openSUSE has issued an advisory on April 15: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4RNEMKHJH72IHWVOIEQAKSXHOSDXQN3A/
Debian has issued an advisory on April 17: https://lists.debian.org/debian-security-announce/2025/msg00066.html
Status comment: (none) => Patches available from Debian and openSUSE
CVE: (none) => CVE-2025-31492
Source RPM: (none) => apache-mod_auth_openidc-2.4.15.6-1.mga10.src.rpm, apache-mod_auth_openidc-2.4.13.2-1.1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Fedora has issued an advisory on April 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Z7RSITAKS2ICGANCQP2TDUHMS2LZDXR/
Chasing Suse: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r says "The issue has been patched in mod_auth_openidc versions >= 2.4.16.11." and: https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127 is their patch. https://bugzilla.suse.com/show_bug.cgi?id=1240893#c19 says "I have verified that the testcase gives BEFORE [fault] for 2.4.16.10 and AFTER [OK] for 2.4.16.11" re previous comment. For QA, I would believe them! Looks like another version update. Assigning to Nicolas who has done recent CVE version updates.
Assignee: bugsquad => nicolas.salguero
Assignee: nicolas.salguero => pkg-bugs
Ubuntu has issued an advisory on April 23: https://ubuntu.com/security/notices/USN-7446-1
Suggested advisory:
========================

The updated package fixes a security vulnerability:

mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data. (CVE-2025-31492)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4RNEMKHJH72IHWVOIEQAKSXHOSDXQN3A/
https://lists.debian.org/debian-security-announce/2025/msg00066.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Z7RSITAKS2ICGANCQP2TDUHMS2LZDXR/
https://ubuntu.com/security/notices/USN-7446-1
========================

Updated package in core/updates_testing:
========================

apache-mod_auth_openidc-2.4.13.2-1.2.mga9

from SRPM:
apache-mod_auth_openidc-2.4.13.2-1.2.mga9.src.rpm
Status: NEW => ASSIGNED
Source RPM: apache-mod_auth_openidc-2.4.15.6-1.mga10.src.rpm, apache-mod_auth_openidc-2.4.13.2-1.1.mga9.src.rpm => apache-mod_auth_openidc-2.4.13.2-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status comment: Patches available from Debian and openSUSE => (none)
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 29344 for testing:
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Thu 2025-05-01 15:52:08 CEST; 13s ago
   Main PID: 344197 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 8806)
     Memory: 27.0M
        CPU: 676ms
     CGroup: /system.slice/httpd.service
             ├─344197 /usr/sbin/httpd -DFOREGROUND
             ├─344200 /usr/sbin/httpd -DFOREGROUND
             ├─344201 /usr/sbin/httpd -DFOREGROUND
             ├─344202 /usr/sbin/httpd -DFOREGROUND
             ├─344203 /usr/sbin/httpd -DFOREGROUND
             └─344204 /usr/sbin/httpd -DFOREGROUND

May 01 15:52:08 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
May 01 15:52:08 mach3.hviaene.thuis systemd[1]: Started httpd.service.
Pointed browser to localhost and got "It works!"
OK for me.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
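An added QA helper, not code from this bug, from Mageia, or from the mod_auth_openidc project, that ties together two points above: the earlier comment quoting the GHSA advisory (upstream patched in versions >= 2.4.16.11) and the test procedure just performed. The Mageia fix ships as 2.4.13.2-1.2.mga9, a backport that never reaches the upstream fixed version, so a scanner that only compares version numbers reports a patched host as vulnerable. The script compares dotted versions, falls back to looking for the CVE identifier in the RPM changelog, and in live mode repeats the httpd smoke test. The sample changelog entry is constructed, and the `--live` flag and the `assess` verdict strings are this example's own conventions.

```shell
#!/bin/sh
# Added QA helper (not from the Mageia bug, the distro, or mod_auth_openidc).
# Shows why "installed version >= 2.4.16.11?" is the wrong question for a
# distro backport, and what to check instead.

UPSTREAM_FIXED="2.4.16.11"   # from the GHSA advisory quoted in the bug
CVE_ID="CVE-2025-31492"

# version_ge A B: succeed when dotted version A is >= B, numeric component-wise.
# Missing trailing components count as 0, so 2.4 == 2.4.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# assess VERSION CHANGELOG: print upstream-fixed, backport-fixed or unpatched.
# Distro packages such as Mageia's 2.4.13.2-1.2.mga9 carry the fix without
# bumping to the upstream version, so the changelog is the fallback evidence.
assess() {
    ver="$1"; changelog="$2"
    if version_ge "$ver" "$UPSTREAM_FIXED"; then
        echo "upstream-fixed"
    elif printf '%s\n' "$changelog" | grep -q "$CVE_ID"; then
        echo "backport-fixed"
    else
        echo "unpatched"
    fi
}

# Constructed sample changelog entry (not a real Mageia changelog), shaped
# like the entry a backport would carry.
SAMPLE_CHANGELOG='* (constructed entry) 2.4.13.2-1.2.mga9
- backport upstream fix for CVE-2025-31492'

# Live mode, run as: sh check.sh --live (needs rpm, systemctl and curl).
if [ "${1:-}" = "--live" ]; then
    pkg=apache-mod_auth_openidc
    ver="$(rpm -q --qf '%{VERSION}' "$pkg")" || { echo "$pkg not installed"; exit 2; }
    echo "$pkg $ver: $(assess "$ver" "$(rpm -q --changelog "$pkg")")"
    # Same smoke test as the QA comment: httpd up and answering on localhost.
    systemctl is-active --quiet httpd || { echo "httpd is not running"; exit 3; }
    curl -fsS -o /dev/null -w 'httpd answered with HTTP %{http_code}\n' http://localhost/
fi
```

Offline, `assess 2.4.13.2 "$SAMPLE_CHANGELOG"` prints backport-fixed while `assess 2.4.13.2 ""` prints unpatched, which is exactly the distinction a version-only scanner cannot make; the live mode reads the real changelog with `rpm -q --changelog`, so the verdict for an installed package depends on the packager having named the CVE there.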
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0147.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED