Fedora 39 : mod_auth_openidc (2023-02c84fe305)

medium Nessus Plugin ID 185201

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-02c84fe305 advisory.

Automatic update for mod_auth_openidc-2.4.12.3-2.fc39.

##### **Changelog**

```
* Tue Mar 7 2023 Tomas Halman <[email protected]> - 2.4.12.3-2
- Migrated to SPDX license
* Tue Feb 28 2023 Tomas Halman <[email protected]> - 2.4.12.3-1
- Rebase to 2.4.12.3 version
- Resolves: rhbz#2164064 - mod_auth_openidc-2.4.12.3 is available
* Thu Jan 19 2023 Fedora Release Engineering <[email protected]> - 2.4.12.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 16 2022 Tomas Halman <[email protected]> - 2.4.12.2-1
- Rebase to 2.4.12.2 version
- Resolves: rhbz#2153658 - CVE-2022-23527 mod_auth_openidc: Open Redirect in oidc_validate_redirect_url() using tab character
* Thu Sep 22 2022 Tomas Halman <[email protected]> - 2.4.11.2-3
- Resolves: rhbz#2128328 - Port pcre dependency to pcre2
* Thu Jul 21 2022 Fedora Release Engineering <[email protected]> - 2.4.11.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jun 23 2022 Tomas Halman <[email protected]> - 2.4.11.2-1
- Resolves: rhbz#2082376 - New version 2.4.11.2 available
* Mon Apr 11 2022 Tomas Halman <[email protected]> - 2.4.11.1-1
- Resolves: rhbz#1996926 - New version 2.4.11.1 available
* Thu Mar 31 2022 Tomas Halman <[email protected]> - 2.4.9.4-1
- Resolves: rhbz#2001647 - CVE-2021-39191 mod_auth_openidc: open redirect by supplying a crafted URL in the target_link_uri parameter
* Thu Jan 20 2022 Fedora Release Engineering <[email protected]> - 2.4.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Sep 14 2021 Sahana Prasad <[email protected]> - 2.4.9.1-2
- Rebuilt with OpenSSL 3.0.0
* Wed Aug 18 2021 Jakub Hrozek <[email protected]> - 2.4.9.1-1
- New upstream release
- Resolves: rhbz#1993566 - mod_auth_openidc-2.4.9.1 is available
* Fri Jul 30 2021 Jakub Hrozek <[email protected]> - 2.4.9-1
- Resolves: rhbz#1985153 - mod_auth_openidc-2.4.9 is available
- Resolves: rhbz#1986103 - CVE-2021-32786 mod_auth_openidc: open redirect in oidc_validate_redirect_url()
- Resolves: rhbz#1986396 - CVE-2021-32791 mod_auth_openidc: hardcoded static IV and AAD with a reused key in AES GCM encryption
- Resolves: rhbz#1986398 - CVE-2021-32792 mod_auth_openidc: XSS when using OIDCPreservePost On
* Thu Jul 22 2021 Fedora Release Engineering <[email protected]> - 2.4.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 2 2021 Jakub Hrozek <[email protected]> - 2.4.8.3-1
- New upstream release
- Resolves: rhbz#1966756 - mod_auth_openidc-2.4.8.3 is available
* Mon May 10 2021 Jakub Hrozek <[email protected]> - 2.4.8.2-1
- New upstream release
- Resolves: rhbz#1958466 - mod_auth_openidc-2.4.8.2 is available
* Thu May 6 2021 Jakub Hrozek <[email protected]> - 2.4.7.2-1
- New upstream release
- Resolves: rhbz#1900913 - mod_auth_openidc-2.4.7.2 is available
* Fri Apr 30 2021 Tomas Halman <[email protected]> - 2.4.4.1-3
- Remove unnecessary LTO patch
```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected mod_auth_openidc package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2023-02c84fe305

Plugin Details

Severity: Medium

ID: 185201

File Name: fedora_2023-02c84fe305.nasl

Version: 1.3

Type: local

Agent: unix

Published: 11/7/2023

Updated: 11/14/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-39191

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-23527

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:39, p-cpe:/a:fedoraproject:fedora:mod_auth_openidc

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/7/2023

Vulnerability Publication Date: 7/22/2021

Reference Information

CVE: CVE-2021-32786, CVE-2021-32791, CVE-2021-32792, CVE-2021-39191, CVE-2022-23527