Bug 25810 - apache-mod_auth_openidc new security issue CVE-2019-14857
Summary: apache-mod_auth_openidc new security issue CVE-2019-14857
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-03 21:13 CET by David Walser
Modified: 2019-12-25 20:09 CET
CC List: 4 users

See Also:
Source RPM: apache-mod_auth_openidc-2.3.2-2.mga7.src.rpm
CVE: CVE-2019-14857
Status comment:


Attachments

Description David Walser 2019-12-03 21:13:40 CET
openSUSE has issued an advisory on November 13:
https://lists.opensuse.org/opensuse-updates/2019-11/msg00078.html

The issue is fixed upstream in 2.4.0.1.

Mageia 7 is also affected.
David Walser 2019-12-03 21:13:52 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-06 17:44:19 CET
Assigning globally as there is no maintainer, official or otherwise.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-12-12 10:38:45 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon. (CVE-2019-14857)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14857
https://lists.opensuse.org/opensuse-updates/2019-11/msg00078.html
========================

Updated package in core/updates_testing:
========================
apache-mod_auth_openidc-2.3.2-2.1.mga7

from SRPMS:
apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpm

Version: Cauldron => 7
CVE: (none) => CVE-2019-14857
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
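The advisory above describes the bug class only in one sentence: an open redirect in the handling of URLs with trailing slashes. As an added illustration of the defensive check this class of bug calls for, and not code from mod_auth_openidc, mod_auth_mellon or the Mageia package, here is a stand-alone redirect-target validator in C. It accepts a target only if it is a plain local path (one leading slash, not followed by a second slash or a backslash, which browsers read as a scheme-relative URL) or an absolute http(s) URL whose host is on an allow-list. The allow-list host sso.example.org and the sample URLs are constructed for the example; the page does not state the exact inputs behind CVE-2019-14857, so the rejected forms are the generic scheme-relative and userinfo variants, not a reproduction of the reported issue.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp / strcasecmp (POSIX) */

/* A relative target passes only as a plain local path: exactly one leading
 * '/', and the next character is neither '/' nor '\'. "//host" (and, in
 * browsers, "/\host") is parsed as a scheme-relative URL, so it would leave
 * the site even though a naive "starts with a slash" check accepts it.
 * Control characters are rejected because some browsers strip them. */
static bool is_local_path(const char *url)
{
    if (url == NULL || url[0] != '/')
        return false;
    if (url[1] == '/' || url[1] == '\\')
        return false;
    for (const unsigned char *p = (const unsigned char *)url; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f || *p == '\\')
            return false;
    }
    return true;
}

/* Copies the host of an absolute http(s) URL into out (NUL-terminated).
 * Userinfo ("user@host") and an explicit port are handled; backslashes and
 * IPv6 literals in the authority are rejected to keep the parser strict. */
static bool extract_host(const char *url, char *out, size_t outlen)
{
    const char *authority;
    if (strncasecmp(url, "https://", 8) == 0)
        authority = url + 8;
    else if (strncasecmp(url, "http://", 7) == 0)
        authority = url + 7;
    else
        return false;

    size_t alen = strcspn(authority, "/?#");   /* authority ends here */
    if (alen == 0 || memchr(authority, '\\', alen) != NULL ||
        memchr(authority, '[', alen) != NULL)
        return false;

    /* the real host follows the last '@' of the authority, if any */
    const char *host = authority;
    size_t hlen = alen;
    for (size_t i = 0; i < alen; i++) {
        if (authority[i] == '@') {
            host = authority + i + 1;
            hlen = alen - i - 1;
        }
    }
    const char *colon = memchr(host, ':', hlen);   /* drop ":port" */
    if (colon != NULL)
        hlen = (size_t)(colon - host);
    if (hlen == 0 || hlen >= outlen)
        return false;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return true;
}

/* True only for a local path or an absolute http(s) URL whose host matches
 * one of allowed_hosts exactly (case-insensitive, no suffix matching). */
bool is_allowed_redirect(const char *url, const char *const *allowed_hosts,
                         size_t n_allowed)
{
    char host[256];
    if (url == NULL || url[0] == '\0')
        return false;
    if (url[0] == '/')
        return is_local_path(url);
    if (!extract_host(url, host, sizeof host))
        return false;
    for (size_t i = 0; i < n_allowed; i++) {
        if (strcasecmp(host, allowed_hosts[i]) == 0)
            return true;
    }
    return false;
}

/* Convenience wrapper using a constructed single-host allow-list. */
bool check_against_example_allowlist(const char *url)
{
    static const char *const hosts[] = { "sso.example.org" };   /* constructed */
    return is_allowed_redirect(url, hosts, sizeof hosts / sizeof hosts[0]);
}

int main(void)
{
    /* constructed sample targets: local paths, scheme-relative tricks,
     * userinfo and look-alike hosts, and a non-http scheme */
    static const char *const samples[] = {
        "/app/home", "//evil.example/", "/\\evil.example", "///evil.example",
        "https://sso.example.org/logout", "https://SSO.example.org:8443/x",
        "https://sso.example.org@evil.example/",
        "https://sso.example.org.evil.example/", "javascript:alert(1)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s %s\n", samples[i],
               check_against_example_allowlist(samples[i]) ? "allow" : "reject");
    return 0;
}
```

The point of the exact-host comparison is that suffix or prefix matching ("ends with example.org") is the other classic way such validators fail; a look-alike host like sso.example.org.evil.example is rejected here because the whole host must match an allow-list entry.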

Comment 3 Herman Viaene 2019-12-16 11:26:17 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
After installation at CLI:
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-12-16 10:56:49 CET; 3s ago
 Main PID: 23335 (httpd)
   Status: "Processing requests..."
   Memory: 11.5M
   CGroup: /system.slice/httpd.service
           ├─23335 /usr/sbin/httpd -DFOREGROUND
           ├─23337 /usr/sbin/httpd -DFOREGROUND
           ├─23338 /usr/sbin/httpd -DFOREGROUND
           ├─23339 /usr/sbin/httpd -DFOREGROUND
           ├─23341 /usr/sbin/httpd -DFOREGROUND
           └─23343 /usr/sbin/httpd -DFOREGROUND

dec 16 10:56:49 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
dec 16 10:56:49 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

And pointing Firefox to localhost gets me "It works!"
Trying to find some test on the specific update gets me to foreign territories.
I will not object to OK on a clean install.

CC: (none) => herman.viaene

Thomas Backlund 2019-12-25 19:46:05 CET

CC: (none) => tmb, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 4 Mageia Robot 2019-12-25 20:09:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0410.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

