diff --git a/CVE-2019-20479.patch b/CVE-2019-20479.patch deleted file mode 100644 index 71c8978..0000000 --- a/CVE-2019-20479.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001 -From: AIMOTO NORIHITO -Date: Tue, 12 Nov 2019 17:09:23 +0900 -Subject: [PATCH] Fix open redirect starting with a slash and backslash - ---- - src/mod_auth_openidc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c -index 2467a42..b47a697 100644 ---- a/src/mod_auth_openidc.c -+++ b/src/mod_auth_openidc.c -@@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, - url); - oidc_error(r, "%s: %s", *err_str, *err_desc); - return FALSE; -+ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) { -+ *err_str = apr_pstrdup(r->pool, "Malformed URL"); -+ *err_desc = -+ apr_psprintf(r->pool, -+ "No hostname was parsed and starting with '/\\': %s", -+ url); -+ oidc_error(r, "%s: %s", *err_str, *err_desc); -+ return FALSE; - } - - /* validate the URL to prevent HTTP header splitting */ diff --git a/CVE-2021-20718-pre1.patch b/CVE-2021-20718-pre1.patch deleted file mode 100644 index d50ebd9..0000000 --- a/CVE-2021-20718-pre1.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 9793565ade06dcea0626e8c05137725141ef827b Mon Sep 17 00:00:00 2001 -From: Hans Zandbelt -Date: Fri, 28 Aug 2020 19:05:52 +0200 -Subject: [PATCH] allow Content-Type check on backchannel logout to have postfixes utf-8 etc. ; bump to 2.4.4rc8 - -Signed-off-by: Hans Zandbelt ---- - configure.ac | 2 +- - src/util.c | 7 +++++-- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index c976c5c..7e8353c 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,4 +1,4 @@ --AC_INIT([mod_auth_openidc],[2.4.0.3],[hans.zandbelt@zmartzone.eu]) -+AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu]) - - AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) - -diff --git a/src/util.c b/src/util.c -index 617136e..ca13512 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -1526,9 +1526,12 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table, - const char *content_type = NULL; - - content_type = oidc_util_hdr_in_content_type_get(r); -- if ((r->method_number != M_POST) || (apr_strnatcmp(content_type, -- OIDC_CONTENT_TYPE_FORM_ENCODED) != 0)) -+ if ((r->method_number != M_POST) || (strstr(content_type, -+ OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) { -+ oidc_debug(r, "required content-type %s not found", -+ OIDC_CONTENT_TYPE_FORM_ENCODED); - goto end; -+ } - - if (oidc_util_read(r, &data) != TRUE) - goto end; --- -2.23.0 - diff --git a/CVE-2021-20718.patch b/CVE-2021-20718.patch deleted file mode 100644 index 1101be9..0000000 --- a/CVE-2021-20718.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 42a14e1d7a3fff62fc6b20df56f6dc38f086effd Mon Sep 17 00:00:00 2001 -From: Hans Zandbelt -Date: Fri, 30 Apr 2021 19:33:38 +0200 -Subject: [PATCH] fix potential crash when Content-Type is not set in -POST requests thanks JPCERT/CC; release 2.4.8 - -Signed-off-by: Hans Zandbelt ---- - configure.ac | 2 +- - src/util.c | 5 ++--- - 2 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 7e8353c..50b555f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,4 +1,4 @@ --AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu]) -+AC_INIT([mod_auth_openidc],[2.4.8],[hans.zandbelt@zmartzone.eu]) - - AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) - -diff --git a/src/util.c b/src/util.c -index ca13512..2306c3a 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -1526,10 +1526,9 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table, - const char *content_type = NULL; - - content_type = oidc_util_hdr_in_content_type_get(r); -- if ((r->method_number != M_POST) || (strstr(content_type, -+ if ((r->method_number != M_POST) || (content_type == NULL) || (strstr(content_type, - OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) { -- oidc_debug(r, "required content-type %s not found", -- OIDC_CONTENT_TYPE_FORM_ENCODED); -+ oidc_debug(r, "required content-type %s not found", OIDC_CONTENT_TYPE_FORM_ENCODED); - goto end; - } - --- -2.23.0 - diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec index 71f3d89..299d117 100644 --- a/mod_auth_openidc.spec +++ b/mod_auth_openidc.spec @@ -6,15 +6,12 @@ %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc Name: mod_auth_openidc -Version: 2.4.0.3 -Release: 4 +Version: 2.4.9.4 +Release: 1 Summary: OpenID Connect Relying Party module for Apache 2.x HTTP Server License: ASL 2.0 URL: https://github.com/zmartzone/mod_auth_openidc -Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz -Patch0000: CVE-2019-20479.patch -Patch0001: CVE-2021-20718-pre1.patch -Patch0002: CVE-2021-20718.patch +Source0: https://github.com/zmartzone/mod_auth_openidc/archive/refs/tags/v%{version}.tar.gz BuildRequires: gcc httpd-devel openssl-devel curl-devel jansson-devel BuildRequires: pcre-devel autoconf automake cjose-devel jq-devel @@ -61,6 +58,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache} %changelog +* Wed Sep 15 2021 houyingchao 2.4.9.4-1 +- Upgrade to 2.4.9.4 +- Fix CVE-2021-39191 + * Thu Jun 10 2021 wangyue 2.4.0.3-4 - Fix CVE-2021-20718 diff --git a/v2.4.0.3.tar.gz b/v2.4.0.3.tar.gz deleted file mode 100644 index ba62312..0000000 Binary files a/v2.4.0.3.tar.gz and /dev/null differ diff --git a/v2.4.9.4.tar.gz b/v2.4.9.4.tar.gz new file mode 100644 index 0000000..87b64f7 Binary files /dev/null and b/v2.4.9.4.tar.gz differ