-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:20:00 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: i386
Version: 2.4.12.3-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect Relying Party implementation for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS) attack.
     If an attacker manipulated the value of the OpenIDC cookie to a very large
     integer like 99999999, the server struggled with the request for a long time
     and finally returned a 500 error. Making a few requests of this kind caused
     servers to become unresponsive, and so attackers could thereby craft
     requests that would make the server work very hard and/or crash with
     minimal effort.
     (Closes: #1064183)
Checksums-Sha1:
 9972d8b3c252b4e5b7e06f1557dbda55a59df05c 260652 libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_i386.deb
 559928160085fbf7c27994822f29248ee0430dcd 7926 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386-buildd.buildinfo
 2126321beb5627457c2cb441d5dfadb5396a8b0c 194468 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386.deb
Checksums-Sha256:
 c4ac096d8e615b722b3d726f9d57d61c6070ea99bcdc1f188fb6354e4d6cb147 260652 libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_i386.deb
 60ad7c550ca2ab0bd3732e05edde45b6f307a0deb45b69f3b1a15784dd560a2c 7926 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386-buildd.buildinfo
 6e1569588bf5f9e12144b1e4c16618c2a359ad062220f5d2cc70686b15186f22 194468 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386.deb
Files:
 8074ea4b89330d7393fd405b8de1bf4c 260652 debug optional libapache2-mod-auth-openidc-dbgsym_2.4.12.3-2+deb12u1_i386.deb
 c1bd7374bae68577831fbadb9853fa32 7926 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386-buildd.buildinfo
 0e582382583488d66298bdbec83d37d9 194468 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_i386.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErEDrIdpJkzFMm6K+PyQET5WCY90FAmYmm5gACgkQPyQET5WC
Y93pEw/5AcYGxCrWC0BEpk4zo4GVE6euY4KOhJY6EZwc2KI8Z14QGsSQ0eLcxfyC
jvXHXAEHOdEhXiVcxgjah/NAhnDwkuGypzh/6zPk3EO0frcxtC74p2fkY4IBvnJy
f0NfnczUTUxKcuzfEyO2NN5IdrrzWhsxM6VQT8m6lRbDJirVrSwbVQSws3pT25tw
ijuoxSZb1r+SWpHnx2ssligKZxjx43Jl0xu5jURmK+J2Pd03xofaKgP85rs4YqWL
LXWWbenVvzZhh9m/T06jK4Che3AutkABWapy8Ae9MIkYtpJ+/72C/eKYnyGb8Ilq
qZX+wRIhSnc07/s3oImfflPFROrTuspsYSxEoEelm++kN+5GuXKWfgWaYj47W/Ge
+6J+2c3ZPO709dg5myZCscn9F7ENjQuGRwyKIk9kahlt4+y1z9B0iTo6kX6pTPZZ
p6YDtlG+CbVIrJs6BxuJM3tBhkFrvBBM/p2z2Hby7NwRMnYzQeIxwuXnjGxk2M83
+RzfIHMjqHBF1hsAbNoJeqCyn800PDO/ywDiNP7av01HPXAQX1CDpd2qXE2zaTp1
CxmKgwsc44wKQqRgd95/P5ALY0FamcaIPmfP8FpwCNpx8YEgFkTP3hT9MwXPMtqA
QH/9se9FVxpgHwXRplOACR95yIUNbf76YLNWKi86jbIg/geWOAU=
=AyHh
-----END PGP SIGNATURE-----
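The changelog entry above describes the shape of CVE-2024-24814: a client-supplied chunk counter in the mod_auth_openidc_session_chunks cookie drives a loop of cookie lookups, so a value like 99999999 makes the server do work proportional to whatever the attacker writes. The following is an added illustrative model of that pattern and of the bound check that closes it. It is not mod_auth_openidc's own code; the base cookie name, the 32-chunk limit and the length cap on the counter are assumptions, and the two Cookie headers are constructed for the demo (500000 is used instead of 99999999 so the vulnerable path finishes quickly).

```python
"""Illustrative model of chunked-cookie reassembly (not mod_auth_openidc's code).

Shows why an unvalidated chunk counter is a DoS vector and what validating
it before any work looks like. Cookie base name, MAX_CHUNKS and the
counter length cap are assumptions made for this example.
"""

from typing import Dict, Optional, Tuple

COOKIE_NAME = "mod_auth_openidc_session"  # assumed base cookie name
CHUNKS_SUFFIX = "_chunks"                 # the "_chunks" counter cookie named in the changelog
MAX_CHUNKS = 32                           # hypothetical upper bound on accepted chunks


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie: header into a name->value map (first occurrence wins)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def reassemble_unbounded(cookies: Dict[str, str], name: str) -> Tuple[Optional[str], int]:
    """Vulnerable pattern: trust the client-supplied counter and loop over it.

    Returns (value, number_of_lookups) so the wasted work is measurable.
    """
    count = int(cookies.get(name + CHUNKS_SUFFIX, "0"))
    if count <= 0:
        return cookies.get(name), 0
    parts = []
    lookups = 0
    for i in range(count):              # attacker controls the trip count
        lookups += 1
        parts.append(cookies.get(f"{name}_{i}", ""))
    value = "".join(parts)
    return (value or None), lookups


def reassemble_bounded(cookies: Dict[str, str], name: str,
                       max_chunks: int = MAX_CHUNKS) -> Tuple[Optional[str], int]:
    """Hardened pattern: validate the counter before it drives any work."""
    raw = cookies.get(name + CHUNKS_SUFFIX)
    if raw is None:
        return cookies.get(name), 0
    # Reject anything that is not a short ASCII decimal before converting it.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > len(str(max_chunks)):
        raise ValueError(f"invalid chunk count {raw!r}")
    count = int(raw)
    if not 1 <= count <= max_chunks:
        raise ValueError(f"chunk count {count} outside 1..{max_chunks}")
    parts = []
    for i in range(count):
        chunk = cookies.get(f"{name}_{i}")
        if chunk is None:               # a declared chunk is missing: fail closed
            raise ValueError(f"missing chunk {i} of {count}")
        parts.append(chunk)
    return "".join(parts), count


# Constructed sample headers for the demo (not captured traffic).
LEGIT_HEADER = "; ".join([
    f"{COOKIE_NAME}{CHUNKS_SUFFIX}=3",
    f"{COOKIE_NAME}_0=AAAA", f"{COOKIE_NAME}_1=BBBB", f"{COOKIE_NAME}_2=CCCC",
])
# The changelog cites 99999999; 500000 keeps the run short while showing the linear cost.
HOSTILE_HEADER = f"{COOKIE_NAME}{CHUNKS_SUFFIX}=500000; {COOKIE_NAME}_0=AAAA"


def demo() -> Dict[str, object]:
    """Run both reassembly variants against the legitimate and hostile headers."""
    legit = parse_cookie_header(LEGIT_HEADER)
    hostile = parse_cookie_header(HOSTILE_HEADER)
    results: Dict[str, object] = {
        "legit_unbounded": reassemble_unbounded(legit, COOKIE_NAME),
        "legit_bounded": reassemble_bounded(legit, COOKIE_NAME),
        "hostile_unbounded_lookups": reassemble_unbounded(hostile, COOKIE_NAME)[1],
    }
    try:
        reassemble_bounded(hostile, COOKIE_NAME)
        results["hostile_bounded"] = "accepted"
    except ValueError as exc:
        results["hostile_bounded"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

The point of the bounded variant is the order of operations: the counter is checked for shape and range before a single lookup or allocation happens, so a hostile request is rejected at constant cost instead of being charged to the server. The unbounded variant reports how many lookups the hostile header forced, which is the cost that scaled with the attacker's integer in the advisory.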