Bug 31331

Summary: apache-mod_auth_openidc new security issues CVE-2022-23527 and CVE-2023-28625
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: geiger.david68210, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: apache-mod_auth_openidc-2.4.9.4-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 2.4.13.2

Description David Walser 2022-12-27 17:07:54 CET
Fedora has issued an advisory on December 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MOA67H3SS5ZRPS5SX4RJN6XE5CLFBWHB/

The issue is fixed upstream in 2.4.12.2:
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53

Mageia 8 is also affected.
David Walser 2022-12-27 17:08:16 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.4.12.2

Comment 1 Lewis Smith 2022-12-27 20:20:34 CET
Noting that ns80 is already CC'd, assigning this SRPM with no constant maintainer globally.

Assignee: bugsquad => pkg-bugs

Nicolas Salguero 2022-12-28 14:29:35 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: apache-mod_auth_openidc-2.4.9.4-3.mga9.src.rpm => apache-mod_auth_openidc-2.4.9.4-1.mga8.src.rpm

Comment 2 David Walser 2023-02-01 18:23:57 CET
openSUSE has issued an advisory for this on January 30:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/35VWK6P4EMFFBTSTFBNR74WRTYFBBBG3/
Comment 3 David Walser 2023-04-17 15:20:24 CEST
SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014465.html

The issue is fixed upstream in 2.4.13.2:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr

Mageia 8 is also affected.

Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 2.4.12.2 => Fixed upstream in 2.4.13.2

David Walser 2023-04-17 15:20:41 CEST

Summary: apache-mod_auth_openidc new security issue CVE-2022-23527 => apache-mod_auth_openidc new security issues CVE-2022-23527 and CVE-2023-28625

Comment 4 David Walser 2023-05-19 20:11:25 CEST
Debian has issued an advisory for CVE-2023-28625 on May 18:
https://www.debian.org/security/2023/dsa-5405
Comment 5 David GEIGER 2023-07-01 07:26:05 CEST
Package was updated on cauldron by ns80!

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210

Comment 6 Nicolas Salguero 2024-01-12 10:33:55 CET
Mageia 8 EOL

Resolution: (none) => OLD
Status: NEW => RESOLVED