Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: armel
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: arm Build Daemon (arm-conova-04)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect authentication module for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on
     mod_auth_openidc_session_chunks cookie value made the server vulnerable
     to a Denial of Service (DoS) attack. If an attacker manipulated the value
     of the OpenIDC cookie to a very large integer like 99999999, the server
     struggled with the request for a long time and finally returned a 500
     error. Making a few requests of this kind caused servers to become
     unresponsive, and so attackers could thereby craft requests that would
     make the server work very hard and/or crash with minimal effort.
     (Closes: #1064183)