Format: 1.8
Date: Tue, 28 Jul 2020 21:03:02 +0200
Source: libapache2-mod-auth-openidc
Binary: libapache2-mod-auth-openidc
Architecture: source amd64
Version: 2.1.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Hans Zandbelt <hzandbelt@pingidentity.com>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 libapache2-mod-auth-openidc - OpenID Connect authentication module for Apache
Changes:
 libapache2-mod-auth-openidc (2.1.6-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-1010247
     The OIDCRedirectURI page contains generated JavaScript code
     that uses a poll parameter as a string variable,
     thus might contain additional JavaScript code. This might
     result in Cross-Site Scripting (XSS).
   * CVE-2019-20479
     Insufficient validation of URLs leads to an Open Redirect
     vulnerability for URLs beginning with a slash and backslash.
   * CVE-2019-14857
     Insufficient validation of URLs leads to an Open Redirect
     vulnerability. An attacker may trick a victim into providing
     credentials for an OpenID provider by forwarding the request
     to an illegitimate website.