On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. The memcpy call overflows the destination buffer, which has a size of 512 bytes. An attacker can send an arbitrarily long "url" value in order to overwrite the saved-PC with 0x42424242.

**Summary**

Multiple exploitable buffer overflow vulnerabilities exist in the camera “update” feature of video-core’s HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

**Product URLs**

https://www.smartthings.com/products/smartthings-hub

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

Samsung produces a series of devices aimed at controlling and monitoring a home, such as wall switches, LED bulbs, thermostats and cameras. One of those is the Samsung SmartThings Hub, a central controller which allows an end user to use their smartphone to connect to their house remotely and operate other devices through it. The hub board utilizes several systems on chips. The firmware in question is executed by an i.MX 6 SoloLite processor (Cortex-A9), which has an ARMv7-A architecture.

The firmware is Linux-based, and runs a series of daemons that interface with devices nearby via ethernet, ZigBee, Z-Wave and Bluetooth protocols. Additionally, the hubCore process is responsible for communicating with the remote SmartThings servers via a persistent TLS connection. These servers act as a bridge that allows for secure communication between the smartphone application and the hub. End users can simply install the SmartThings mobile application on their smartphone to control the hub remotely.

One of the features of the hub is that it connects to smart cameras, configures them and looks at their livestreams. For testing, we set up the Samsung SmartCam SNH-V6414BN on the hub. Once done, the livestream can be displayed by the smartphone application by connecting either to the remote SmartThings servers, or directly to the camera, if they’re both in the same subnetwork.

Inside the hub, the livestream is handled by the video-core process, which uses ffmpeg to connect via RTSP to the smart camera in its same local network, and at the same time, provides a streamable link for the smartphone application.

The remote SmartThings servers have the possibility to communicate with the video-core process by sending messages in the persistent TLS connection, established by the hubCore process. These messages can encapsulate an HTTP request, which hubCore would relay directly to the HTTP server exposed by video-core. The HTTP server listens on port 3000, bound to the localhost address, so a local connection is needed to perform this request.

We identified a vulnerable request that can be exploited to achieve code execution on the video-core process, which is running as root. By sending a PATCH request for the /cameras/<camera-id> path it’s possible to replace the URL and the “state” value of an existing camera.

Such request is handled by function sub_49B4C:

    .text:00049B4C     sub_49B4C
    .text:00049B4C
    .text:00049B4C 000        STMFD           SP!, {R4-R11,LR}
    .text:00049B50 024        ADD             R12, R3, #8
    .text:00049B54 024        ADD             R11, SP, #0x20
    .text:00049B58 024        SUB             SP, SP, #0x3580
    .text:00049B5C 35A4       BIC             R12, R12, #7
    .text:00049B60 35A4       SUB             SP, SP, #0x2C
    .text:00049B64 35D0       SUB             R4, R11, #-var_3000
    ...
    .text:00049BCC 35D0       BL              http_required_json_parameters  ; [1]
    ...
    .text:00049C90 000        BL              json_tokener_parse             ; [2]
    ...
    .text:00049D10 000        BL              db_camera_by_id                ; [3]
    .text:00049D14 000        SUB             R3, R11, #-var_3580
    .text:00049D18 000        CMN             R0, #4
    .text:00049D1C 000        SUB             R3, R3, #0x2C
    .text:00049D20 000        LDR             R12, [R3]
    .text:00049D24 000        BEQ             loc_49FD8
    .text:00049D28 000        CMP             R8, #0
    .text:00049D2C 000        BNE             loc_4A270
    ...
    .text:0004A130     loc_4A130
    .text:0004A130 000        SUB             R3, R11, #-var_3580
    .text:0004A134 000        MOV             R1, #:lower16:state            ; "state"
    .text:0004A138 000        SUB             R3, R3, #0x30
    .text:0004A13C 000        STR             R12, [R3]
    .text:0004A140 000        SUB             R3, R11, #-var_3580
    .text:0004A144 000        MOVT            R1, #:upper16:state            ; "state"
    .text:0004A148 000        SUB             R3, R3, #0x2C
    .text:0004A14C 000        LDR             R2, [R3]
    .text:0004A150 000        SUB             R3, R11, #-var_3580
    .text:0004A154 000        SUB             R3, R3, #0x28
    .text:0004A158 000        LDR             R0, [R3]                       ; jso
    .text:0004A15C 000        BL              json_object_object_get_ex      ; [4]
    .text:0004A160 000        SUB             R3, R11, #-var_3580
    .text:0004A164 000        CMP             R0, #0
    .text:0004A168 000        SUB             R3, R3, #0x30
    .text:0004A16C 000        LDR             R12, [R3]
    .text:0004A170 000        BNE             loc_4A180
    ...
    .text:0004A180     loc_4A180
    .text:0004A180 000        SUB             R3, R11, #-var_3580
    .text:0004A184 000        LDR             R0, [R4,#-0x580]
    .text:0004A188 000        SUB             R3, R3, #0x2C
    .text:0004A18C 000        STR             R12, [R3]
    .text:0004A190 000        BL              json_object_to_json_string     ; [5]
    .text:0004A194 000        SUB             R3, R11, #-var_3580
    .text:0004A198 000        SUBS            R5, R0, #0
    .text:0004A19C 000        SUB             R3, R3, #0x2C
    .text:0004A1A0 000        LDR             R12, [R3]
    .text:0004A1A4 000        BEQ             loc_4A3CC
    .text:0004A1A8 000        BL              strlen                         ; [6]
    .text:0004A1AC 000        SUB             R3, R11, #-var_2040
    .text:0004A1B0 000        MOV             R2, R0
    .text:0004A1B4 000        SUB             R3, R3, #0x28
    .text:0004A1B8 000        MOV             R1, R5
    .text:0004A1BC 000        ADD             R0, R3, #0x810
    .text:0004A1C0 000        ADD             R0, R0, #8
    .text:0004A1C4 000        BL              memcpy                         ; [7]
    .text:0004A1C8 000        MOV             R0, R5
    .text:0004A1CC 000        BL              strlen
    ...
    .text:0004A270     loc_4A270
    .text:0004A270 000        SUB             R3, R11, #-var_3580
    .text:0004A274 000        SUB             R2, R11, #-var_3580
    .text:0004A278 000        SUB             R3, R3, #0x30
    .text:0004A27C 000        STR             R12, [R3]
    .text:0004A280 000        SUB             R3, R11, #-var_3580
    .text:0004A284 000        SUB             R2, R2, #0x2C
    .text:0004A288 000        SUB             R3, R3, #0x24
    .text:0004A28C 000        MOV             R1, R7
    .text:0004A290 000        STR             R3, [R2]
    .text:0004A294 000        MOV             R2, R3
    .text:0004A298 000        SUB             R3, R11, #-var_3580
    .text:0004A29C 000        MOV             R6, #:lower16:debug_log
    .text:0004A2A0 000        SUB             R3, R3, #0x28
    .text:0004A2A4 000        LDR             R0, [R3]                       ; jso
    .text:0004A2A8 000        BL              json_object_object_get_ex      ; [4]
    .text:0004A2AC 000        SUB             R3, R11, #-var_3580
    .text:0004A2B0 000        CMP             R0, #0
    .text:0004A2B4 000        SUB             R3, R3, #0x30
    ...
    .text:0004A2D0 000        SUB             R3, R11, #-var_3580
    .text:0004A2D4 000        LDR             R0, [R4,#-0x580]
    .text:0004A2D8 000        SUB             R3, R3, #0x30
    .text:0004A2DC 000        STR             R12, [R3]
    .text:0004A2E0 000        BL              json_object_to_json_string     ; [5]
    .text:0004A2E4 000        SUB             R3, R11, #-var_3580
    .text:0004A2E8 000        SUBS            R5, R0, #0
    .text:0004A2EC 000        SUB             R3, R3, #0x30
    .text:0004A2F0 000        LDR             R12, [R3]
    .text:0004A2F4 000        BEQ             loc_4A44C
    .text:0004A2F8 000        BL              strlen                         ; [6]
    .text:0004A2FC 000        SUB             R3, R11, #-var_2040
    .text:0004A300 000        MOV             R2, R0
    .text:0004A304 000        SUB             R3, R3, #0x24
    .text:0004A308 000        MOV             R1, R5
    .text:0004A30C 000        ADD             R0, R3, #0x610
    .text:0004A310 000        BL              memcpy                         ; [7]
    .text:0004A314 000        MOV             R0, R5
    .text:0004A318 000        BL              strlen
    .text:0004A31C 000        SUB             R3, R11, #-var_1A40
    .text:0004A320 000        SUB             R3, R3, #0x18
    .text:0004A324 000        STR             R0, [R3]
    .text:0004A328 000        SUB             R3, R11, #-var_3580
    .text:0004A32C 000        SUB             R3, R3, #0x30
    .text:0004A330 000        LDR             R12, [R3]
    .text:0004A334 000        CMP             R12, #0
    .text:0004A338 000        BNE             loc_4A130
    ...
    

