diff --git a/.gitignore b/.gitignore
index dd46cf5..c5cb2ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-mod_auth_openidc-2.4.15.tar.gz
+mod_auth_openidc-2.4.16.11.tar.gz
diff --git a/0001-CVE-2024-24814.patch b/0001-CVE-2024-24814.patch
deleted file mode 100644
index 2da5b9d..0000000
--- a/0001-CVE-2024-24814.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -diff -up mod_auth_openidc-2.4.15/src/metrics.c.orig mod_auth_openidc-2.4.15/src/metrics.c ---- mod_auth_openidc-2.4.15/src/metrics.c.orig 2025-04-11 11:29:39.633387587 +0200 -+++ mod_auth_openidc-2.4.15/src/metrics.c 2025-04-11 11:44:45.879336464 +0200 -@@ -151,6 +151,7 @@ const oidc_metrics_counter_info_t _oidc_ - { OM_CLASS_CONTENT, "request", "jwks", "JWKs requests to the content handler" }, - { OM_CLASS_CONTENT, "request", "discovery", "discovery requests to the content handler" }, - { OM_CLASS_CONTENT, "request", "post-preserve", "HTTP POST preservation requests to the content handler" }, -+ { OM_CLASS_CONTENT, "request", "authn-post", "HTTP POST authentication requests to the content handler" }, - { OM_CLASS_CONTENT, "request", "unknown", "unknown requests to the content handler" }, - - // KEEP THIS: end-of-counters -diff -up mod_auth_openidc-2.4.15/src/metrics.h.orig mod_auth_openidc-2.4.15/src/metrics.h ---- mod_auth_openidc-2.4.15/src/metrics.h.orig 2025-04-11 11:29:39.635387593 +0200 -+++ mod_auth_openidc-2.4.15/src/metrics.h 2025-04-11 11:45:48.802537835 +0200 -@@ -174,6 +174,7 @@ typedef enum { - OM_CONTENT_REQUEST_JWKS, - OM_CONTENT_REQUEST_DISCOVERY, - OM_CONTENT_REQUEST_POST_PRESERVE, -+ OM_CONTENT_REQUEST_AUTHN_POST, - OM_CONTENT_REQUEST_UNKNOWN, - - } oidc_metrics_counter_type_t; -diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.c ---- mod_auth_openidc-2.4.15/src/mod_auth_openidc.c.orig 2025-04-11 11:29:39.637387600 +0200 -+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.c 2025-04-11 11:41:36.817731409 +0200 -@@ -4638,11 +4638,18 @@ int oidc_content_handler(request_rec *r) - /* discovery may result in a 200 HTML page or a redirect to an external URL */ - rc = oidc_discovery(r, c); - -- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) { -+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) { - -+ /* sending POST 
authentication request */ -+ OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_AUTHN_POST); -+ -+ rc = OK; -+ -+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) { -+ -+ /* sending POST preserve request */ - OIDC_METRICS_COUNTER_INC(r, c, OM_CONTENT_REQUEST_POST_PRESERVE); - -- /* sending POST preserve */ - rc = OK; - - } /* else: an authenticated request for which content is produced downstream */ -diff -up mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.15/src/mod_auth_openidc.h ---- mod_auth_openidc-2.4.15/src/mod_auth_openidc.h.orig 2025-04-11 11:29:39.637387600 +0200 -+++ mod_auth_openidc-2.4.15/src/mod_auth_openidc.h 2025-04-11 11:31:41.085068464 +0200 -@@ -127,7 +127,8 @@ APLOG_USE_MODULE(auth_openidc); - #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i" - #define OIDC_REQUEST_STATE_KEY_CLAIMS "c" - #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d" --#define OIDC_REQUEST_STATE_KEY_AUTHN "a" -+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a" -+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p" - #define OIDC_REQUEST_STATE_KEY_SAVE "s" - #define OIDC_REQUEST_STATE_TRACE_ID "t" - -diff -up mod_auth_openidc-2.4.15/src/proto.c.orig mod_auth_openidc-2.4.15/src/proto.c ---- mod_auth_openidc-2.4.15/src/proto.c.orig 2025-04-11 11:29:39.645387627 +0200 -+++ mod_auth_openidc-2.4.15/src/proto.c 2025-04-11 12:10:15.546127971 +0200 -@@ -493,7 +493,7 @@ static int oidc_proto_add_form_post_para - /* - * make the browser POST parameters through Javascript auto-submit - */ --static int oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) { -+static void oidc_proto_html_post(request_rec *r, const char *url, apr_table_t *params) { - - oidc_debug(r, "enter"); - -@@ -510,7 +510,7 @@ static int oidc_proto_html_post(request_ - "

\n" - " \n"); - -- return oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK); -+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK); - } - - void add_auth_request_params(request_rec *r, apr_table_t *params, const char *auth_request_params) { -@@ -637,7 +637,12 @@ int oidc_proto_authorization_request(req - if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) { - - /* construct a HTML POST auto-submit page with the authorization request parameters */ -- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, params); -+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params); -+ -+ /* signal this to the content handler */ -+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, ""); -+ r->user = ""; -+ rv = OK; - - } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) { - -@@ -645,7 +650,6 @@ int oidc_proto_authorization_request(req - authorization_request = - oidc_util_http_query_encoded_url(r, provider->authorization_endpoint_url, params); - -- // TODO: should also enable this when using the POST binding for the auth request - /* see if we need to preserve POST parameters through Javascript/HTML5 storage */ - if (oidc_post_preserve_javascript(r, authorization_request, NULL, NULL) == FALSE) { - -@@ -658,7 +662,7 @@ int oidc_proto_authorization_request(req - } else { - - /* signal this to the content handler */ -- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, ""); -+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, ""); - r->user = ""; - rv = OK; - } diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec index 023e60e..e165ba0 100644 --- a/mod_auth_openidc.spec +++ b/mod_auth_openidc.spec 
@@ -14,14 +14,13 @@ %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 Name: mod_auth_openidc
-Version: 2.4.15
-Release: 4%{?dist}.1
+Version: 2.4.16.11
+Release: 1%{?dist}
 Summary: OpenID Connect auth module for Apache HTTP Server
 License: Apache-2.0
 URL: https://github.com/OpenIDC/mod_auth_openidc
 Source0: https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
-Patch0: 0001-CVE-2024-24814.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -42,7 +41,7 @@ This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
 %prep
-%autosetup -p1
+%setup -q
 %build
 # workaround rpm-buildroot-usage
@@ -97,9 +96,13 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 %changelog
-* Fri Apr 11 2025 Tomas Halman - 2.4.15-4%{?dist}.1
- Resolves: RHEL-86212 - mod_auth_openidc allows OIDCProviderAuthRequestMethod - POSTs to leak protected data (CVE-2025-31492)
+* Tue Apr 8 2025 Tomas Halman - 2.4.16.11-1
+ Rebase to version 2.4.16.11
+- Resolves: RHEL-86213
+
+* Mon Mar 31 2025 Tomas Halman - 2.4.16.10-1
+ Rebase to version 2.4.16.10
+- Resolves: RHEL-85518
 * Tue Oct 29 2024 Troy Dawson - 2.4.15-4
 - Bump release for October 2024 mass rebuild:
diff --git a/sources b/sources
index dd93d38..35d1712 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (mod_auth_openidc-2.4.15.tar.gz) = d29f5d04b5e1ce38d346803efedddfcebdb4b6b634a8e48a33331f009065ea887d9972ba9383c8719da7797c4f7f1d8adc7802dfef65715c84eb84813a18964e
+SHA512 (mod_auth_openidc-2.4.16.11.tar.gz) = b578278070f5acf3a4c14f7f1ff8784c7e8ab915385f3cb78912025fb6510377df9609d998885be04290f0bc7f433f3d5c7309243246bb593c839eb116056e54
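Review bot: Dropping `Patch0: 0001-CVE-2024-24814.patch` removes the downstream fix that the deleted changelog entry attributes to CVE-2025-31492 (RHEL-86212), but the new 2.4.16.11-1 entry only says `Rebase to version 2.4.16.11` / `- Resolves: RHEL-86213`, so the spec no longer records where that fix went. If the upstream release carries the fix, which the rebase presumably relies on, state it in the entry, e.g. `- Drop 0001-CVE-2024-24814.patch: fix for CVE-2025-31492 is included upstream`; if it does not, the patch needs to be re-based onto 2.4.16.11 rather than dropped. Note that the deleted patch's file name refers to CVE-2024-24814 while its changelog entry cites CVE-2025-31492, so the new entry is the place to say unambiguously which CVE(s) this rebase covers. The two `Rebase to version ...` lines also appear without the leading `- ` every other changelog line uses; worth confirming that is not just an artefact of this rendering. Replacing `%autosetup -p1` with `%setup -q` is correct with no patches left, though keeping `%autosetup` would let a future patch be added without touching `%prep`.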