Debian-LTS has issued an advisory on February 29: https://www.debian.org/lts/security/2020/dla-2130 The issue is fixed upstream in 2.4.1. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOCC: (none) => nicolas.salgueroStatus comment: (none) => Fixed upstream in 2.4.1
Suggested advisory: ======================== The updated package fixes a security vulnerability: A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. (CVE-2019-20479) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20479 https://www.debian.org/lts/security/2020/dla-2130 ======================== Updated package in core/updates_testing: ======================== apache-mod_auth_openidc-2.3.2-2.2.mga7 from SRPMS: apache-mod_auth_openidc-2.3.2-2.2.mga7.src.rpm
Assignee: bugsquad => qa-bugsVersion: Cauldron => 7CVE: (none) => CVE-2019-20479Source RPM: apache-mod_auth_openidc-2.3.2-3.mga8.src.rpm => apache-mod_auth_openidc-2.3.2-2.1.mga7.src.rpmWhiteboard: MGA7TOO => (none)Status comment: Fixed upstream in 2.4.1 => (none)Status: NEW => ASSIGNED
MGA7-64 Plasma on lenovo B50 No installation issues Ref bug 25810 # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2020-03-03 16:53:17 CET; 9s ago Main PID: 32532 (httpd) Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec" Memory: 29.5M CGroup: /system.slice/httpd.service ├─32532 /usr/sbin/httpd -DFOREGROUND ├─32534 /usr/sbin/httpd -DFOREGROUND ├─32536 /usr/sbin/httpd -DFOREGROUND ├─32537 /usr/sbin/httpd -DFOREGROUND ├─32538 /usr/sbin/httpd -DFOREGROUND └─32539 /usr/sbin/httpd -DFOREGROUND Mar 03 16:53:16 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Mar 03 16:53:17 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server. And pointing firefox to localhost gets me "It works!" So OK on clean install.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0129.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED