6 changed files with 103 additions and 137 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/mod_auth_openidc-2.4.10.tar.gz
+SOURCES/v2.4.9.4.tar.gz
--- a/.mod_auth_openidc.metadata
+++ b/.mod_auth_openidc.metadata
@ -1 +1 @@
-d909f783d719ffd86b3d919ca6590b0eed4d8a51 SOURCES/mod_auth_openidc-2.4.10.tar.gz
+47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz
--- a/SOURCES/0000-destdir.patch
+++ b/SOURCES/0000-destdir.patch
@ -1,15 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index e5d0a4d..e5bfa67 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -69,8 +69,8 @@ mod_auth_openidc.la: libauth_openidc.la
- 	${APXS} -c -o $@ $< ${AM_CFLAGS} ${LIBADD}
- 
- install-exec-local:
-	@APXS@ -i -a -n auth_openidc mod_auth_openidc.la
-#	${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so @APACHE_MODULEDIR@/mod_auth_openidc.so
-+#	@APXS@ -i -a -n auth_openidc mod_auth_openidc.la
-+	${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so $(DESTDIR)@APACHE_MODULEDIR@/mod_auth_openidc.so
- 
- LDADD = libauth_openidc.la ${LIBADD}
- 
--- a/SOURCES/0001-CVE-2022-23527.patch
+++ b/SOURCES/0001-CVE-2022-23527.patch
@ -1,7 +1,19 @@
-diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig	2021-11-05 11:55:03.000000000 +0100
-+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c	2024-04-15 17:53:49.601539683 +0200
-@@ -2537,6 +2537,20 @@ static apr_byte_t oidc_validate_redirect
+commit 4c494e4a59a15580e3226dcd6c02b24076b73421
+Author: Tomas Halman <thalman@redhat.com>
+Date:   Mon Feb 27 13:18:55 2023 +0100
+
+    Backport of fixes for CVE-2022-23527
+    
+    CVE-2022-23527 prevent open redirect in default setup
+    
+    This patch is based on 87119f44, f38af0e2, 1a394a86 and
+    1c808c58 updates.
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b36f6c1..099c716 100644
+--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
+@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
 	}
@ -22,21 +34,23 @@ diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.
 
 	return TRUE;
 }
-diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig	2021-11-09 10:00:40.000000000 +0100
-+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h	2024-04-15 17:53:49.601539683 +0200
-@@ -819,6 +819,7 @@ char *oidc_util_http_query_encoded_url(r
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 2218d76..8757411 100644
+--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
+@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
 char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
 apr_byte_t oidc_enabled(request_rec *r);
 char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
 +char* oidc_util_strcasestr(const char *s1, const char *s2);
 
 /* HTTP header constants */
- #define OIDC_HTTP_HDR_COOKIE                            "Cookie"
-diff -up mod_auth_openidc-2.4.10/src/util.c.orig mod_auth_openidc-2.4.10/src/util.c
--- mod_auth_openidc-2.4.10/src/util.c.orig	2021-11-05 11:55:03.000000000 +0100
-+++ mod_auth_openidc-2.4.10/src/util.c	2024-04-15 17:53:49.602539684 +0200
-@@ -435,6 +435,24 @@ char* oidc_util_javascript_escape(apr_po
+ #define OIDC_HTTP_HDR_COOKIE							"Cookie"
+diff --git a/src/util.c b/src/util.c
+index 4c46156..c6453d0 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
     return output;
 }
 
--- a/SOURCES/0002-CVE-2023-28625.patch
+++ b/SOURCES/0002-CVE-2023-28625.patch
@ -1,7 +1,19 @@
-diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig	2024-04-15 17:56:53.022820648 +0200
-+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c	2024-04-15 17:57:23.325867066 +0200
-@@ -175,6 +175,8 @@ void oidc_strip_cookies(request_rec *r)
+commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
+Author: Tomas Halman <thalman@redhat.com>
+Date:   Tue Apr 11 11:39:55 2023 +0200
+
+    Backport fixe of CVE-2023-28625
+    
+    CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
+    OIDCStripCookies is set and a crafted Cookie header is supplied
+    
+    This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 099c716..51eb53e 100644
+--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
+@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
 		do {
 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
 				cookie++;
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@ -14,14 +14,13 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc

 Name:		mod_auth_openidc
-Version:	2.4.10
-Release:	1%{?dist}
+Version:	2.4.9.4
+Release:	6%{?dist}
 Summary:	OpenID Connect auth module for Apache HTTP Server

 License:	ASL 2.0
-URL:		https://github.com/OpenIDC/mod_auth_openidc
-Source0:	https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
-Patch0:		0000-destdir.patch
+URL:		https://github.com/zmartzone/mod_auth_openidc
+Source0:	https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
 Patch1:		0001-CVE-2022-23527.patch
 Patch2:		0002-CVE-2023-28625.patch
 Patch3:		0003-CVE-2024-24814.patch
@ -39,6 +38,7 @@ BuildRequires:	cjose-devel
 BuildRequires:	jq-devel
 %{?_with_hiredis:BuildRequires: hiredis-devel}
 Requires:	httpd-mmn = %{_httpd_mmn}
+Requires:	cjose >= 0.6.1

 %description
 This module enables an Apache 2.x web server to operate as
@ -58,6 +58,7 @@ autoreconf
  %{?_without_hiredis} \
  --with-apxs2=%{_httpd_apxs}

+
 %{make_build}

 %check
@ -67,7 +68,7 @@ make test

 %install
 mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
-make DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=%{_httpd_moddir} install
+make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}

 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@ -99,122 +100,76 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache

