
Test ID: 1.3.6.1.4.1.25623.1.1.9.2023.029984102101305
Category: Fedora Local Security Checks
Title: Fedora: Security Advisory (FEDORA-2023-02c84fe305)
Summary: The remote host is missing an update for the 'mod_auth_openidc' package(s) announced via the FEDORA-2023-02c84fe305 advisory.
Description:

Vulnerability Insight:
Automatic update for mod_auth_openidc-2.4.12.3-2.fc39.

##### **Changelog**

```
* Tue Mar 7 2023 Tomas Halman - 2.4.12.3-2
migrated to SPDX license
* Tue Feb 28 2023 Tomas Halman - 2.4.12.3-1
Rebase to 2.4.12.3 version
- Resolves: rhbz#2164064 - mod_auth_openidc-2.4.12.3 is available
* Thu Jan 19 2023 Fedora Release Engineering - 2.4.12.2-2
- Rebuilt for [link moved to references]
* Fri Dec 16 2022 Tomas Halman - 2.4.12.2-1
Rebase to 2.4.12.2 version
- Resolves: rhbz#2153658 - CVE-2022-23527 mod_auth_openidc: Open Redirect in
oidc_validate_redirect_url() using tab character
* Thu Sep 22 2022 Tomas Halman - 2.4.11.2-3
- Resolves: rhbz#2128328 - Port pcre dependency to pcre2
* Thu Jul 21 2022 Fedora Release Engineering - 2.4.11.2-2
- Rebuilt for [link moved to references]
* Thu Jun 23 2022 Tomas Halman - 2.4.11.2-1
- Resolves: rhbz#2082376 - New version 2.4.11.2 available
* Mon Apr 11 2022 Tomas Halman - 2.4.11.1-1
- Resolves: rhbz#1996926 - New version 2.4.11.1 available
* Thu Mar 31 2022 Tomas Halman - 2.4.9.4-1
- Resolves: rhbz#2001647 - CVE-2021-39191 mod_auth_openidc: open redirect
by supplying a crafted URL in the target_link_uri
parameter
* Thu Jan 20 2022 Fedora Release Engineering - 2.4.9.1-3
- Rebuilt for [link moved to references]
* Tue Sep 14 2021 Sahana Prasad - 2.4.9.1-2
- Rebuilt with OpenSSL 3.0.0
* Wed Aug 18 2021 Jakub Hrozek - 2.4.9.1-1
- New upstream release
- Resolves: rhbz#1993566 - mod_auth_openidc-2.4.9.1 is available
* Fri Jul 30 2021 Jakub Hrozek - 2.4.9-1
- Resolves: rhbz#1985153 - mod_auth_openidc-2.4.9 is available
- Resolves: rhbz#1986103 - CVE-2021-32786 mod_auth_openidc: open redirect
in oidc_validate_redirect_url()
- Resolves: rhbz#1986396 - CVE-2021-32791 mod_auth_openidc: hardcoded
static IV and AAD with a reused key in AES GCM
encryption
- Resolves: rhbz#1986398 - CVE-2021-32792 mod_auth_openidc: XSS when using
OIDCPreservePost On
* Thu Jul 22 2021 Fedora Release Engineering - 2.4.8.4-2
- Rebuilt for [link moved to references]
* Wed Jun 2 2021 Jakub Hrozek - 2.4.8.3-1
- New upstream release
- Resolves: rhbz#1966756 - mod_auth_openidc-2.4.8.3 is available
* Mon May 10 2021 Jakub Hrozek - 2.4.8.2-1
- New upstream release
- Resolves: rhbz#1958466 - mod_auth_openidc-2.4.8.2 is available
* Thu May 6 2021 Jakub Hrozek - 2.4.7.2-1
- New upstream release
- Resolves: rhbz#1900913 - mod_auth_openidc-2.4.7.2 is available
* Fri Apr 30 2021 Tomas Halman - 2.4.4.1-3
- Remove unnecessary LTO patch

```

Affected Software/OS:
'mod_auth_openidc' package(s) on Fedora 39.

Solution:
Please install the updated package(s).

CVSS Score:
5.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2021-32786
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7
https://security.netapp.com/advisory/ntap-20210902-0001/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/
https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
https://www.oracle.com/security-alerts/cpuapr2022.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-32791
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r
https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c
Common Vulnerability Exposure (CVE) ID: CVE-2021-32792
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-458c-7pwg-3j7j
https://github.com/zmartzone/mod_auth_openidc/commit/00c315cb0c8ab77c67be4a2ac08a71a83ac58751
https://github.com/zmartzone/mod_auth_openidc/commit/55ea0a085290cd2c8cdfdd960a230cbc38ba8b56
Common Vulnerability Exposure (CVE) ID: CVE-2021-39191
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32RGPW5LZDLDTB7MKZIGAHPSLFOUNWR5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RHXO4O4G2UQS7X6OQJCVZKHZAQ7SAIFB/
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
https://github.com/zmartzone/mod_auth_openidc/issues/672
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.4
https://lists.debian.org/debian-lts-announce/2023/07/msg00020.html
Common Vulnerability Exposure (CVE) ID: CVE-2022-23527
https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
Copyright: Copyright (C) 2024 Greenbone AG
