[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Launchpad Bug Tracker
2106320 at bugs.launchpad.net
Wed Apr 23 13:47:46 UTC 2025
This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.15.1-1ubuntu0.1
---------------
libapache2-mod-auth-openidc (2.4.15.1-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod POST
    - CVE-2025-31492

 -- Eduardo Barretto <eduardo.barretto at canonical.com>  Mon, 14 Apr 2025 19:23:44 +0200
** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
https://bugs.launchpad.net/bugs/2106320
Title:
OIDCProviderAuthRequestMethod POST leaks protected data
Status in libapache2-mod-auth-openidc package in Ubuntu:
Fix Committed
Status in libapache2-mod-auth-openidc source package in Bionic:
New
Status in libapache2-mod-auth-openidc source package in Focal:
New
Status in libapache2-mod-auth-openidc source package in Jammy:
Fix Released
Status in libapache2-mod-auth-openidc source package in Noble:
Fix Released
Status in libapache2-mod-auth-openidc source package in Oracular:
Fix Released
Status in libapache2-mod-auth-openidc source package in Plucky:
Fix Released
Bug description:
Versions up to and including 2.4.16.10
CVE-2025-31492
When doing authentication, and when configured with OIDCProviderAuthRequestMethod POST, the protected resource is appended to the normal HTTP response. This exposes protected data to people who have not been authenticated/authorised.

https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions
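The failure mode the report describes, as an added illustration that is not mod_auth_openidc's code and does not reproduce its patch: with the POST request method the module hands the browser an auto-submitting HTML form aimed at the provider; if the handler that emits that form does not terminate the response, whatever the server would normally send next (the protected resource) is appended after the form. The model below is written in Python rather than the module's C so it runs stand-alone; the request/response model, the function names, the provider endpoint and the protected content are all hypothetical. It pairs the leaky pattern with the corrected one and includes a check a deployment test can use: an unauthenticated response must carry nothing after the hand-off document's closing tag.

```python
"""Hypothetical model of an auth hand-off emitted as an auto-submit POST form.

Not mod_auth_openidc code.  Shows a handler that writes the form but keeps
going (so protected content follows it) beside one that ends the response,
plus a regression check for the unauthenticated case.
"""
from dataclasses import dataclass, field
import html

# Constructed placeholders; neither value comes from the bug report.
PROVIDER_AUTH_ENDPOINT = "https://op.example/authorize"
PROTECTED_BODY = "CONFIDENTIAL: quarterly figures"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response under construction."""
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def auth_request_form(state: str) -> str:
    """Build the self-submitting form that sends the authentication request
    to the provider with HTTP POST (the behaviour the POST setting selects)."""
    esc = html.escape
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{esc(PROVIDER_AUTH_ENDPOINT)}">'
        f'<input type="hidden" name="state" value="{esc(state)}"/>'
        "</form></body></html>"
    )


def serve_vulnerable(session_authenticated: bool, state: str = "s1") -> Response:
    """Leaky pattern: the hand-off form is written, but the handler falls
    through, so the protected resource is appended to the same response."""
    resp = Response()
    if not session_authenticated:
        resp.headers["Content-Type"] = "text/html"
        resp.body += auth_request_form(state)
        # BUG: no return here; processing continues to the protected content.
    resp.body += PROTECTED_BODY
    return resp


def serve_fixed(session_authenticated: bool, state: str = "s1") -> Response:
    """Corrected pattern: emitting the hand-off form completes the response;
    the protected resource is only reached with an authenticated session."""
    if not session_authenticated:
        return Response(headers={"Content-Type": "text/html"},
                        body=auth_request_form(state))
    return Response(body=PROTECTED_BODY)


def trailing_after_form(body: str) -> str:
    """Return whatever follows the hand-off document's closing </html>.
    For a correct unauthenticated response this is the empty string."""
    marker = "</html>"
    idx = body.find(marker)
    if idx < 0:
        return body
    return body[idx + len(marker):]


def leaks_protected_content(resp: Response) -> bool:
    """Regression check for the unauthenticated path: anything after the
    hand-off form means the server appended content it should have withheld."""
    return trailing_after_form(resp.body) != ""


if __name__ == "__main__":
    for name, handler in (("vulnerable", serve_vulnerable), ("fixed", serve_fixed)):
        resp = handler(False)
        print(f"{name}: leaks={leaks_protected_content(resp)} "
              f"trailing={trailing_after_form(resp.body)!r}")
```

The check deliberately looks for any bytes after the hand-off document rather than for a known secret string, so the same assertion works against real content without the test having to know what the protected resource contains.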