Note that the binary embeds the “json-c” library that is used to manage JSON objects.

The function initially calls http_required_json_parameters at \[1\] to verify that all the required parameters are specified in the JSON request, the parameters are url and state. The JSON payload sent in the request is then parsed using json_tokener_parse \[2\] and the “camera-id” specified in the request path is verified to exist in the database \[3\]. Then, both url and state parameters are extracted using the following sequence:

    - Call to `json_object_object_get_ex` [4] and `json_object_to_json_string` [5] for extracting a parameter by key name.
    - Copy the parameter value in a buffer on the stack, using `strlen` [6] and `memcpy` [7].
    

We can see that the length value for the memcpy call is set from the strlen output of the source string itself. At high level this would be:

    memcpy(stack_buffer, json_parameter, strlen(json_parameter));
    

Since json_parameter is controlled by the user, there is no restriction on the length of the copy operation, which allows for overflowing the stack buffer and execute arbitrary code.

We identified two different vectors that allow for exploiting this vulnerability:

*   Anyone able to impersonate the remote SmartThings servers can send arbitrary HTTP requests to hubCore that would be relayed without modification to the vulnerable video-core process.
*   SmartThings SmartApps allow for the creation of custom applications that can be either published directly into the device itself or on the public marketplace. A SmartApp is executed inside the hubCore process and is allowed to make any localhost connection. It is thus possible for a SmartApp to send arbitrary HTTP requests directly to the vulnerable video-core process.

A third vector might exist, which we decided not to test to avoid damaging any live infrastructure. This would consist of sending a malicious request from the SmartThings mobile application to the remote SmartThings servers. In turn, depending on the remote APIs available, the servers could relay the malicious payload back to the device via the persistent TLS connection. To use this vector, an attacker would need to own a valid OAuth bearer token, or the relative username and password pair to obtain it.

The following is a list of each vulnerability and its proof of concept. A key with value “x” means that its value is irrelevant, but the key still needs to be present. It’s also assumed that a camera is already present and its id is represented by the variable “${sCameraId}”.

**CVE-2018-3903 - “url” key**

The memcpy call overflows the destination buffer, which has a size of 512 bytes. An attacker can send an arbitrarily long “url” value in order to overwrite the saved-PC with 0x42424242:

    $ curl -X PATCH "http://127.0.0.1:3000/cameras/${sCameraId}" -d '{"url":"'$(perl -e 'print "A"x6740')BBBBX'","state":"x"}'
    

**CVE-2018-3904 - “state” key**

The memcpy call overflows the destination buffer, which has a size of 512 bytes. An attacker can send an arbitrarily long “state” value in order to overwrite the saved-PC with 0x42424242:

    $ curl -X PATCH "http://127.0.0.1:3000/cameras/${sCameraId}" -d '{"url":"x","state":"'$(perl -e 'print "A"x6224')BBBBX'"}'
    

**Timeline**

2018-04-16 - Vendor Disclosure  
2018-05-23 - Discussion with vendor/review of timeline for disclosure  
2018-07-17 - Vendor patched  
2018-07-26 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2018-3903: TALOS-2018-0574 || Cisco Talos Intelligence Group

Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.

CVE-2014-0208: Foreman :: Security

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Secure Open Source has completed the following audits.

