[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Sebastien Bacher
2106320 at bugs.launchpad.net
Tue Jul 1 13:47:20 UTC 2025
The fix seems to have landed in
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-
openidc/2.4.17-1 for questing
** Changed in: libapache2-mod-auth-openidc (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
https://bugs.launchpad.net/bugs/2106320
Title:
OIDCProviderAuthRequestMethod POST leaks protected data
Status in libapache2-mod-auth-openidc package in Ubuntu:
Fix Released
Status in libapache2-mod-auth-openidc source package in Bionic:
Won't Fix
Status in libapache2-mod-auth-openidc source package in Focal:
Won't Fix
Status in libapache2-mod-auth-openidc source package in Jammy:
Fix Released
Status in libapache2-mod-auth-openidc source package in Noble:
Fix Released
Status in libapache2-mod-auth-openidc source package in Oracular:
Fix Released
Status in libapache2-mod-auth-openidc source package in Plucky:
Fix Released
Bug description:
Versions up to and including 2.4.16.10
CVE-2025-31492
When doing authentication, and when configured with
OIDCProviderAuthRequestMethod POST, the protected resource is appended
to the normal http response. This exposes protected data to people who
have not been authenticated/authorised.
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-
rwph-878r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list