-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:20:00 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: amd64
Version: 2.4.12.3-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect Relying Party implementation for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
 .
   * CVE-2024-24814: Missing input validation on
     mod_auth_openidc_session_chunks cookie value made the server
     vulnerable to a Denial of Service (DoS) attack. If an attacker
     manipulated the value of the OpenIDC cookie to a very large integer
     like 99999999, the server struggled with the request for a long time
     and finally returned a 500 error. Making a few requests of this kind
     caused servers to become unresponsive, and so attackers could thereby
     craft requests that would make the server work very hard and/or crash
     with minimal effort.
     (Closes: #1064183)
Checksums-Sha1:
 2318034383b8d2a4811897b3f6d8b09539c033f2 331580 libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_amd64.deb
 3a89442e0acfb8b999eec1b43892f0d58552ebad 7986 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64-buildd.buildinfo
 fb745ad28aa917527dffb7763206bb82fbf1f153 186960 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.deb
Checksums-Sha256:
 572b0bb91ed78a9451ec44c0707204c62b891eeab168764bfc3faa0b226961c2 331580 libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_amd64.deb
 62074c7e79d903428dd08b9823e4117be91cb2c31ea61d994d54caa4b144fa36 7986 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64-buildd.buildinfo
 cf99bd549e7cef9431335cd8af3cc1c69fed1790886a793100b7f765eb3aa61f 186960 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.deb
Files:
 9da6ef72ac37ceb3d8c426e3d04f84d2 331580 debug optional libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_amd64.deb
 4908ae1a72d283f4dfff81f33b746a6d 7986 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64-buildd.buildinfo
 873da5c0a7d4eddd93c55af409722e7e 186960 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----