**Contents**

*   1 2019
    *   1.1 tcpdump & libpcap
    *   1.2 libssh
*   2 2018
    *   2.1 graphite
    *   2.2 Thunderbird and Enigmail
    *   2.3 SimpleSAMLphp
    *   2.4 oauth2-server
    *   2.5 Knot DNS
*   3 2017
    *   3.1 CakePHP
    *   3.2 chrony
    *   3.3 expat
    *   3.4 GNU libmicrohttpd
    *   3.5 oauth2-server
    *   3.6 dovecot
    *   3.7 ntp
    *   3.8 ntpsec
*   4 2016
    *   4.1 PCRE
    *   4.2 libjpeg-turbo
    *   4.3 phpMyAdmin
    *   4.4 dnsmasq
    *   4.5 zlib
    *   4.6 curl

**2019****tcpdump & libpcap**

Dates: 2019

tcpdump & libpcap are a powerful command-line packet analyzer and a portable C/C++ library for network traffic capture, respectively. The audit was performed by Michael Richardson.

The team found the following problems:

*   8 Verified Fixes

The documents are as follows:

*   Audit report
*   Fix and validation log

**libssh**

Dates: 2019

libshh is a multiplatform C library implementing the SSHv2 protocol on client and server side. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   1 Medium
*   7 Low
*   3 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**2018****graphite**

Dates: August 2018

graphite is "a "smart font" system developed specifically to handle the complexities of lesser-known languages of the world. The audit was performed by Radically Open Security.

The team found the following problems:

*   1 Elevated
*   9 Moderate
*   11 Low

The documents are as follows:

*   Audit report
*   Fix and validation log

**Thunderbird and Enigmail**

Dates: January 2018

Thunderbird and Enigmail work together to provide a free, simple interface for OpenPGP email security. The audit was performed by Cure53.

The team found the following problems:

*   3 Critical
*   3 High
*   3 Medium

The documents are as follows:

*   Audit report
*   Fix and validation log

**SimpleSAMLphp**

Dates: January 2018

SimpleSAMLphp is an application written in native PHP that deals with authentication. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   3 Medium
*   1 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**oauth2-server**

Dates: September 2017 - February 2018

oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by Least Authority.

The team found the following problems:

*   1 High
*   3 Medium
*   1 Low
*   2 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**Knot DNS**

Dates: September 2017 - January 2018

Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the modern domain name system. Also audited was Knot Resolver, a caching full DNS resolver implementation, including both a resolver library and a daemon. The audit was performed by Least Authority.

The team found the following problems:

*   4 Medium
*   7 Low
*   2 Informational

Least Authority made the following comment on the code quality: "Overall,​ ​we​​ found​​ the​​ code​​ to​​ be​​ well​ structured​ and​ cleanly​ written. Additionally​ Knot​ makes good​ use​ of​ available​ tools,​ such​ as​ fuzzers​ and​ compiler​ sanitizers."

The documents are as follows:

*   Audit report
*   Fix and validation log

**2017****CakePHP**

Dates: July - November 2017

CakePHP is an open source web framework in PHP. The audit was performed by NCC Group.

The team found the following problems:

*   1 High
*   5 Medium
*   9 Low
*   5 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**chrony**

Dates: June - September 2017

chrony is an implementation of the Network Time Protocol, used either to set the time on a particular machine or act as an NTP server for other machines on the network. The audit was performed by Cure53, and kindly funded by CII.

The team found the following problems:

*   2 Low

Cure53 write: The overwhelmingly positive result of this security assignment performed by three Cure53 testers can be clearly inferred from a marginal number and low-risk nature of the findings amassed in this report. Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. It is quite safe to assume that untested software in the Chrony family is of a similarly exceptional quality. In general, the software proved to be well-structured and marked by the right abstractions at the appropriate locations. While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy.

The documents are as follows:

*   Audit report
*   Fix and validation log

**expat**

Dates: February - July 2017

expat is a stream-oriented XML parser library written in C. The audit was performed by Radically Open Security.

The team found the following problems:

*   4 Medium
*   3 Low

The documents are as follows:

*   Audit report
*   Fix and validation log

**GNU libmicrohttpd**

Dates: January - May 2017

GNU libmicrohttpd is a small embeddable HTTP 1.1 server written in C which supports TLS and IPv6. The audit was performed by Least Authority.

The team found the following problems:

*   1 Medium
*   2 Low
*   1 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**oauth2-server**

Dates: December 2016 - January 2017

oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by independent auditor Brian Carpenter.

The team found the following problems:

*   1 Low

There is no fix and validation log; the subsystem in which the issue was found is being removed.

