Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: i386
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect authentication module for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS)
     attack. If an attacker manipulated the value of the OpenIDC cookie to a
     very large integer like 99999999, the server struggled with the request
     for a long time and finally returned a 500 error. Making a few requests
     of this kind caused servers to become unresponsive, and so attackers
     could thereby craft requests that would make the server work very hard
     and/or crash with minimal effort.
     (Closes: #1064183)