You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa mod_auth_openidc

Sigurnosni nedostaci programskog paketa mod_auth_openidc

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: mod_auth_openidc security update
Advisory ID: RHSA-2020:3970-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3970
Issue date: 2020-09-29
CVE Names: CVE-2019-14857 CVE-2019-20479
=====================================================================

1. Summary:

An update for mod_auth_openidc is now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64

3. Description:

The mod_auth_openidc is an OpenID Connect authentication module for Apache
HTTP Server. It enables an Apache HTTP Server to operate as an OpenID
Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* mod_auth_openidc: Open redirect in logout url when using URLs with
leading slashes (CVE-2019-14857)

* mod_auth_openidc: Open redirect issue exists in URLs with slash and
backslash (CVE-2019-20479)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1760613 – CVE-2019-14857 mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes
1805102 – CVE-2019-20479 mod_auth_openidc: Open redirect issue exists in URLs with slash and backslash

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
mod_auth_openidc-1.8.8-7.el7.src.rpm

ppc64:
mod_auth_openidc-1.8.8-7.el7.ppc64.rpm
mod_auth_openidc-debuginfo-1.8.8-7.el7.ppc64.rpm

ppc64le:
mod_auth_openidc-1.8.8-7.el7.ppc64le.rpm
mod_auth_openidc-debuginfo-1.8.8-7.el7.ppc64le.rpm

s390x:
mod_auth_openidc-1.8.8-7.el7.s390x.rpm
mod_auth_openidc-debuginfo-1.8.8-7.el7.s390x.rpm

x86_64:
mod_auth_openidc-1.8.8-7.el7.x86_64.rpm
mod_auth_openidc-debuginfo-1.8.8-7.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
mod_auth_openidc-1.8.8-7.el7.src.rpm

x86_64:
mod_auth_openidc-1.8.8-7.el7.x86_64.rpm
mod_auth_openidc-debuginfo-1.8.8-7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-14857
https://access.redhat.com/security/cve/CVE-2019-20479
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBX3OhbNzjgjWX9erEAQhsDw/+NQRLTTewJofhF31TnH4FBqJKkS0W1lGw
d5kiapcynaV7l2/gwsVbyMKv3jgW42WGlAvc360g6tSthCO0/ZhHX1MW8KLjjWLh
aILafoTJ/wr4dAO6X0TODTFMWsUaJcO23Pt1bIACTiMWVIkzXHvznEq1HdsrRTGS
H7HhiR/+ZG1bJ+1PN/HU+FGYABizMCkeRSepYEOhnjs5pk9Aqf1BWFV3ljfptYcu
AT4EdPjDWAyoAQf6dYflEB9afw4noS2kxujfh6IOfzvAqv2t7Djm7iY7NQNJQ/q1
VWf/3elffxsRsefpWVJPMpIy0xURLMOwVA3DOm5P0Rzysc6I4Vc6KdQRaEWazVnD
h0Hq5+PVHIPjrwPFkWHAqF9F9iQqIfaqS2xx+iRyymZC9/99OXoYtJD3Vz9SAne9
hP+AxnyoTrr8xyhZ4JL/ZUrPw7/xkfRljs7Yq7sbtamKHrhEf/YuTLe15I92H1BT
kTJQ7RTwQSMRSkhKKkIGOHBS+XWtAG1HhhWcBn9nXgLFzOzpcwwYZXFnWPmnQxeH
QYbLh4oJUiIYi52o+VBCUe2XG07KvsPHvA3/wROmdyxuUWAbfJnRf0IBfG90HT0v
7/FkHblv7Ext8xI21mgpn9mR9xNR91v9K97lYa91Vj1BruPYqlBHwMwGGaEEkJl4
W6gJZGS+tow=
=VoDy
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostaci programske biblioteke libvpx

Otkriveni su sigurnosni nedostaci programske biblioteke libvpx za operacijski sustav RHEL. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja ili...

Close