CVE-2017-6059: Release release 2.1.4 · OpenIDC/mod_auth_openidc

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.


This is a minor release with relatively few features and bugfixes. Accompanying libcjose packages can be found in the 2.1.3 release. Ubuntu Wily packages can also be used on Xenial and Yakkety. CentOS 6 RPMs now depend on libhiredis-0.12, available e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

Bugfixes

  • don’t crash when data is POST-ed to the redirect URL with exactly one POST parameter that is not response_mode
  • use dynamic memory buffer for writing HTTP call responses which happens to solve (at least) libcurl/mpm-event interference on Debian Stretch; see #207
  • remove trailing linebreaks from input in test-cmd tool

Features

  • support LibreSSL, see #205, thanks @AliceWonderMiscreations
  • update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html
  • log errors in the error log on invalid requests to redirect URI

Security

  • don’t echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke
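The defect class behind that fix, shown as an added illustration rather than as code from mod_auth_openidc: an error handler that copies the raw query string of an invalid redirect-URI request into the HTML it serves lets anyone who can get a user to open a crafted link place their own text on a page served from the legitimate origin. The hardened handler serves a fixed message and sends the offending query to the error log instead, matching the two 2.1.4 changes above. The function names, the buffer-based stand-in for Apache's error log, and the sample query are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a request to the redirect URI whose parameters do not
   form a valid response; the "response" value is attacker-chosen markup. */
static const char *SAMPLE_QUERY =
    "state=abc&response=<b>CONSTRUCTED-UNTRUSTED-TEXT</b>";

/* Pre-fix behaviour (illustrative): the error page repeats the raw query
   string, so untrusted input becomes part of a page on the trusted origin. */
int render_error_echoing(const char *query, char *out, size_t out_len) {
    int n = snprintf(out, out_len,
        "<html><body><h1>Error</h1>"
        "<p>Invalid request to redirect URI: %s</p></body></html>",
        query);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Post-fix behaviour: the page carries only a fixed message; the query that
   triggered the error goes to the server log (a caller-supplied buffer here,
   standing in for Apache's error log). */
int render_error_fixed(const char *query, char *out, size_t out_len,
                       char *log, size_t log_len) {
    int n = snprintf(out, out_len,
        "<html><body><h1>Error</h1>"
        "<p>Invalid request to redirect URI.</p></body></html>");
    if (n < 0 || (size_t)n >= out_len) return -1;
    n = snprintf(log, log_len,
                 "invalid request to redirect URI, query=\"%s\"", query);
    return (n >= 0 && (size_t)n < log_len) ? 0 : -1;
}

/* Check: does the rendered page contain the untrusted text verbatim? */
int page_echoes_input(const char *page, const char *needle) {
    return strstr(page, needle) != NULL;
}

/* Render the sample query with the pre-fix (use_fix == 0) or post-fix
   (use_fix != 0) handler and report whether the untrusted markup reached
   the page: 1 = echoed, 0 = not echoed, -1 = render error. */
int sample_page_echoes(int use_fix) {
    char page[512], log[512];
    int rc = use_fix
        ? render_error_fixed(SAMPLE_QUERY, page, sizeof page, log, sizeof log)
        : render_error_echoing(SAMPLE_QUERY, page, sizeof page);
    if (rc != 0) return -1;
    return page_echoes_input(page, "<b>CONSTRUCTED-UNTRUSTED-TEXT</b>");
}

int main(void) {
    char page[512], log[512];
    render_error_echoing(SAMPLE_QUERY, page, sizeof page);
    printf("before fix, page echoes input: %d\n", sample_page_echoes(0));
    render_error_fixed(SAMPLE_QUERY, page, sizeof page, log, sizeof log);
    printf("after fix, page echoes input: %d\n", sample_page_echoes(1));
    printf("after fix, log line: %s\n", log);
    return 0;
}
```

The point of the split is where the untrusted value ends up: a server log that administrators read for diagnosis versus an HTML body that the lured user reads as coming from the site. HTML-escaping the echoed value would prevent markup injection but would still let attacker-written plain text appear in the page, which is why the release dropped the echo entirely.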
