Fedora has issued an advisory on March 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7DKVEVREYAI4F46CQAVOTPL75WLOZOE/

The issue is fixed upstream in 2.4.15.2:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

Mageia 9 is also affected.
Source RPM: (none) => apache-mod_auth_openidc-2.4.13.2-1.mga9.src.rpm
CVE: (none) => CVE-2024-24814
Whiteboard: (none) => MGA9TOO
Assigning this globally, but you, Nicolas, are the main updater of this SRPM (for example, "version 2.4.13.2 for CVE-2023-28625", and similar precedents). You should see this comment...
Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed upstream in 2.4.15.2
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Missing input validation on the mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a DoS attack. (CVE-2024-24814)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7DKVEVREYAI4F46CQAVOTPL75WLOZOE/
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
========================

Updated package in core/updates_testing:
========================
apache-mod_auth_openidc-2.4.13.2-1.1.mga9

from SRPM:
apache-mod_auth_openidc-2.4.13.2-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: fixed upstream in 2.4.15.2 => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Keywords: (none) => advisory
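The advisory text above only says that the chunk-count cookie lacked input validation. The following C program is an added illustration of that bug class and is not code from mod_auth_openidc or from anyone on this bug: it reassembles a session cookie that was split into chunk cookies, taking the number of chunks from a client-supplied "<name>_chunks" cookie. The "<name>_<i>" chunk naming, the 4000-byte chunk size, the upper bound of 32 chunks, the up-front buffer allocation and the `max_chunks == 0` "no check" mode are all assumptions made for the example, not a description of the module's real code or of the upstream fix. The two Cookie headers are constructed test inputs.

```c
/* Added example: chunked-cookie reassembly with and without a range check on
 * the client-controlled chunk count.  Not mod_auth_openidc code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_LEN   4000   /* assumed max bytes per chunk cookie            */
#define MAX_CHUNKS  32     /* assumed sane upper bound on the chunk count    */
#define MAX_COOKIES 16

enum { OK = 0, ERR_NOCOUNT, ERR_FORMAT, ERR_RANGE, ERR_OVERFLOW, ERR_ALLOC, ERR_CHUNK };

typedef struct { const char *name; const char *value; } cookie_t;
typedef struct { cookie_t c[MAX_COOKIES]; int n; } jar_t;
/* Observability for the demo: how much memory and how many lookups a request cost. */
typedef struct { size_t bytes_requested; long lookups; } stats_t;

static const char *jar_get(const jar_t *jar, const char *name, stats_t *st) {
    st->lookups++;
    for (int i = 0; i < jar->n; i++)
        if (strcmp(jar->c[i].name, name) == 0) return jar->c[i].value;
    return NULL;
}

/* Parse "a=1; b=2" into the jar; modifies the buffer and points into it. */
static int jar_parse(jar_t *jar, char *header) {
    jar->n = 0;
    for (char *tok = strtok(header, ";"); tok != NULL; tok = strtok(NULL, ";")) {
        while (*tok == ' ') tok++;
        char *eq = strchr(tok, '=');
        if (eq == NULL || jar->n == MAX_COOKIES) return -1;
        *eq = '\0';
        jar->c[jar->n].name = tok;
        jar->c[jar->n].value = eq + 1;
        jar->n++;
    }
    return 0;
}

/* Strict decimal parse: rejects "", "12abc", "-1", "0x10", but deliberately
 * puts NO bound on the value.  A format check alone is not input validation. */
static int parse_decimal(const char *s, long *out) {
    if (*s < '0' || *s > '9') return ERR_FORMAT;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return ERR_FORMAT;
    *out = v;
    return OK;
}

/* max_chunks > 0: enforce 1 <= count <= max_chunks before doing any work.
 * max_chunks == 0: trust the cookie (the missing-validation shape). */
static int reassemble(const jar_t *jar, const char *name, long max_chunks,
                      char **out, stats_t *st) {
    char cname[128];
    long count;
    memset(st, 0, sizeof *st);
    *out = NULL;
    snprintf(cname, sizeof cname, "%s_chunks", name);
    const char *cv = jar_get(jar, cname, st);
    if (cv == NULL) return ERR_NOCOUNT;
    int rc = parse_decimal(cv, &count);
    if (rc != OK) return rc;
    if (max_chunks > 0 && (count < 1 || count > max_chunks)) return ERR_RANGE;
    /* Overflow guard: stops size_t wrap-around, but still lets the client pick
     * any allocation up to SIZE_MAX.  Only the range check above closes that. */
    if ((size_t)count > (SIZE_MAX - 1) / CHUNK_LEN) return ERR_OVERFLOW;
    size_t need = (size_t)count * CHUNK_LEN + 1;
    st->bytes_requested = need;
    char *buf = malloc(need);
    if (buf == NULL) return ERR_ALLOC;
    size_t used = 0;
    buf[0] = '\0';
    for (long i = 0; i < count; i++) {
        snprintf(cname, sizeof cname, "%s_%ld", name, i);   /* assumed "<name>_<i>" */
        const char *chunk = jar_get(jar, cname, st);
        if (chunk == NULL || strlen(chunk) > CHUNK_LEN) { free(buf); return ERR_CHUNK; }
        memcpy(buf + used, chunk, strlen(chunk));
        used += strlen(chunk);
        buf[used] = '\0';
    }
    *out = buf;
    return OK;
}

/* Constructed inputs: a legitimate 2-chunk session and a hostile count. */
static const char *const GOOD_HEADER =
    "mod_auth_openidc_session_chunks=2; "
    "mod_auth_openidc_session_0=eyJhbGciOi; mod_auth_openidc_session_1=JIUzI1NiJ9";
static const char *const HOSTILE_HEADER =
    "mod_auth_openidc_session_chunks=2000000000; mod_auth_openidc_session_0=x";

/* Copy the header (jar_parse is destructive), parse it and reassemble. */
static int run(const char *cookie_header, long max_chunks, char **out, stats_t *st) {
    char buf[512];
    jar_t jar;
    if (strlen(cookie_header) >= sizeof buf) return ERR_FORMAT;
    strcpy(buf, cookie_header);
    if (jar_parse(&jar, buf) != 0) return ERR_FORMAT;
    return reassemble(&jar, "mod_auth_openidc_session", max_chunks, out, st);
}

int main(void) {
    char *s = NULL;
    stats_t st;
    int rc = run(GOOD_HEADER, MAX_CHUNKS, &s, &st);
    printf("good      rc=%d session=%s lookups=%ld\n", rc, rc == OK ? s : "(none)", st.lookups);
    free(s);
    rc = run(HOSTILE_HEADER, 0, &s, &st);            /* client chose an 8 TB allocation */
    printf("unchecked rc=%d bytes_requested=%zu\n", rc, st.bytes_requested);
    free(s);
    rc = run(HOSTILE_HEADER, MAX_CHUNKS, &s, &st);   /* rejected before any allocation */
    printf("checked   rc=%d bytes_requested=%zu lookups=%ld\n", rc, st.bytes_requested, st.lookups);
    free(s);
    return 0;
}
```

With the check disabled, a single request whose chunk-count cookie reads 2000000000 drives an allocation request of roughly 8 TB before the server has looked at a single chunk; whether malloc fails or the later chunk lookup fails, the attacker has already chosen the cost. With the bound in place the same request is refused after one cookie lookup and zero bytes allocated. The general lesson is the one the advisory points at: any number taken from a cookie that later sizes a buffer or bounds a loop needs a range check, not just a syntax check.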
RH mageia 9 x86_64

Install current package

LC_ALL=C urpmi apache-mod_auth_openidc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  apache-mod_auth_openidc        2.4.13.2     1.mga9        x86_64
(medium "Core Updates (distrib3)")
  lib64cjose0                    0.6.1        3.1.mga9      x86_64
702KB of additional disk space will be used.
242KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64cjose0-0.6.1-3.1.mga9.x86_64.rpm
installing lib64cjose0-0.6.1-3.1.mga9.x86_64.rpm apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ######################################################################################
      1/2: lib64cjose0           ######################################################################################
      2/2: apache-mod_auth_openidc ######################################################################################

Update to testing version

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: apache-mod_auth_openidc ######################################################################################
      1/1: removing apache-mod_auth_openidc-2.4.13.2-1.mga9.x86_64 ######################################################################################

Test done by Herman in bug#29344

service httpd restart
Redirecting to /bin/systemctl restart httpd.service
service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-03-21 13:04:51 CST; 9s ago
   Main PID: 94399 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 6904)
     Memory: 15.6M
        CPU: 94ms
     CGroup: /system.slice/httpd.service
             ├─94399 /usr/sbin/httpd -DFOREGROUND
             ├─94401 /usr/sbin/httpd -DFOREGROUND
             ├─94402 /usr/sbin/httpd -DFOREGROUND
             ├─94403 /usr/sbin/httpd -DFOREGROUND
             ├─94404 /usr/sbin/httpd -DFOREGROUND
             └─94405 /usr/sbin/httpd -DFOREGROUND

mar 21 13:04:51 phoenix systemd[1]: Starting httpd.service...
mar 21 13:04:51 phoenix httpd[94399]: AH00558: httpd: Could not reliably determine the server's fully qualified domain n>
mar 21 13:04:51 phoenix systemd[1]: Started httpd.service.

Tested local pages without issues

Remove the packages

LC_ALL=C urpme apache-mod_auth_openidc lib64cjose0
removing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64 lib64cjose0-0.6.1-3.1.mga9.x86_64
removing package apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64
      1/2: removing apache-mod_auth_openidc-2.4.13.2-1.1.mga9.x86_64 ######################################################################################
removing package lib64cjose0-0.6.1-3.1.mga9.x86_64
      2/2: removing lib64cjose0-0.6.1-3.1.mga9.x86_64 ######################################################################################

No issues detected
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0081.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED