-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:20:00 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc libapache2-mod-auth-openidc-dbgsym
Architecture: armel
Version: 2.4.12.3-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-02)
Changed-By: Moritz Schlarb
Description:
 libapache2-mod-auth-openidc - OpenID Connect Relying Party implementation for Apache
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
 .
   * CVE-2024-24814: Missing input validation on
     mod_auth_openidc_session_chunks cookie value made the server vulnerable
     to a Denial of Service (DoS) attack. If an attacker manipulated the value
     of the OpenIDC cookie to a very large integer like 99999999, the server
     struggled with the request for a long time and finally returned a 500
     error. Making a few requests of this kind caused servers to become
     unresponsive, and so attackers could thereby craft requests that would
     make the server work very hard and/or crash with minimal effort.
     (Closes: #1064183)