Security update for apache2-mod_auth_openidc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:1837-1 Final 1 1 2023-04-13T13:04:46Z current 2023-04-13T13:04:46Z 2023-04-13T13:04:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2-mod_auth_openidc This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2022-23527: Fixed open redirect in oidc_validate_redirect_url() using tab character (bsc#1206441). - CVE-2023-28625: Fixed NULL pointer dereference when OIDCStripCookies was set and a crafted Cookie header was supplied (bsc#1210073). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-1837,SUSE-OpenStack-Cloud-9-2023-1837,SUSE-OpenStack-Cloud-Crowbar-9-2023-1837,SUSE-SLE-SAP-12-SP4-2023-1837,SUSE-SLE-SERVER-12-SP4-ESPOS-2023-1837,SUSE-SLE-SERVER-12-SP4-LTSS-2023-1837,SUSE-SLE-SERVER-12-SP5-2023-1837 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20231837-1/ Link for SUSE-SU-2023:1837-1 https://lists.suse.com/pipermail/sle-security-updates/2023-May/014721.html E-Mail link for SUSE-SU-2023:1837-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190855 SUSE Bug 1190855 https://bugzilla.suse.com/1206441 SUSE Bug 1206441 https://bugzilla.suse.com/1210073 SUSE Bug 1210073 https://www.suse.com/security/cve/CVE-2022-23527/ SUSE CVE CVE-2022-23527 page https://www.suse.com/security/cve/CVE-2023-28625/ SUSE CVE CVE-2023-28625 page SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 apache2-mod_auth_openidc-2.4.0-7.9.1 apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE Linux Enterprise Server 12 SP5 apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE OpenStack Cloud 9 apache2-mod_auth_openidc-2.4.0-7.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 mod_auth_openidc is an OpenID Certified(tm) authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed. CVE-2022-23527 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server 12 SP5:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE OpenStack Cloud 9:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE OpenStack Cloud Crowbar 9:apache2-mod_auth_openidc-2.4.0-7.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231837-1/ https://www.suse.com/security/cve/CVE-2022-23527.html CVE-2022-23527 https://bugzilla.suse.com/1206441 SUSE Bug 1206441 mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`. CVE-2023-28625 SUSE Linux Enterprise Server 12 SP4-ESPOS:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server 12 SP5:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE OpenStack Cloud 9:apache2-mod_auth_openidc-2.4.0-7.9.1 SUSE OpenStack Cloud Crowbar 9:apache2-mod_auth_openidc-2.4.0-7.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231837-1/ https://www.suse.com/security/cve/CVE-2023-28625.html CVE-2023-28625 https://bugzilla.suse.com/1210073 SUSE Bug 1210073