mod_auth_openidc:2.3 security update
Errata ID: AXSA:2023-7316:01
Release date:
2023/12/27 Wednesday - 03:32
Title:
mod_auth_openidc:2.3 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The oidc_validate_redirect_url() function in mod_auth_openidc does not properly check URLs that begin with \t, so a remote attacker can perform an open redirect attack via a crafted URL. (CVE-2022-23527)
- mod_auth_openidc has a NULL pointer dereference in environments where OIDCStripCookies is configured, so a remote attacker can trigger a segmentation fault, and the resulting denial of service, via a crafted cookie. (CVE-2023-28625)
Modularity name: mod_auth_openidc
Stream name: 2.3
Solution:
Update the package.
CVE:
CVE-2022-23527
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.
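As an added illustration (not part of this advisory and not code from the mod_auth_openidc project), the following Python function shows the kind of check a redirect-target validator needs in order to reject the "/\t" pattern described for CVE-2022-23527 and to enforce an allowlist in the spirit of the OIDCRedirectURLsAllowed workaround. The allowlist pattern, the hostnames, the function name and the sample candidates are constructed for the example; it does not reproduce the module's own validation logic.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for illustration (hypothetical). OIDCRedirectURLsAllowed
# takes a regular expression that the destination must match; this plays the
# same role here.
ALLOWED_REDIRECT_RE = re.compile(r"^https://app\.example\.test(/.*)?$")


def is_safe_redirect_url(url: str, allowed_re: re.Pattern = ALLOWED_REDIRECT_RE) -> bool:
    """Return True only if `url` is a local single-slash path or matches the allowlist.

    A naive check such as `url.startswith("/") and not url.startswith("//")`
    accepts "/\\t//host", which a browser normalises to "//host" before
    navigating, so the check must look at the raw string first.
    """
    # Reject ASCII control characters and whitespace anywhere in the string.
    # Browsers strip tab and newline characters from URLs; do not rely on the
    # URL parser to catch them either, since recent Python versions strip
    # tabs/newlines in urlsplit() before parsing.
    if any(ord(c) < 0x21 or c == "\x7f" for c in url):
        return False
    # Some user agents treat a backslash as a forward slash.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: only an absolute path on this host is acceptable,
        # and a leading "//" would be a scheme-relative URL to another host.
        return url.startswith("/") and not url.startswith("//")
    # Absolute target: must match the allowlist exactly (scheme included).
    return allowed_re.match(url) is not None


def classify(candidates: list[str]) -> dict[str, bool]:
    """Evaluate each constructed candidate and return {url: allowed}."""
    return {u: is_safe_redirect_url(u) for u in candidates}


if __name__ == "__main__":
    # Constructed sample inputs covering the relative, scheme-relative,
    # whitespace-prefixed and allowlisted cases.
    samples = [
        "/dashboard",
        "/\t//evil.example/",
        "//evil.example/",
        "https://app.example.test/home",
        "https://app.example.test.evil.example/",
        "http://app.example.test/",
    ]
    for url, ok in classify(samples).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {url!r}")
```

The ordering matters: the control-character test runs on the raw string before any parsing, because the parser may have already discarded the tab by the time a scheme/netloc check sees the value. The allowlist is anchored at both ends and fixes the scheme, so a host that merely starts with the allowed name is not accepted.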
CVE-2023-28625
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.
Additional information:
N/A
Downloads:
SRPMS
- cjose-0.6.1-4.module+el8+1698+832e3207.src.rpm
MD5: f0efc81f057f274ff7f9424de46cdced
SHA-256: 68c5ac2041ae31f91ac81b9b4eeb51d24dfc7b0ab713451239af56c84b54bc64
Size: 1.52 MB
- mod_auth_openidc-2.4.9.4-5.module+el8+1698+832e3207.src.rpm
MD5: 7209dc615139e2c13b92d5eb1d79b424
SHA-256: 5f75fde33b4cc82eec34152a92b889f6a9f809a9a2a64e80744b75690148dd3c
Size: 271.69 kB
Asianux Server 8 for x86_64
- cjose-0.6.1-4.module+el8+1698+832e3207.x86_64.rpm
MD5: 0b61d1f4352e8386e90932ec4bdd47a5
SHA-256: c73b5b3a0a337921841a794f8770418e2ce0a233d681d9c2e28e76163093d492
Size: 183.40 kB
- cjose-debugsource-0.6.1-4.module+el8+1698+832e3207.x86_64.rpm
MD5: 4356187b8dba19e13be9fcd78a717856
SHA-256: 42c48ca8e3a8b16a36f3cbbf0200d920619dcd7cfaaa5bcc03ba30b273869593
Size: 41.52 kB
- cjose-devel-0.6.1-4.module+el8+1698+832e3207.x86_64.rpm
MD5: 1b9a7086f0a5e9b14c5ed7b321d846cf
SHA-256: 02a36aba8febd0557d96d674a6f0be9ee8415bccfbfc89a9b459889d6c86d258
Size: 17.64 kB
- mod_auth_openidc-2.4.9.4-5.module+el8+1698+832e3207.x86_64.rpm
MD5: 486768359e54ad66070a30bd831a4f00
SHA-256: 5bcfba413b9a5b8246af33a4ea1ccb0e0633e5670b98997c5733bad2dc458aa2
Size: 196.04 kB
- mod_auth_openidc-debugsource-2.4.9.4-5.module+el8+1698+832e3207.x86_64.rpm
MD5: a7d7268b0f37e915cd6d33c0cd489060
SHA-256: 276b4c6794762001bd8089b84b58a76c4ace25c7e440bcd283c4cf167cefa7d1
Size: 149.95 kB