Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: armhf
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-04)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect authentication module for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on
     mod_auth_openidc_session_chunks cookie value made the server vulnerable
     to a Denial of Service (DoS) attack. If an attacker manipulated the value
     of the OpenIDC cookie to a very large integer like 99999999, the server
     struggled with the request for a long time and finally returned a 500
     error. Making a few requests of this kind caused servers to become
     unresponsive, and so attackers could thereby craft requests that would
     make the server work very hard and/or crash with minimal effort.
     (Closes: #1064183)