import UBI mod_auth_openidc-2.4.16.11-1.el10

2025-11-11 21:55:28 +00:00 · 2025-11-11 21:55:28 +00:00 · 5e6c624c76
commit 5e6c624c76
parent c283799b3f
4 changed files with 12 additions and 120 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-mod_auth_openidc-2.4.15.tar.gz
+mod_auth_openidc-2.4.16.11.tar.gz
--- a/0001-CVE-2024-24814.patch
+++ b/0001-CVE-2024-24814.patch
@ -1,111 +0,0 @@
-diff -up mod_auth_openidc-2.4.15/src/metrics.c.orig mod_auth_openidc-2.4.15/src/metrics.c
--- mod_auth_openidc-2.4.15/src/metrics.c.orig	2025-04-11 11:29:39.633387587 +0200
-+++ mod_auth_openidc-2.4.15/src/metrics.c	2025-04-11 11:44:45.879336464 +0200
-@@ -151,6 +151,7 @@ const oidc_metrics_counter_info_t _oidc_
-   { OM_CLASS_CONTENT, "request", "jwks",          "JWKs requests to the content handler" },
-   { OM_CLASS_CONTENT, "request", "discovery",     "discovery requests to the content handler" },
-   { OM_CLASS_CONTENT, "request", "post-preserve", "HTTP POST preservation requests to the content handler" },
-+  { OM_CLASS_CONTENT, "request", "authn-post",    "HTTP POST authentication requests to the content handler" },
-   { OM_CLASS_CONTENT, "request", "unknown",       "unknown requests to the content handler" },
- 
-   // KEEP THIS: end-of-counters
-diff -up mod_auth_openidc-2.4.15/src/metrics.h.orig mod_auth_openidc-2.4.15/src/metrics.h
--- mod_auth_openidc-2.4.15/src/metrics.h.orig	2025-04-11 11:29:39.635387593 +0200
-+++ mod_auth_openidc-2.4.15/src/metrics.h	2025-04-11 11:45:48.802537835 +0200
-@@ -174,6 +174,7 @@ typedef enum {
- 	OM_CONTENT_REQUEST_JWKS,
- 	OM_CONTENT_REQUEST_DISCOVERY,
- 	OM_CONTENT_REQUEST_POST_PRESERVE,
-+	OM_CONTENT_REQUEST_AUTHN_POST,
- 	OM_CONTENT_REQUEST_UNKNOWN,
- 
- } oidc_metrics_counter_type_t;
-diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig	2025-04-11 11:29:39.637387600 +0200
-+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.c	2025-04-11 11:41:36.817731409 +0200
-@@ -4638,11 +4638,18 @@ int oidc_content_handler(request_rec *r)
- 		/* discovery may result in a 200 HTML page or a redirect to an external URL */
- 		rc = oidc_discovery(r, c);
- 
-	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
-+	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
- 
-+		/* sending POST authentication request */
-+		OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_AUTHN_POST);
-+
-+		rc = OK;
-+
-+	} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
-+
-+		/* sending POST preserve request */
- 		OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_POST_PRESERVE);
- 
-		/* sending POST preserve */
- 		rc = OK;
- 
- 	} /* else: an authenticated request for which content is produced downstream */
-diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig	2025-04-11 11:29:39.637387600 +0200
-+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.h	2025-04-11 11:31:41.085068464 +0200
-@@ -127,7 +127,8 @@ APLOG_USE_MODULE(auth_openidc);
- #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
- #define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
- #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
-+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
-+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
- #define OIDC_REQUEST_STATE_KEY_SAVE "s"
- #define OIDC_REQUEST_STATE_TRACE_ID "t"
- 
-diff -up mod_auth_openidc-2.4.15/src/proto.c.orig mod_auth_openidc-2.4.15/src/proto.c
--- mod_auth_openidc-2.4.15/src/proto.c.orig	2025-04-11 11:29:39.645387627 +0200
-+++ mod_auth_openidc-2.4.15/src/proto.c	2025-04-11 12:10:15.546127971 +0200
-@@ -493,7 +493,7 @@ static int oidc_proto_add_form_post_para
- /*
-  * make the browser POST parameters through Javascript auto-submit
-  */
-static int oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) {
-+static void oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) {
- 
- 	oidc_debug(r, "enter");
- 
-@@ -510,7 +510,7 @@ static int oidc_proto_html_post(request_
- 				 "      </p>\n"
- 				 "    </form>\n");
- 
-	return oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
-+	oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
- }
- 
- void add_auth_request_params(request_rec *r, apr_table_t *params, const char *auth_request_params) {
-@@ -637,7 +637,12 @@ int oidc_proto_authorization_request(req
- 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
- 
- 		/* construct a HTML POST auto-submit page with the authorization request parameters */
-		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
-+		oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
-+
-+		/* signal this to the content handler */
-+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
-+		r->user = "";
-+		rv = OK;
- 
- 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
- 
-@@ -645,7 +650,6 @@ int oidc_proto_authorization_request(req
- 		authorization_request =
- 		    oidc_util_http_query_encoded_url(r, provider->authorization_endpoint_url, params);
- 
-		// TODO: should also enable this when using the POST binding for the auth request
- 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
- 		if (oidc_post_preserve_javascript(r, authorization_request, NULL, NULL) == FALSE) {
- 
-@@ -658,7 +662,7 @@ int oidc_proto_authorization_request(req
- 		} else {
- 
- 			/* signal this to the content handler */
-			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
-+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
- 			r->user = "";
- 			rv = OK;
- 		}
--- a/mod_auth_openidc.spec
+++ b/mod_auth_openidc.spec
@ -14,14 +14,13 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc

 Name:		mod_auth_openidc
-Version:	2.4.15
-Release:	4%{?dist}.1
+Version:	2.4.16.11
+Release:	1%{?dist}
 Summary:	OpenID Connect auth module for Apache HTTP Server

 License:	Apache-2.0
 URL:		https://github.com/OpenIDC/mod_auth_openidc
 Source0:	https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
-Patch0:		0001-CVE-2024-24814.patch

 BuildRequires: make
 BuildRequires:  gcc
@ -42,7 +41,7 @@ This module enables an Apache 2.x web server to operate as
 an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

 %prep
-%autosetup -p1
+%setup -q

 %build
 # workaround rpm-buildroot-usage
@ -97,9 +96,13 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache

 %changelog
-* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.15-4%{?dist}.1
-  Resolves: RHEL-86212 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
-            POSTs to leak protected data (CVE-2025-31492)
+* Tue Apr 8 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.11-1
+  Rebase to version 2.4.16.11
+- Resolves: RHEL-86213
+
+* Mon Mar 31 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.10-1
+  Rebase to version 2.4.16.10
+- Resolves: RHEL-85518

 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.15-4
 - Bump release for October 2024 mass rebuild:
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (mod_auth_openidc-2.4.15.tar.gz) = d29f5d04b5e1ce38d346803efedddfcebdb4b6b634a8e48a33331f009065ea887d9972ba9383c8719da7797c4f7f1d8adc7802dfef65715c84eb84813a18964e
+SHA512 (mod_auth_openidc-2.4.16.11.tar.gz) = b578278070f5acf3a4c14f7f1ff8784c7e8ab915385f3cb78912025fb6510377df9609d998885be04290f0bc7f433f3d5c7309243246bb593c839eb116056e54