An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1236 Final 1.0 1.0 2023-04-21 Initial 2023-04-21 2023-04-21 openEuler SA Tool V1.0 2023-04-21 mod_auth_openidc security update An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP1. This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP). Security Fix(es): mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.(CVE-2022-23527) mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.(CVE-2023-28625) An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High mod_auth_openidc https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1236 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23527 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-28625 https://nvd.nist.gov/vuln/detail/CVE-2022-23527 https://nvd.nist.gov/vuln/detail/CVE-2023-28625 openEuler-22.03-LTS-SP1 mod_auth_openidc-debugsource-2.4.13.2-1.oe2203sp1.aarch64.rpm mod_auth_openidc-2.4.13.2-1.oe2203sp1.aarch64.rpm mod_auth_openidc-debuginfo-2.4.13.2-1.oe2203sp1.aarch64.rpm mod_auth_openidc-2.4.13.2-1.oe2203sp1.src.rpm mod_auth_openidc-debugsource-2.4.13.2-1.oe2203sp1.x86_64.rpm mod_auth_openidc-debuginfo-2.4.13.2-1.oe2203sp1.x86_64.rpm mod_auth_openidc-2.4.13.2-1.oe2203sp1.x86_64.rpm mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with / t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed. 2023-04-21 CVE-2022-23527 openEuler-22.03-LTS-SP1 Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N mod_auth_openidc security update 2023-04-21 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1236 mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`. 2023-04-21 CVE-2023-28625 openEuler-22.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H mod_auth_openidc security update 2023-04-21 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1236