libapache2-mod-auth-openidc (2.4.15.7-1)
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/debian/libapache2-mod-auth-openidc.git
- Branch: master
- Path: debian/changelog
- Repo size: 397312
- Browser: https://salsa.debian.org/debian/libapache2-mod-auth-openidc
- Last scan: 2024-04-25 08:22:11+00
- Next scan: 2024-05-01 08:10:00+00
- CI pipeline status: failed
- Debian changelog in Git:
libapache2-mod-auth-openidc (2.4.15.7-1) unstable; urgency=medium

  [ Hans Zandbelt ]
  * update to OpenIDC Github repository/organization

  [ Moritz Schlarb ]
  * Bump Standards-Version
  * New upstream version 2.4.15.7
  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
    cookie value made the server vulnerable to a Denial of Service (DoS)
    attack. If an attacker manipulated the value of the OpenIDC cookie to a
    very large integer like 99999999, the server struggled with the request for
    a long time and finally returned a 500 error. Making a few requests of this
    kind caused servers to become unresponsive, and so attackers could thereby
    craft requests that would make the server work very hard and/or crash with
    minimal effort. (Closes: #1064183)

 -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 18 Apr 2024 13:46:00 +0200
- This branch is even with tag debian/2.4.15.7-1