-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 18 Apr 2024 14:20:00 +0200 Source: libapache2-mod-auth-openidc Architecture: source Version: 2.4.12.3-2+deb12u1 Distribution: bookworm Urgency: medium Maintainer: Moritz Schlarb <schlarbm@uni-mainz.de> Changed-By: Moritz Schlarb <schlarbm@uni-mainz.de> Closes: 1064183 Changes: libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium . * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks cookie value made the server vulnerable to a Denial of Service (DoS) attack. If an attacker manipulated the value of the OpenIDC cookie to a very large integer like 99999999, the server struggled with the request for a long time and finally returned a 500 error. Making a few requests of this kind caused servers to become unresponsive, and so attackers could thereby craft requests that would make the server work very hard and/or crash with minimal effort. (Closes: #1064183) Checksums-Sha1: 48152d4f7c03317dc578ea4845a20c15cd315a75 2325 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc 1c4e5d1781006ff9a29cfa350b15a776adf1cb1a 7764 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz f5624c86bc0ae6c1fe0bdf90dca4d35a6455dabc 8448 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo Checksums-Sha256: 4f5904073b8562a7a3b982b01dd1c75c10f4b29e3d698abc9be4001fdd6e9e98 2325 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc 2d12ef29195cc123400752e91eb61eb78d86762f22a312faff5ed7dd22db1064 7764 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz 2b0a6a9811ef289acdccf6a254604cba5fec1894f6986d807a2f3e0c18e25c61 8448 libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo Files: fd5cc9b4e7a18f975d121d49b88d4a26 2325 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc 9f0659dc1a46f0b45c6473723ed86e69 7764 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.debian.tar.xz 176fdc1870d781962f19b40ab903356b 8448 httpd optional libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJKBAEBCgA0FiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmYhEu0WHHNjaGxhcmJt QHVuaS1tYWluei5kZQAKCRAMJLhBx926r6j8D/9Gopp36dLgy9ck9IG9vW3gB/qm 30/gR+smGLaEzu6Hf4YHu1qRl4Dz4LMgx3hKlG2bNAxEfzjmt56H+uWNRiiO90rz 8dAJVGVADm4M6VH6CAXeVe44YwI5Jo/9wVkzUWBANDgIXvC4+0iO7KHwM8X5tbyq cyJQrG99X1k2BSfbpZHje3bbg1bkFVu3uOOAqWpTaWGZweVjR2Ep7o+FdnDJvA5Q WKs0zfO7hxyHDUZYyiFqxJa4GTTYT9MWk/0BTD0qyRO8WAA20eENvoG3vkv0plUb HLhMM0847rYXEIxKLv58ao/Y1rGmDHbAeGqhUkvIuyemdT5yYO/bmDjQ+U9K6ZFA 2qO3vaz7qipDPRgzlouEXcjEwzjNavrQ9N7zLusraXVq4TZ3SQwr3St7th7TgLjz vd9DS63XyMu/BHAbNbxZvNBJbfS3ZeVhgjxkswq0i26XQId//KmR63B4l+llvabR 4dV73MYrH1lOOcMnfHYqxhgsWWH4dvCBmZGBZmqAVhRRj4xVcHVTfqVkj96U/N6/ ryLZUmv1MbcChzLIxegKWl9mk1bblX/mC12dUmwMP0IsT/ncJ1sF26H+Iv3wGsbi h8s6jjG7a/cAcFtU45ze7+uwTblo/7U35Ob+LgD46K9F4swYAV1u11gHm8N/EtbX ByktFjekB59YNfL9ag== =D0Nz -----END PGP SIGNATURE-----
Attachment:
pgpdQXhyE3L4C.pgp
Description: PGP signature