CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.
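A quick audit check for the two conditions the advisory names (an affected build and OIDCStripCookies set), added here as an example and not code from the mod_auth_openidc project; the config fragments are constructed, and the check assumes a flat httpd.conf with no Include files.

```python
import re

# Affected range as stated in the advisory text above (fixed in 2.4.13.2).
AFFECTED_MIN = "2.0.0"
AFFECTED_MAX = "2.4.13.1"

# Apache directives are matched case-insensitively; lines starting with '#' are comments.
_STRIP_RE = re.compile(r"^\s*OIDCStripCookies\b", re.IGNORECASE)


def parse_version(text):
    """Turn '2.4.13.1' into a comparable tuple, padded so 2.4.12 sorts below 2.4.12.1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def uses_strip_cookies(config_text):
    """True if any non-comment line sets OIDCStripCookies (assumes a flat config, no Include)."""
    for line in config_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("#"):
            continue
        if _STRIP_RE.match(stripped):
            return True
    return False


def assess(module_version, config_text):
    """Return 'vulnerable', 'workaround' or 'not_affected' for CVE-2023-28625."""
    v = parse_version(module_version)
    in_range = parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)
    if not in_range:
        return "not_affected"   # older than 2.0.0 or already on 2.4.13.2+
    if uses_strip_cookies(config_text):
        return "vulnerable"     # upgrade to 2.4.13.2 or drop the directive
    return "workaround"         # affected build, but the trigger directive is unset


# Constructed sample config fragments (not from the project).
CONF_WITH_STRIP = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
OIDCStripCookies mod_auth_openidc_session
"""
CONF_COMMENTED_OUT = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# OIDCStripCookies mod_auth_openidc_session
"""
```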

Security

  • CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
    GHSA-f5xw-rvfr-24qr
  • fix code scanning alerts from 2 code scanning tools all over the place

Features

  • add support for Elliptic Curve signing/encryption keys in addition to RSA keys,
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
    and used in private_key_jwt authentication, encrypted id_tokens, request objects/URIs,
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
  • record authorization errors in environment variable OIDC_AUTHZ_ERROR
    so its value can be used in logs e.g. with HTTP 401 responses in the access log:
    LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
    also log authorization errors with oidc_debug instead of oidc_info

Bugfixes

  • fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
  • allow target_link_uri values without a path in 3rd-party-init SSO with a multi-provider setup
  • correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

Related news

Debian Security Advisory 5405-1

Debian Linux Security Advisory 5405-1 - It was discovered that missing input sanitizing in the implementation of the OIDCStripCookie option in mod_auth_openidc could result in denial of service.