Description
ELSA-2023-6940: mod_auth_openidc:2.3 security and bug fix update (MODERATE)
cjose [0.6.1-4]
- CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE Resolves: rhbz#2223308
mod_auth_openidc [2.4.9.4-5]
- Related: rhbz#2141850 - fix cjose version dependency
[2.4.9.4-4]
- Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default
[2.4.9.4-3]
- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied
[2.4.9.4-2]
- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in oidc_validate_redirect_url() using tab character
Updated packages
Oracle Linux 8
Oracle Linux aarch64 (Module mod_auth_openidc:2.3 is enabled)
cjose 0.6.1-4.module+el8.9.0+90009+6a7196cf
cjose-devel 0.6.1-4.module+el8.9.0+90009+6a7196cf
mod_auth_openidc 2.4.9.4-5.module+el8.9.0+90009+6a7196cf
Oracle Linux x86_64 (Module mod_auth_openidc:2.3 is enabled)
cjose 0.6.1-4.module+el8.9.0+90009+6a7196cf
cjose-devel 0.6.1-4.module+el8.9.0+90009+6a7196cf
mod_auth_openidc 2.4.9.4-5.module+el8.9.0+90009+6a7196cf
Related CVEs
Related vulnerabilities
ELSA-2023-6365: mod_auth_openidc security and bug fix update (MODERATE)
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.
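The redirect check described above, as an added illustration that is not code from mod_auth_openidc or from this advisory: a "starts with a single slash" test beside a hardened validator that rejects control characters and judges the URL the way a browser will see it (WHATWG URL parsing drops ASCII tab and newline before parsing, so "/\t/host" becomes the protocol-relative "//host"). The allow-list helper only approximates the OIDCRedirectURLsAllowed regex semantics and is an assumption, not the module's implementation.

```python
import re
from urllib.parse import urlsplit

# Characters browsers remove from a URL before parsing it (WHATWG URL spec).
_STRIPPED_BY_BROWSERS = "\t\n\r"


def weak_is_local_redirect(url: str) -> bool:
    """Pre-fix style check: any path starting with a single '/' is trusted.
    It accepts "/\t/evil.example" because the tab hides the second slash."""
    return url.startswith("/") and not url.startswith("//")


def browser_view(url: str) -> str:
    """Approximate the URL a browser actually navigates to."""
    cleaned = "".join(ch for ch in url if ch not in _STRIPPED_BY_BROWSERS)
    return cleaned.strip()  # leading/trailing whitespace is dropped as well


def hardened_is_local_redirect(url: str) -> bool:
    """Reject control characters outright, then validate the browser's view:
    it must be a bare path (no scheme, no authority), and must not begin
    with '//' or '/\\' (backslash acts as a slash in browser URL parsing)."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    seen = browser_view(url)
    if not seen.startswith("/") or seen.startswith(("//", "/\\")):
        return False
    parts = urlsplit(seen)
    return parts.scheme == "" and parts.netloc == ""


def allowed_by_regex(url: str, allowed_patterns) -> bool:
    """Allow-list mitigation in the spirit of OIDCRedirectURLsAllowed
    (assumed semantics: the whole URL must match one of the patterns)."""
    return any(re.fullmatch(pattern, url) for pattern in allowed_patterns)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for candidate in ["/account/home", "/\t/evil.example", "//evil.example"]:
        print(repr(candidate), "weak:", weak_is_local_redirect(candidate),
              "hardened:", hardened_is_local_redirect(candidate))
```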