libapache2-mod-auth-openidc (2.3.10.2-1+deb10u4) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
    cookie value made the server vulnerable to a Denial of Service (DoS)
    attack. If an attacker manipulated the value of the OpenIDC cookie to a
    very large integer like 99999999, the server struggled with the request
    for a long time and finally returned a 500 error. Making a few requests
    of this kind caused servers to become unresponsive, and so attackers
    could thereby craft requests that would make the server work very hard
    and/or crash with minimal effort. (Closes: #1064183)

 -- Chris Lamb  Tue, 05 Mar 2024 17:43:32 +0000

libapache2-mod-auth-openidc (2.3.10.2-1+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2021-39191: URL Redirection to Untrusted Site ('Open Redirect') in
    mod_auth_openidc. (Closes: #993648)
  * Backport upstream fix to prevent open redirect on refresh token requests.
  * Fix CVE-2022-23527: Open Redirect in oidc_validate_redirect_url() using
    tab character. (Closes: #1026444)

 -- Guilhem Moulin  Tue, 18 Jul 2023 22:01:12 +0200

libapache2-mod-auth-openidc (2.3.10.2-1+deb10u2) buster-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2019-20479: Insufficient validation of URLs beginning with a slash
    and backslash.
  * CVE-2021-32785: Crash when using an unencrypted Redis cache.
  * CVE-2021-32786: Open Redirect vulnerability in the logout functionality.
  * CVE-2021-32791: AES GCM encryption used a static IV and AAD.
  * CVE-2021-32792: XSS vulnerability when using OIDCPreservePost.
  * CVE-2023-28625: NULL pointer dereference with OIDCStripCookies.

 -- Adrian Bunk  Sun, 30 Apr 2023 22:31:27 +0300

libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium

  * Add patch for CVE-2019-14857 (Closes: #942165)

 -- Moritz Schlarb  Wed, 27 Nov 2019 11:09:17 +0100

libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium

  * New upstream version 2.3.10.2

 -- Moritz Schlarb  Tue, 29 Jan 2019 21:40:30 +0100

libapache2-mod-auth-openidc (2.3.10-1) unstable; urgency=medium

  [ Frédéric Bonnard ]
  * Fix parallel build (Closes: #913631)

  [ Moritz Schlarb ]
  * Update Maintainer and Standards-Version fields
  * New upstream version 2.3.10

 -- Moritz Schlarb  Wed, 02 Jan 2019 14:58:25 +0100

libapache2-mod-auth-openidc (2.3.8-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces

  [ Moritz Schlarb ]
  * Update Standards-Version
  * New upstream version 2.3.8

 -- Moritz Schlarb  Fri, 09 Nov 2018 09:43:22 +0100

libapache2-mod-auth-openidc (2.3.7-1) unstable; urgency=medium

  * New upstream version 2.3.7
  * Move Vcs-* to Salsa

 -- Moritz Schlarb  Mon, 06 Aug 2018 16:05:03 +0200

libapache2-mod-auth-openidc (2.3.3-1) unstable; urgency=medium

  * New upstream version 2.3.3
  * Update debian/control

 -- Moritz Schlarb  Tue, 20 Feb 2018 12:27:15 +0100

libapache2-mod-auth-openidc (2.3.2-1) unstable; urgency=medium

  * New upstream version 2.3.2
  * link against openssl 1.1 (closes: #858993)

 -- Christoph Martin  Tue, 14 Nov 2017 12:14:22 +0100

libapache2-mod-auth-openidc (2.3.1-2) unstable; urgency=medium

  * Fix maintainer script generation to enable/disable the module on
    installation and removal. This is safe to do because the example
    configuration does not do anything. This also closes: #868949 since it
    actually restarts Apache2 after enabling the module.

 -- Moritz Schlarb  Tue, 08 Aug 2017 09:31:43 +0200

libapache2-mod-auth-openidc (2.3.1-1) unstable; urgency=medium

  * New upstream version 2.3.1

 -- Moritz Schlarb  Mon, 31 Jul 2017 11:03:02 +0200

libapache2-mod-auth-openidc (2.1.6-1) unstable; urgency=high

  * New upstream version 2.1.6
    "This is a security release: Those using AuthType oauth20 together with
    applications that interpret headers set by mod_auth_openidc on paths
    that disclose sensitive information are affected and should upgrade."

 -- Moritz Schlarb  Thu, 23 Feb 2017 13:33:55 +0100

libapache2-mod-auth-openidc (2.1.5-1) unstable; urgency=high

  * Imported Upstream version 2.1.5
    fixes two security issues:
    https://github.com/pingidentity/mod_auth_openidc/issues/212
    https://github.com/pingidentity/mod_auth_openidc/issues/222

 -- Christoph Martin  Mon, 06 Feb 2017 10:56:03 +0100

libapache2-mod-auth-openidc (2.1.3-1) unstable; urgency=medium

  * Fix watch file
  * New upstream version 2.1.3
  * Fix lintian warning: apache2-module-depends-on-real-apache2-package

 -- Moritz Schlarb  Fri, 13 Jan 2017 15:52:26 +0100

libapache2-mod-auth-openidc (2.1.2-2) unstable; urgency=medium

  * new upload excluding archs which don't build

 -- Christoph Martin  Mon, 09 Jan 2017 11:59:21 +0100

libapache2-mod-auth-openidc (2.1.2-1) unstable; urgency=medium

  * add Vcs Tags to control
  * Imported Upstream version 2.1.2

 -- Christoph Martin  Fri, 09 Dec 2016 09:57:49 +0100

libapache2-mod-auth-openidc (1.8.10.1-1.2) unstable; urgency=medium

  * NMU: change depends to libssl1.0 to make it build again with apache
    (closes: #844803)

 -- Christoph Martin  Tue, 22 Nov 2016 09:46:30 +0100

libapache2-mod-auth-openidc (1.8.10.1-1.1) unstable; urgency=medium

  * NMU: fix watch file
  * fix openssl 1.1 FTBFS (closes: #828380), patch from
    https://github.com/pingidentity/mod_auth_openidc/commit/82ee7cf68811662e93f9aea9b9a10beb095ee3df

 -- Christoph Martin  Thu, 10 Nov 2016 13:33:27 +0100

libapache2-mod-auth-openidc (1.8.10.1-1) unstable; urgency=medium

  * fix Elliptic Curve signature verification

 -- Hans Zandbelt  Mon, 11 Jul 2016 15:12:50 +0200

libapache2-mod-auth-openidc (1.8.10-1) unstable; urgency=medium

  * build with OpenSSL 1.1.0

 -- Hans Zandbelt  Mon, 27 Jun 2016 08:49:31 +0200

libapache2-mod-auth-openidc (1.8.9-1) unstable; urgency=medium

  * improve X-Forwarded-Host handling over Host

 -- Hans Zandbelt  Tue, 07 Jun 2016 17:01:45 +0200

libapache2-mod-auth-openidc (1.8.8-1) unstable; urgency=medium

  * pass bearer token in alternative ways

 -- Hans Zandbelt  Thu, 10 Mar 2016 12:22:38 +0100

libapache2-mod-auth-openidc (1.8.7-1) unstable; urgency=medium

  * tighten up protocol checks

 -- Hans Zandbelt  Fri, 08 Jan 2016 21:50:25 +0100

libapache2-mod-auth-openidc (1.8.6-1) unstable; urgency=medium

  * add cookie-domain check

 -- Hans Zandbelt  Mon, 26 Oct 2015 08:43:15 +0100

libapache2-mod-auth-openidc (1.8.5-1) unstable; urgency=medium

  * HTTP-based logout

 -- Hans Zandbelt  Mon, 21 Sep 2015 08:59:17 +0200

libapache2-mod-auth-openidc (1.8.4-1) unstable; urgency=medium

  * allow for compilation on MS Windows

 -- Hans Zandbelt  Fri, 03 Jul 2015 19:39:11 +0200

libapache2-mod-auth-openidc (1.8.3-1) unstable; urgency=medium

  * remove accounts.google.com exceptions

 -- Hans Zandbelt  Fri, 19 Jun 2015 19:15:02 +0200

libapache2-mod-auth-openidc (1.8.2-1) unstable; urgency=medium

  * Elliptic Curve fixes

 -- Hans Zandbelt  Mon, 18 May 2015 09:40:08 +0200

libapache2-mod-auth-openidc (1.8.1-1) unstable; urgency=medium

  * avoid timing attacks; build with OpenSSL < 1.0

 -- Hans Zandbelt  Tue, 05 May 2015 11:40:13 +0200

libapache2-mod-auth-openidc (1.8.0-1) unstable; urgency=medium

  * enable local JWT validation

 -- Hans Zandbelt  Thu, 26 Feb 2015 16:21:02 +0100

libapache2-mod-auth-openidc (1.7.3-1) unstable; urgency=medium

  * fix symmetric key decryption of JWTs

 -- Hans Zandbelt  Thu, 05 Feb 2015 18:28:15 +0100

libapache2-mod-auth-openidc (1.7.2-1) unstable; urgency=medium

  * add support for OIDCOAuthIntrospectionTokenParamName

 -- Hans Zandbelt  Wed, 21 Jan 2015 08:57:59 +0100

libapache2-mod-auth-openidc (1.7.1-1) unstable; urgency=medium

  * Redis reconnect, OIDCCacheShmEntrySizeMax, OIDCReturn401, OIDCPassCookies

 -- Hans Zandbelt  Fri, 12 Dec 2014 13:19:43 +0100

libapache2-mod-auth-openidc (1.7.0-1) unstable; urgency=medium

  * Redis caching, refresh flow, token introspection

 -- Hans Zandbelt  Wed, 05 Nov 2014 12:09:52 +0100

libapache2-mod-auth-openidc (1.6.0-1) unstable; urgency=medium

  * new upstream release; add libssl-dev dependency

 -- Hans Zandbelt  Mon, 13 Oct 2014 12:23:35 +0200

libapache2-mod-auth-openidc (1.5.5-1) unstable; urgency=medium

  * use HttpOnly on cookies; set OIDCCookiePath to /

 -- Hans Zandbelt  Tue, 26 Aug 2014 09:23:43 +0200

libapache2-mod-auth-openidc (1.5.4-3) unstable; urgency=medium

  * changelog line was too long; correct/simplify watch file

 -- Hans Zandbelt  Thu, 14 Aug 2014 15:51:02 +0200

libapache2-mod-auth-openidc (1.5.4-2) unstable; urgency=medium

  * correct debian directory for wheezy/jessie; watch file check .orig.tar.gz

 -- Hans Zandbelt  Thu, 14 Aug 2014 15:03:52 +0200

libapache2-mod-auth-openidc (1.5.4-1) unstable; urgency=medium

  * fix big endian issue

 -- Hans Zandbelt  Thu, 14 Aug 2014 12:59:11 +0200

libapache2-mod-auth-openidc (1.5.3-2) unstable; urgency=medium

  * build/test on big endian arch

 -- Hans Zandbelt  Sun, 3 Aug 2014 22:27:07 +0200

libapache2-mod-auth-openidc (1.5.3-1) unstable; urgency=medium

  * fix initialization leak

 -- Hans Zandbelt  Fri, 1 Aug 2014 12:37:53 +0200

libapache2-mod-auth-openidc (1.5.2-1) unstable; urgency=medium

  * fix OAuth 2.0 authorization and pass JSON claims in HTTP headers

 -- Hans Zandbelt  Tue, 1 Jul 2014 15:22:38 +0200

libapache2-mod-auth-openidc (1.5.1-1) unstable; urgency=medium

  * add pkg-config to Build-Depends

 -- Hans Zandbelt  Thu, 12 Jun 2014 14:33:10 +0200

libapache2-mod-auth-openidc (1.5-6) unstable; urgency=medium

  * drop lintian-overrides

 -- Hans Zandbelt  Tue, 10 Jun 2014 13:36:02 +0200

libapache2-mod-auth-openidc (1.5-5) unstable; urgency=medium

  * support both Apache 2.2 and 2.4 config layouts

 -- Hans Zandbelt  Fri, 06 Jun 2014 19:05:59 +0200

libapache2-mod-auth-openidc (1.5-4) unstable; urgency=medium

  * include .postinst script for setting permissions

 -- Hans Zandbelt  Fri, 06 Jun 2014 18:07:12 +0200

libapache2-mod-auth-openidc (1.5-3) unstable; urgency=medium

  * more Debian packaging fixes

 -- Hans Zandbelt  Fri, 06 Jun 2014 13:46:56 +0200

libapache2-mod-auth-openidc (1.5-2) unstable; urgency=medium

  * include original source

 -- Hans Zandbelt  Thu, 05 Jun 2014 21:05:12 +0200

libapache2-mod-auth-openidc (1.5-1) unstable; urgency=medium

  * use Debian non-native packaging

 -- Hans Zandbelt  Thu, 05 Jun 2014 20:32:44 +0200

libapache2-mod-auth-openidc (1.5) unstable; urgency=medium

  * switch to JSON parser jansson

 -- Hans Zandbelt  Thu, 05 Jun 2014 11:11:25 +0200

libapache2-mod-auth-openidc (1.4) unstable; urgency=medium

  * OpenSSL fixes

 -- Hans Zandbelt  Mon, 02 Jun 2014 13:43:50 +0200

libapache2-mod-auth-openidc (1.3) unstable; urgency=medium

  * fix running on non-standard port

 -- Hans Zandbelt  Tue, 20 May 2014 10:51:29 +0200

libapache2-mod-auth-openidc (1.2) unstable; urgency=medium

  * session timeout handling, use shared memory as cache by default

 -- Hans Zandbelt  Tue, 22 Apr 2014 13:54:07 +0200

libapache2-mod-auth-openidc (1.1) unstable; urgency=low

  * add issuer to REMOTE_USER; included INSTALL

 -- Hans Zandbelt  Thu, 03 Apr 2014 19:28:31 +0200

libapache2-mod-auth-openidc (1.0.1) unstable; urgency=low

  * fix Require keyword issue for Apache 2.4

 -- Hans Zandbelt  Fri, 28 Mar 2014 22:33:07 +0100

libapache2-mod-auth-openidc (1.0) unstable; urgency=low

  * Initial release under new name and flag.

 -- Hans Zandbelt  Thu, 27 Mar 2014 20:47:00 +0100
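The CVE-2024-24814 entry above (2.3.10.2-1+deb10u4) describes a chunk-count cookie that was trusted as-is, so a value like 99999999 made the server loop through that many cookie lookups before failing. The following added example is not the module's code and not the Debian patch; it illustrates the mitigation in C: parse the mod_auth_openidc_session_chunks value strictly (decimal digits only, no sign, no leading zeros, overflow-safe) and reject anything outside a small fixed bound before any chunk is touched. The bound MAX_SESSION_CHUNKS, the cookie_t jar, and the chunk naming scheme "<base>_<i>" are assumptions made for the example, not the module's own constants or names.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on session cookie chunks (not the module's constant).
 * Each cookie is capped by browsers at roughly 4 KiB, so a session needing
 * more than a handful of chunks would already be unusable in practice. */
#define MAX_SESSION_CHUNKS 16

/* Strict parser for the chunk-count cookie value.
 * Accepts only a canonical decimal integer in [1, MAX_SESSION_CHUNKS]:
 * no sign, no whitespace, no leading zeros. Because the running total is
 * compared against the bound after every digit, a value such as
 * "99999999" is rejected on its third digit and can never overflow.
 * Returns the count, or -1 if the value must be rejected. */
int parse_chunk_count(const char *value) {
    if (value == NULL || value[0] == '\0') return -1;
    if (value[0] == '0') return -1;           /* rejects "0" and "007" */
    long n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return -1;  /* rejects "-1", "+5", "3 ", "3x" */
        n = n * 10 + (*p - '0');
        if (n > MAX_SESSION_CHUNKS) return -1;  /* bound enforced before use */
    }
    return (int)n;
}

/* Minimal cookie jar used by the example (constructed; not Apache's table). */
typedef struct { const char *name; const char *value; } cookie_t;

static const char *cookie_lookup(const cookie_t *jar, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(jar[i].name, name) == 0) return jar[i].value;
    return NULL;
}

/* Reassemble "<base>_0" .. "<base>_<count-1>" into out.
 * The count is validated first, so the loop below runs at most
 * MAX_SESSION_CHUNKS times regardless of what the client sent.
 * Returns 0 on success, -1 if the count is invalid, a chunk is missing,
 * or the reassembled value would not fit in out. */
int reassemble_session(const cookie_t *jar, size_t jar_len, const char *base,
                       char *out, size_t out_len) {
    char count_name[128];
    snprintf(count_name, sizeof count_name, "%s_chunks", base);
    int count = parse_chunk_count(cookie_lookup(jar, jar_len, count_name));
    if (count < 0 || out_len == 0) return -1;

    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < count; i++) {
        char chunk_name[128];
        snprintf(chunk_name, sizeof chunk_name, "%s_%d", base, i);
        const char *chunk = cookie_lookup(jar, jar_len, chunk_name);
        if (chunk == NULL) return -1;           /* missing chunk: fail closed */
        size_t len = strlen(chunk);
        if (used + len + 1 > out_len) return -1; /* no silent truncation */
        memcpy(out + used, chunk, len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

int main(void) {
    /* Constructed sample jar: a two-chunk session plus a hostile count. */
    const cookie_t good[] = {
        { "mod_auth_openidc_session_chunks", "2" },
        { "mod_auth_openidc_session_0", "eyJhbGciOi" },
        { "mod_auth_openidc_session_1", "JSUzI1NiJ9" },
    };
    const cookie_t hostile[] = {
        { "mod_auth_openidc_session_chunks", "99999999" },
    };
    char buf[64];
    printf("good jar: %d\n", reassemble_session(good, 3, "mod_auth_openidc_session", buf, sizeof buf));
    printf("reassembled: %s\n", buf);
    printf("hostile jar: %d (rejected before any chunk lookup)\n",
           reassemble_session(hostile, 1, "mod_auth_openidc_session", buf, sizeof buf));
    return 0;
}
```

The design point is that the bound is checked inside the digit loop, not after conversion, so the cost of a hostile value is bounded by its length rather than by its magnitude; the reassembly loop then inherits that bound and also fails closed on a missing chunk instead of guessing.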