Bug 32928

Assigning this globally; but you Nicolas are the main updater of this SRPM (for example, "version 2.4.13.2 for CVE-2023-28625", and similar precedants). You should see this comment...

Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed upstream in 2.4.15.2

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to DoS attack. (CVE-2024-24814)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7DKVEVREYAI4F46CQAVOTPL75WLOZOE/
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
========================

Updated package in core/updates_testing:
========================
apache-mod_auth_openidc-2.4.13.2-1.1.mga9

from SRPM:
apache-mod_auth_openidc-2.4.13.2-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: fixed upstream in 2.4.15.2 => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED

RH mageia 9 x86_64

Install current package

LC_ALL=C urpmi apache-mod_auth_openidc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  apache-mod_auth_openidc        2.4.13.2     1.mga9        x86_64  
(medium "Core Updates (distrib3)")
  lib64cjose0                    0.6.1        3.1.mga9      x86_64  
702KB of additional disk space will be used.
242KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64cjose0-0.6.1-3.1.mga9.x86_64.rpm
installing lib64cjose0-0.6.1-3.1.mga9.x86_64.rpm apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ######################################################################################
      1/2: lib64cjose0           ######################################################################################
      2/2: apache-mod_auth_openidc
                                 ######################################################################################

Update to testing version

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: apache-mod_auth_openidc
                                 ######################################################################################
      1/1: removing apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64
                                 ######################################################################################

Test done by Herman in bug#29344

service httpd restart
Redirecting to /bin/systemctl restart httpd.service
service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-03-21 13:04:51 CST; 9s ago
   Main PID: 94399 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 6904)
     Memory: 15.6M
        CPU: 94ms
     CGroup: /system.slice/httpd.service
             ├─94399 /usr/sbin/httpd -DFOREGROUND
             ├─94401 /usr/sbin/httpd -DFOREGROUND
             ├─94402 /usr/sbin/httpd -DFOREGROUND
             ├─94403 /usr/sbin/httpd -DFOREGROUND
             ├─94404 /usr/sbin/httpd -DFOREGROUND
             └─94405 /usr/sbin/httpd -DFOREGROUND

mar 21 13:04:51 phoenix systemd[1]: Starting httpd.service...
mar 21 13:04:51 phoenix httpd[94399]: AH00558: httpd: Could not reliably determine the server's fully qualified domain n>
mar 21 13:04:51 phoenix systemd[1]: Started httpd.service.

Test local pages without issues

Remove the packages

 LC_ALL=C urpme apache-mod_auth_openidc lib64cjose0
removing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64 lib64cjose0-0.6.1-3.1.mga9.x86_64
removing package apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64
      1/2: removing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64
                                 ######################################################################################
removing package lib64cjose0-0.6.1-3.1.mga9.x86_64
      2/2: removing lib64cjose0-0.6.1-3.1.mga9.x86_64
                                 ######################################################################################

Not issues detected

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0081.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED