[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Dave Jones
2106320 at bugs.launchpad.net
Mon Jun 30 11:47:10 UTC 2025
Focal and bionic are both out of standard support at this point, so both
should be "won't fix" (ESM may patch separately to this).
** Changed in: libapache2-mod-auth-openidc (Ubuntu Bionic)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
https://bugs.launchpad.net/bugs/2106320
Title:
OIDCProviderAuthRequestMethod POST leaks protected data
Status in libapache2-mod-auth-openidc package in Ubuntu:
Fix Committed
Status in libapache2-mod-auth-openidc source package in Bionic:
Won't Fix
Status in libapache2-mod-auth-openidc source package in Focal:
Won't Fix
Status in libapache2-mod-auth-openidc source package in Jammy:
Fix Released
Status in libapache2-mod-auth-openidc source package in Noble:
Fix Released
Status in libapache2-mod-auth-openidc source package in Oracular:
Fix Released
Status in libapache2-mod-auth-openidc source package in Plucky:
Fix Released
Bug description:
Versions up to and including 2.4.16.10
CVE-2025-31492
When doing authentication, and when configured with
OIDCProviderAuthRequestMethod POST, the protected resource is appended
to the normal http response. This exposes protected data to people who
have not been authenticated/authorised.
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-
rwph-878r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list