Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: amd64
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect authentication module for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS) attack.
     If an attacker manipulated the value of the OpenIDC cookie to a very large
     integer like 99999999, the server struggled with the request for a long time
     and finally returned a 500 error. Making a few requests of this kind caused
     servers to become unresponsive, and so attackers could thereby craft requests
     that would make the server work very hard and/or crash with minimal effort.
     (Closes: #1064183)
Files:
 34888e79bdef34afff7b38c948f84d71 319344 debug optional libapache2-mod-auth-openidc-dbgsym_2.4.9.4-0+deb11u4_amd64.deb
 5f0b27c832b42a9e0185151f34554b48 8239 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64-buildd.buildinfo
 b5d0c432d0e9759186366edf8143ca3c 181132 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.deb