A libapache2-mod-auth-openidc security update has been released for Debian GNU/Linux 10 LTS to address several vulnerabilities.

DLA 3409-1: libapache2-mod-auth-openidc security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3409-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Adrian Bunk
April 30, 2023   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u2
CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791
CVE-2021-32792 CVE-2023-28625
Debian Bug : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc,
an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

Insufficient validatation of URLs beginning with a slash and backslash.

CVE-2021-32785

Crash when using an unencrypted Redis cache.

CVE-2021-32786

Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

AES GCM encryption in used static IV and AAD.

CVE-2021-32792

XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

NULL pointer dereference with OIDCStripCookies.

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS