/httpd.service ├─15319 /usr/sbin/httpd -DFOREGROUND ├─15322 /usr/sbin/httpd -DFOREGROUND ├─15323 /usr/sbin/httpd -DFOREGROUND ├─15324 /usr/sbin/httpd -DFOREGROUND ├─15325 /usr/sbin/httpd -DFOREGROUND └─15326 /usr/sbin/httpd -DFOREGROUND sep 30 15:28:34 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... sep 30 15:28:34 mach5.hviaene.thuis httpd[15319]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using mach5.hviaene.thuis. Set the 'ServerName' directive globally to suppr> sep 30 15:28:34 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server. Pointed browser to localhost and got "It works!" OK for me. Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in Comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2021-10-02 19:16:24 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0452.html Resolution:
(none) =>
FIXED This update also fixed CVE-2021-39191: https://lists.suse.com/pipermail/sle-security-updates/2021-October/009576.html https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2 (In reply to David Walser from comment #8) > This update also fixed CVE-2021-39191: > https://lists.suse.com/pipermail/sle-security-updates/2021-October/009576. > html > https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf- > 8h6h-gqg2 Fedora has issued an advisory for this on December 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RGPW5LZDLDTB7MKZIGAHPSLFOUNWR5/ |