-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2024 14:27:26 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-0+deb11u4
Distribution: bullseye
Urgency: high
Maintainer: Moritz Schlarb <schlarbm@uni-mainz.de>
Changed-By: Moritz Schlarb <schlarbm@uni-mainz.de>
Closes: 1064183
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 .
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
     cookie value made the server vulnerable to a Denial of Service (DoS) attack.
     If an attacker manipulated the value of the OpenIDC cookie to a very large
     integer like 99999999, the server struggled with the request for a long
     time and finally returned a 500 error. Making a few requests of this kind
     caused servers to become unresponsive, and so attackers could thereby craft
     requests that would make the server work very hard and/or crash with
     minimal effort. (Closes: #1064183)
Checksums-Sha1:
 59075b190efed8b5b0acc91beb6719f72950f871 2560 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 c2547eb068c4cf808254e22084bf38863ed65927 8180 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 5b57962345ba44d775627aa58e67c23270996c32 8775 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo
Checksums-Sha256:
 fdfdf2d1e8f29d9aeecc447f752f9d6c8fd197a17f41e9928bb0c9520cbc6095 2560 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 e180e64cb72b19bbb55a9b17ee6c9b6157b6ee79b0e38fee4f3af08be0de9656 8180 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 7163bc3c51b761633c1dee6881d715342daad6817f4afad1c9d7093765ada122 8775 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo
Files:
 db3f551e27cc7eb67b79ae17934e027b 2560 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc
 e6225a8e4af69e90ca7ed50d884358a6 8180 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.debian.tar.xz
 645b146646668d77485825efad8fcb2a 8775 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCgA0FiEE3wEiR7/GVQGv8oRFDCS4Qcfduq8FAmYhEhAWHHNjaGxhcmJt
QHVuaS1tYWluei5kZQAKCRAMJLhBx926r+JaEACGpXKn4dQQBUzRzfHpy7I+h6d+
KhrZkahzHob6pesxyOhW6d+mbBYyaqzk7HTprOo1Xtu0mr5AvPnyJPkQQdoG6nmb
COTbSyuIOKtykC28eTjm9nqcECm4NCNhCKeNocS0HXJr8juQvbmR6tb0u1sQt/WY
nmrK1RPJFb7VaJw5lwVcCOUgFLD6SCfglVOxORFkmiU6btxM/soJvATYzDW4hPY8
z2awnGK4oQrREYB61OhbxvzS6aEfpPNWVcrGxlHsDXbKjcjq/DsnEcxN/1TVnjYR
ehVKJjKhRL/sqsn5xoWPr3Yd2i4KsW7yXEmW6St3RvW5fhoL4ufAfWFFCYB3TX8r
AlQZSaoW+kxuAVTlNp3X4syIibzOsRRq/TVRIFNkwFjCDMmKARARSmbg//NoVQqD
2/PYRjFr4WtDFqfnezGGtQHwocoRGDxlyD+FDTjmZq676E5vexpq1s6Dy5Pz6BJE
00Onbmqn8dN23ojD+SdKYwR2CQbLIkpnXx0voa5Hd7EeqqPdeKm1jmuEQjlSJM0T
JQ8z4TBJvffeUCC7XxvHo/w3a5fVOipIcpg9VpQd+Bh2Of06Jk2W8Cr4yi1AW5Kx
T1Pi0+a/q50JSeobrSpHgTRnW9ikhb0clFpAe445wEV70529ncFUmfG0CNS6PmaE
3ujZ3jN+aB2PDK6dxA==
=buzI
-----END PGP SIGNATURE-----
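The changelog entry above describes the bug class, not the fix itself: a client-controlled chunk count (the mod_auth_openidc_session_chunks cookie) was used as a loop bound without validation, so a value such as 99999999 made the server iterate, allocate and look up cookies that do not exist. The following is an added illustrative example written for this page, not mod_auth_openidc's own code and not the Debian patch. It assumes a per-chunk cookie naming scheme of mod_auth_openidc_session_<index> and an illustrative ceiling of 32 chunks (MAX_SESSION_CHUNKS); both are assumptions for the demonstration, not values taken from the module. It shows the hardened parse of the count (digits only, bounded, rejected early so no overflow is possible) and a reassembly loop that fails closed as soon as a claimed chunk is absent, so the work done is bounded by the cookies actually present rather than by the number the client asserts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed ceiling on chunks a client may claim (illustrative, not the
 * module's own limit). */
#define MAX_SESSION_CHUNKS 32
#define CHUNKS_COOKIE "mod_auth_openidc_session_chunks"
/* Assumed per-chunk cookie name prefix: "<prefix><index>". */
#define CHUNK_COOKIE_PREFIX "mod_auth_openidc_session_"

/* Find cookie `name` in a raw Cookie header ("a=1; b=2"). Only matches at
 * token starts, so a name appearing inside another value is ignored.
 * Returns a malloc'd copy of the value, or NULL if absent. Caller frees. */
static char *cookie_get(const char *header, const char *name) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* Hardened parse of the client-supplied chunk count.
 * Accepts only decimal digits and a value in 1..MAX_SESSION_CHUNKS.
 * Rejects as soon as the running value exceeds the ceiling, so a long
 * string like "99999999" is refused at its third digit and can never
 * overflow. Returns the count, or -1 for anything invalid. */
int parse_chunk_count(const char *value) {
    if (value == NULL || *value == '\0') return -1;
    long n = 0;
    for (const char *p = value; *p; p++) {
        if (*p < '0' || *p > '9') return -1;   /* sign, space, letters: reject */
        n = n * 10 + (*p - '0');
        if (n > MAX_SESSION_CHUNKS) return -1;
    }
    if (n < 1) return -1;
    return (int)n;
}

/* Reassemble the session value from its chunks, bounded by the validated
 * count and by the chunks that are actually present: a missing chunk ends
 * the loop immediately (fail closed). Returns a malloc'd string, or NULL
 * when the count is invalid or a claimed chunk is absent. Caller frees. */
char *reassemble_session_cookie(const char *cookie_header) {
    char *count_str = cookie_get(cookie_header, CHUNKS_COOKIE);
    if (count_str == NULL) return NULL;
    int n = parse_chunk_count(count_str);
    free(count_str);
    if (n < 0) return NULL;

    size_t cap = 1;                       /* room for the terminating NUL */
    char *out = malloc(cap);
    if (!out) return NULL;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        char name[sizeof(CHUNK_COOKIE_PREFIX) + 16];
        snprintf(name, sizeof(name), "%s%d", CHUNK_COOKIE_PREFIX, i);
        char *chunk = cookie_get(cookie_header, name);
        if (chunk == NULL) { free(out); return NULL; }
        size_t add = strlen(chunk);
        char *grown = realloc(out, cap + add);
        if (!grown) { free(chunk); free(out); return NULL; }
        out = grown;
        memcpy(out + cap - 1, chunk, add + 1);   /* copies the NUL too */
        cap += add;
        free(chunk);
    }
    return out;
}

int main(void) {
    /* Constructed sample headers: one benign, one with the oversized count. */
    const char *good = "mod_auth_openidc_session_chunks=2; "
                       "mod_auth_openidc_session_0=abc; "
                       "mod_auth_openidc_session_1=def";
    const char *bad  = "mod_auth_openidc_session_chunks=99999999; "
                       "mod_auth_openidc_session_0=abc";
    char *s = reassemble_session_cookie(good);
    printf("good header -> %s\n", s ? s : "(rejected)");
    free(s);
    s = reassemble_session_cookie(bad);
    printf("bad header  -> %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The point of the two bounds together is that neither alone is enough: a ceiling stops the 99999999 case, and stopping at the first missing chunk stops a client from making the server do MAX_SESSION_CHUNKS lookups per request for chunks it never sent. On bullseye the fixed package is the version listed above, 2.4.9.4-0+deb11u4; `dpkg -s libapache2-mod-auth-openidc` shows the installed version.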