{"schema_version":"1.7.2","id":"OESA-2023-1235","modified":"2023-04-21T11:05:10Z","published":"2023-04-21T11:05:10Z","upstream":["CVE-2022-23527","CVE-2023-28625"],"summary":"mod_auth_openidc security update","details":"This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) to an OpenID Connect Provider (OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed. (CVE-2022-23527)\r\n\r\nmod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue.\r\nAs a workaround, avoid using `OIDCStripCookies`. (CVE-2023-28625)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS","name":"mod_auth_openidc","purl":"pkg:rpm/openEuler/mod_auth_openidc\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.13.2-1.oe2203"}]}],"ecosystem_specific":{"aarch64":["mod_auth_openidc-2.4.13.2-1.oe2203.aarch64.rpm","mod_auth_openidc-debugsource-2.4.13.2-1.oe2203.aarch64.rpm","mod_auth_openidc-debuginfo-2.4.13.2-1.oe2203.aarch64.rpm"],"src":["mod_auth_openidc-2.4.13.2-1.oe2203.src.rpm"],"x86_64":["mod_auth_openidc-debuginfo-2.4.13.2-1.oe2203.x86_64.rpm","mod_auth_openidc-debugsource-2.4.13.2-1.oe2203.x86_64.rpm","mod_auth_openidc-2.4.13.2-1.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1235"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23527"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28625"}],"database_specific":{"severity":"High"}}