Bug 26289 - apache-mod_auth_openidc new security issue CVE-2019-20479
Summary: apache-mod_auth_openidc new security issue CVE-2019-20479
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-02 21:21 CET by David Walser
Modified: 2020-03-06 17:16 CET (History)
5 users

See Also:
Source RPM: apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpm
CVE: CVE-2019-20479
Status comment:



Description David Walser 2020-03-02 21:21:25 CET
Debian-LTS has issued an advisory on February 29:
https://www.debian.org/lts/security/2020/dla-2130

The issue is fixed upstream in 2.4.1.

Mageia 7 is also affected.
David Walser 2020-03-02 21:21:48 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.4.1

Comment 1 Nicolas Salguero 2020-03-03 09:08:21 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. (CVE-2019-20479)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20479
https://www.debian.org/lts/security/2020/dla-2130
========================

Updated package in core/updates_testing:
========================
apache-mod_auth_openidc-2.3.2-2.2.mga7

from SRPMS:
apache-mod_auth_openidc-2.3.2-2.2.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2019-20479
Source RPM: apache-mod_auth_openidc-2.3.2-3.mga8.src.rpm => apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.4.1 => (none)
Status: NEW => ASSIGNED
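The advisory above describes the bug class only: a redirect target beginning with a slash-and-backslash pair is parsed as a local path by a naive check, but browsers normalise the backslash to a slash and follow it as a scheme-relative URL to a foreign host. The following validator is an added illustration of how a defender can close that gap; it is not mod_auth_openidc's code, and the function name, the optional allow-list parameter and the sample inputs in the test are all assumptions constructed for this example.

```python
from typing import Collection
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str, allowed_hosts: Collection[str] = ()) -> bool:
    """Return True only when `target` stays on this site or on an allow-listed host.

    Hypothetical helper (not part of any project). Safe targets are:
      * a site-local path that starts with exactly one "/", or
      * an absolute http(s) URL whose host is in `allowed_hosts`.
    Everything else (scheme-relative URLs, backslash variants, other schemes,
    empty input) is rejected.
    """
    if not target:
        return False

    # Some browsers ignore leading whitespace/control characters before parsing,
    # so strip them first rather than letting them defeat the prefix checks below.
    candidate = target.lstrip(" \t\r\n")

    # Browsers treat "\" like "/" in http(s) URLs, so "/\host" and "\/host"
    # behave exactly like "//host": a scheme-relative URL that leaves the site.
    # A plain urlsplit() would report these as a local path, which is the gap
    # an open-redirect check has to close. Normalise before inspecting.
    normalised = candidate.replace("\\", "/")

    if normalised.startswith("//"):
        # Scheme-relative: only allowed when the host is explicitly allow-listed.
        host = urlsplit("https:" + normalised).hostname or ""
        return host in allowed_hosts

    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute URL: require http(s) and an allow-listed host. Using .hostname
        # (not .netloc) also defeats "https://trusted@evil/" style userinfo tricks.
        return parts.scheme in ("http", "https") and (parts.hostname or "") in allowed_hosts

    # Remaining case is a relative reference; insist on a site-absolute path
    # so the result cannot depend on the current request's directory.
    return normalised.startswith("/")


def redirect_target_or_default(target: str, default: str = "/",
                               allowed_hosts: Collection[str] = ()) -> str:
    """Return `target` if it passes validation, otherwise the safe `default`."""
    return target if is_safe_local_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed sample inputs: one local path and three backslash/scheme-relative forms.
    for sample in ("/protected/index.html", "/\\evil.example/", "\\/evil.example/", "//evil.example/"):
        print(f"{sample!r:28} -> {is_safe_local_redirect(sample)}")
```

Usage: call `redirect_target_or_default(request_param, allowed_hosts={"sso.example"})` wherever a post-login or logout redirect is taken from user-controlled input; the normalisation step is the essential part, because a check that looks only for a leading `"//"` or only at `urlsplit(...).netloc` still passes the slash-backslash forms named in the advisory.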

Comment 2 Herman Viaene 2020-03-03 16:57:09 CET
MGA7-64 Plasma on lenovo B50
No installation issues
Ref bug 25810
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl  start httpd 

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-03 16:53:17 CET; 9s ago
 Main PID: 32532 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
   Memory: 29.5M
   CGroup: /system.slice/httpd.service
           ├─32532 /usr/sbin/httpd -DFOREGROUND
           ├─32534 /usr/sbin/httpd -DFOREGROUND
           ├─32536 /usr/sbin/httpd -DFOREGROUND
           ├─32537 /usr/sbin/httpd -DFOREGROUND
           ├─32538 /usr/sbin/httpd -DFOREGROUND
           └─32539 /usr/sbin/httpd -DFOREGROUND

Mar 03 16:53:16 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Mar 03 16:53:17 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
And pointing firefox to localhost gets me "It works!"
So OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-03-04 16:42:28 CET
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 15:40:02 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-03-06 17:16:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0129.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

