mod_auth_openidc:2.3 - cjose-0.6.1-4.module+el8+1861+c379e080, mod_auth_openidc-2.4.9.4-7.module+el8+1861+c379e080
Errata ID: AXSA:2025-9893:01
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Security Fix(es):
* mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data (CVE-2025-31492)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-31492
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are: OIDCProviderAuthRequestMethod set to POST, a valid account, and no application-level gateway (load balancer, reverse proxy, etc.) in front of the server. When an unauthenticated client requests a protected resource, the response contains the HTTP status, the HTTP headers, the intended response (the self-submitting form) and then the protected resource itself (with no headers of its own). In the case where mod_auth_openidc returns the form, check_userid has to return OK so as not to go down the error path in httpd; this means httpd will then try to issue the protected resource. oidc_content_handler is called early and has the opportunity to prevent the normal output from being issued by httpd. oidc_content_handler has a number of checks for when it intervenes, but it does not check for this case, so the handler returns DECLINED and httpd appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >= 2.4.16.11.
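The leak described above has a simple observable signature: the body of an unauthenticated request for a protected URL contains the self-submitting POST form, and then, after the form's closing </html>, the protected resource itself. The following checker is an added example written for this advisory, not code from mod_auth_openidc or from Asianux; the form marker regex, the sample responses and the check_live() helper (hostname and path are whatever you point it at) are assumptions, and the sample responses are constructed, not captured from a real server.

```python
"""Offline check for the CVE-2025-31492 leak pattern: protected content
appended after mod_auth_openidc's self-submitting POST form."""
import http.client
import re

# Marker for the auto-submit form mod_auth_openidc emits when
# OIDCProviderAuthRequestMethod is POST (assumed shape, matched loosely).
AUTO_POST_FORM = re.compile(r'<form\b[^>]*\bmethod=["\']?post', re.IGNORECASE)


def trailing_content_after_form(body: bytes) -> bytes:
    """Return whatever follows the first </html> that closes the auto-POST form.

    A patched server returns only the form, so the result is empty; on a
    vulnerable server httpd appends the protected resource, so it is not.
    """
    text = body.decode("utf-8", errors="replace")
    form = AUTO_POST_FORM.search(text)
    if form is None:
        return b""  # no auto-POST form: not the vulnerable code path (e.g. GET redirect)
    close = text.lower().find("</html>", form.end())
    if close == -1:
        return b""  # malformed form page; nothing to conclude
    return text[close + len("</html>"):].strip().encode("utf-8")


def looks_vulnerable(body: bytes) -> bool:
    """True when protected bytes trail the self-submitting form."""
    return len(trailing_content_after_form(body)) > 0


def check_live(host: str, path: str, use_tls: bool = True) -> bool:
    """Fetch `path` with no session cookie and apply the check.

    Hypothetical target; run only against servers you are authorised to test.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("GET", path, headers={"Accept": "text/html"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    # The form is served with 200 OK (check_userid returned OK), which is
    # exactly why httpd goes on to emit the protected resource.
    return resp.status == 200 and looks_vulnerable(body)


# Constructed sample responses (not captured from a real server).
FORM_ONLY = (
    b'<html><body onload="document.forms[0].submit()">'
    b'<form method="post" action="https://op.example/authorize">'
    b'<input type="hidden" name="response_type" value="code"/>'
    b'<input type="hidden" name="client_id" value="rp"/>'
    b"</form></body></html>\n"
)
LEAKED = FORM_ONLY + b"<html><body><h1>Internal dashboard</h1>secret=42</body></html>"

if __name__ == "__main__":
    print("patched response leaks:", looks_vulnerable(FORM_ONLY))  # False
    print("vulnerable response leaks:", looks_vulnerable(LEAKED))  # True
    print(trailing_content_after_form(LEAKED)[:40])
```

Until the updated packages are installed, the precondition can be removed by setting OIDCProviderAuthRequestMethod back to GET (the module's default), which makes the module answer with a redirect instead of the form; the checker above returns False for that path because no auto-POST form is present.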
Modularity name: "mod_auth_openidc"
Stream name: "2.3"
Update packages.
N/A
SRPMS
- cjose-0.6.1-4.module+el8+1861+c379e080.src.rpm
MD5: 59e509b5aa4dcca0d82ff7408b4ccf6c
SHA-256: 0c6a564f050ca6626d5555a8f9b538859caf68e5ccb7e773a482376f7f72c8f7
Size: 1.52 MB
- mod_auth_openidc-2.4.9.4-7.module+el8+1861+c379e080.src.rpm
MD5: 54783146f0df1dba9bbe57cd48a3adfe
SHA-256: fdfada6aa728e17961d07dea4ae7f2f836b6d64a7cf827a2b113c156f4f44aec
Size: 275.51 kB
Asianux Server 8 for x86_64
- cjose-0.6.1-4.module+el8+1861+c379e080.x86_64.rpm
MD5: 73849bf8cba6246f45e1c6ef4abfe4ba
SHA-256: 4f906758419cc7dcd6914d39547523a399b8e4059099bdc3b9de6cef02957c44
Size: 183.94 kB
- cjose-debugsource-0.6.1-4.module+el8+1861+c379e080.x86_64.rpm
MD5: 7ee53eff671b32f71fefec754b2e313c
SHA-256: c28fcf1febec13657def37abb7f1081ef719d7f81d44bc93393e067e63d82a41
Size: 41.52 kB
- cjose-devel-0.6.1-4.module+el8+1861+c379e080.x86_64.rpm
MD5: 86095c79d072d50db9dbc6a7704fc805
SHA-256: 2a60b971e1e73b4f7e4c82d9cdf48ad738c4043c571f0eeb0dd3ea336dd5d1ce
Size: 17.64 kB
- mod_auth_openidc-2.4.9.4-7.module+el8+1861+c379e080.x86_64.rpm
MD5: 5ab21e0cc7f58ebbf2a24e2d5c095fc8
SHA-256: 87c502b712fbc5627a3782b6fd6994604d4b22071652c22916062e2ba3ab7aa1
Size: 196.84 kB
- mod_auth_openidc-debugsource-2.4.9.4-7.module+el8+1861+c379e080.x86_64.rpm
MD5: 15f986709b3b27f3ccfa4770264af38e
SHA-256: 6f1f18a7c8b791739574d5c35dcd06acb42dcfa4b822e8a54b3796205ac763ab
Size: 150.57 kB