*   Audit report

**dovecot**

Dates: October 2016 - January 2017

dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server deployments worldwide. The audit was performed by Cure53.

The team found the following problems:

*   3 Low

The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: "Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations."

*   Audit report
*   Fix and validation log
*   Developer blog post

**ntp**

Dates: December 2016 - March 2017

ntp is a implementation of the Network Time Protocol. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   2 High
*   1 Medium
*   8 Low
*   2 Informational

This audit was performed at the same time as an audit of ntpsec, which is based on a version of the ntp code.

*   Audit report
*   Fix and validation log
*   Developer security announcement

**ntpsec**

Dates: December 2016 - March 2017

ntpsec is a implementation of the Network Time Protocol, a fork of ntp. The audit was performed by Cure53.

The team found the following problems:

*   3 High
*   1 Medium
*   3 Low
*   1 Informational

This audit was performed at the same time as an audit of ntp, of which this codebase is a fork.

*   Audit report
*   Fix and validation log
*   Developer blog post

**2016****PCRE**

Dates: October 2015 - June 2016

PCRE (Perl-Compatible Regular Expressions) is a C library for implementing regular expressions in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   5 Medium
*   20 Low
*   3 Informational

The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions.

*   Audit report
*   Fix and validation log

**libjpeg-turbo**

Dates: November 2015 - June 2016

libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by Cure53.

The team found the following problems:

*   1 High
*   2 Medium
*   2 Low

The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code.

*   Audit report
*   Fix and validation log
*   Special report on issues in the JPEG standard

**phpMyAdmin**

Dates: May - June 2016

phpMyAdmin is a web-based administration tool for MySQL databases. The audit was performed by NCC Group.

The team found the following problems:

*   3 Medium
*   5 Low
*   1 Informational

NCC Group found no serious issues in this codebase.

*   Audit report
*   Fix and validation log
*   Developer blog post

**dnsmasq**

Dates: May - August 2016

dnsmasq is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by Cure53.

The team found the following problems:

*   1 Medium
*   5 Low

*   Audit report
*   Fix and validation log

**zlib**

Dates: July - September 2016

zlib is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by Trail of Bits.

The team found the following problems:

*   1 Medium
*   4 Low

*   Audit report
*   Fix and validation log

One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation.

**curl**

Dates: August - November 2016

curl is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by Cure53.

The team found the following problems:

*   4 High
*   5 Medium
*   9 Low
*   5 Informational

8 of the vulnerabilities resulted in security advisories being produced by the curl team on November 2nd, 2016.

*   Audit report
*   Fix and validation log
*   Developer blog post

CVE-2016-9840: MOSS/Secure Open Source/Completed - MozillaWiki

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

This is a security release :

_Those using AuthType oauth20 together with applications that interpret headers set by mod\_auth\_openidc on paths that disclose sensitive information are affected and should upgrade._

**Security**

*   scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod\_auth\_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod\_auth\_openidc **only if** those headers are not set and overwritten by mod\_auth\_openidc itself.

**Bugfixes**

*   handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
*   fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
*   correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci

**Other**

*   improve logging wrt. session management availability; closes #223
*   handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
*   improve error message on state timeout; closes #226; thanks @security4java
*   a call to the refresh hook now also resets the session inactivity timeout

**Packaging Notes**

*   _Accompanying libcjose packages can be found in the 2.1.3 release_
*   _Ubuntu Wily packages can also be used on Xenial and Yakkety_
*   _Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86\_64/_

CVE-2017-6413: Release release 2.1.6 · OpenIDC/mod_auth_openidc

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

This is a security release :

_Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade._

**Security**

*   scrub headers on OIDCUnAuthAction pass; closes #222; thanks @wouterhund

On accessing paths protected with OIDCUnAuthAction pass no headers would be scrubbed when a user is not authenticated, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod\_auth\_openidc even though the user has no authenticated session.

**Bugfixes**

*   fix error message about passing id\_token with session type client-cookie; see: #220; thanks @phybros

**Packaging Notes**

*   _Accompanying libcjose packages can be found in the 2.1.3 release_
*   _Ubuntu Wily packages can also be used on Xenial and Yakkety_
*   _Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86\_64/_

CVE-2017-6062: Release release 2.1.5 · OpenIDC/mod_auth_openidc

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-5771: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

Tag

#oauth