Fedora has issued an advisory today (August 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/ The issues are fixed upstream in 2.4.9. Mageia 8 is also affected.
CC: (none) => nicolas.salgueroWhiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 2.4.9
Assigning to all packagers collectively, because I haven't seen mitya since three years ago. @ ns80 feel free to reassign to yourself :-)
CC: (none) => marja11, mityaAssignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated package fixes security vulnerabilities: In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. (CVE-2021-32786) In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. (CVE-2021-32791) In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when using `OIDCPreservePost On`. (CVE-2021-32792) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32791 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32792 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/ ======================== Updated package in core/updates_testing: ======================== apache-mod_auth_openidc-2.4.9.4-1.mga8 from SRPM: apache-mod_auth_openidc-2.4.9.4-1.mga8.src.rpm
Status: NEW => ASSIGNEDVersion: Cauldron => 8Assignee: pkg-bugs => qa-bugsWhiteboard: MGA8TOO => (none)Status comment: Fixed upstream in 2.4.9 => (none)CVE: (none) => CVE-2021-32786, CVE-2021-32791, CVE-2021-32792
SUSE has issued an advisory for this today (September 13): https://lists.suse.com/pipermail/sle-security-updates/2021-September/009431.html One additional issue, CVE-2021-32785, was also fixed upstream in 2.4.9. It should be added to the advisory.
Summary: apache-mod_auth_openidc new security issues CVE-2021-32786 and CVE-2021-3279[12] => apache-mod_auth_openidc new security issues CVE-2021-3278[56] and CVE-2021-3279[12]
(In reply to David Walser from comment #3) > SUSE has issued an advisory for this today (September 13): > https://lists.suse.com/pipermail/sle-security-updates/2021-September/009431. > html > > One additional issue, CVE-2021-32785, was also fixed upstream in 2.4.9. > > It should be added to the advisory. Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/54B4RYNP5L63X2FMX2QCVYB2LGLL42IY/
MGA8-64 Plasma on Lenovo B50 No installation issues. Previous versionwas installed, so now new ine is there. So after installation as in bug 29103 comment 4: # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2021-09-30 15:28:34 CEST; 5s ago Main PID: 15319 (/usr/sbin/httpd) Status: "Processing requests..." Tasks: 6 (limit: 9402) Memory: 42.2M CPU: 245ms CGroup: /system.slice/httpd.service ├─15319 /usr/sbin/httpd -DFOREGROUND ├─15322 /usr/sbin/httpd -DFOREGROUND ├─15323 /usr/sbin/httpd -DFOREGROUND ├─15324 /usr/sbin/httpd -DFOREGROUND ├─15325 /usr/sbin/httpd -DFOREGROUND └─15326 /usr/sbin/httpd -DFOREGROUND sep 30 15:28:34 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... sep 30 15:28:34 mach5.hviaene.thuis httpd[15319]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using mach5.hviaene.thuis. Set the 'ServerName' directive globally to suppr> sep 30 15:28:34 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server. Pointed browser to localhost and got "It works!" OK for me.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0452.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
This update also fixed CVE-2021-39191: https://lists.suse.com/pipermail/sle-security-updates/2021-October/009576.html https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
(In reply to David Walser from comment #8) > This update also fixed CVE-2021-39191: > https://lists.suse.com/pipermail/sle-security-updates/2021-October/009576. > html > https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf- > 8h6h-gqg2 Fedora has issued an advisory for this on December 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RGPW5LZDLDTB7MKZIGAHPSLFOUNWR5/