 %changelog
-* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.10-1
-  Rebase to 2.4.10 version improves `state cookies piling up` problem
-  Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache
-  Resolves: RHEL-25422 mod_auth_openidc: DoS when using
-            `OIDCSessionType client-cookie` and manipulating cookies
-            (CVE-2024-24814)
+* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
+- Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
+- Resolves: RHEL-25421 mod_auth_openidc: DoS when using
+    `OIDCSessionType client-cookie` and manipulating cookies
+    (CVE-2024-24814)
+
+* Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5
+  Related: rhbz#2141850 - fix cjose version dependency

 * Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4
-  Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default
+  Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default

 * Tue Apr 11 2023  Tomas Halman <thalman@redhat.com> - 2.4.9.4-3
- Resolves: rhbz#2184145 - CVE-2023-28625 NULL pointer dereference
-  when OIDCStripCookies is set and a crafted Cookie header is supplied
+- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference
+      when OIDCStripCookies is set and a crafted Cookie header is supplied

 * Tue Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2
- Resolves: rhbz#2153656 - CVE-2022-23527 - Open Redirect in
-  oidc_validate_redirect_url() using tab character
+- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in
+      oidc_validate_redirect_url() using tab character

-* Tue Nov 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
- Resolves: rhbz#2001852 - CVE-2021-39191 mod_auth_openidc: open redirect
-                           by supplying a crafted URL in the target_link_uri
-                           parameter
+* Fri Apr 8 2022 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
+- Resolves: rhbz#2025368 - Rebase to new version

-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-11
+- Resolves: rhbz#1987222 - CVE-2021-32792 XSS when using OIDCPreservePost On

-* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9.1-1
- Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using
-                           OIDCPreservePost On [rhel-9.0]
- Resolves: rhbz#1987217 - CVE-2021-32791 mod_auth_openidc: hardcoded
-                           static IV and AAD with a reused key in AES GCM
-                           encryption [rhel-9.0]
- Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in
-                           oidc_validate_redirect_url() [rhel-9.0]
+* Fri Jan 28 2022 Tomas Halman <thalman@redhat.com> - 2.3.7-10
+- Resolves: rhbz#1987216 - CVE-2021-32791 hardcoded static IV and AAD with a
+                           reused key in AES GCM encryption [rhel-8] (edit) 

-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Fri Oct 29 2021 Tomas Halman <thalman@redhat.com> - 2.3.7-9
+- Resolves: rhbz#2001853 - CVE-2021-39191 open redirect by supplying a crafted URL
+                           in the target_link_uri parameter

-* Mon May 10 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.8.2-1
- New upstream release
- Resolves: rhbz#1958466 - mod_auth_openidc-2.4.8.2 is available
+* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-8
+- Resolves: rhbz#1823756 - Backport SameSite=None cookie from
+                           mod_auth_openidc upstream to support latest browsers

-* Thu May  6 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.7.2-1
- New upstream release
- Resolves: rhbz#1900913 - mod_auth_openidc-2.4.7.2 is available
+* Tue Nov 17 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-7
+- Resolves: rhbz#1897992 - OIDCStateInputHeaders &
+                           OIDCStateMaxNumberOfCookies in existing
+                           mod_auth_openidc version
+- Backport the OIDCStateMaxNumberOfCookies option
+- Configure which header value is used to calculate the fingerprint of
+  the auth state

-* Fri Apr 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.4.1-3
- Resolves: rhbz#1951277 - Remove unnecessary LTO patch 
+* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-6
+- Fix the previous backport
+- Related: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
+                          Open redirect in logout url when using URLs with
+                          leading slashes
+- Related: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
+                          open redirect issue exists in URLs with slash and
+                          backslash

-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.4.1-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Fri Sep  4 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4.1-1
- New upstream version 2.4.4.1
-
-* Tue Sep  1 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.4-1
- New upstream version 2.4.4
-
-* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-5
- update to use correct apxs via _httpd_apxs macro
-
-* Thu Aug 27 2020 Joe Orton <jorton@redhat.com> - 2.4.3-4
- work around LTO build failure
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 14 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.3
- New upstream version 2.4.3
-
-* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.2.1-1
- New upstream version 2.4.2.1
- Resolves: rhbz#1805104 - CVE-2019-20479 mod_auth_openidc: open redirect
-                           issue exists in URLs with slash and backslash
-                           [fedora-all]
- Resolves: rhbz#1816883 - mod_auth_openidc-2.4.2.1 is available
-
-* Thu Feb 13 2020 Tom Stellard <tstellar@redhat.com> - 2.4.1-2
- Use make_build macro instead of just make
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
-
-* Mon Feb  3 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.4.1-1
- New upstream version 2.4.1
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Nov 21 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.4-1
- New upstream version 2.4.0.4
-
-* Fri Oct  4 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0.3-1
- New upstream version 2.4.0.3
-
-* Fri Aug 23 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.4.0
- New upstream version 2.4.0
- Resolves: rhbz#1374884 - mod_auth_openidc-2.4.0 is available
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Sun May 10 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.3.7-5
+- Resolves: rhbz#1805749 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc:
+                           Open redirect in logout url when using URLs with
+                           leading slashes
+- Resolves: rhbz#1805068 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc:
+                           open redirect issue exists in URLs with slash and
+                           backslash

 * Thu Aug 16 2018  <jdennis@redhat.com> - 2.3.7-3
- update test-segfault.patch to match upstream
-
-* Tue Aug 14 2018  <jdennis@redhat.com> - 2.3.7-2
 - Resolves: rhbz# 1614977 - fix unit test segfault,
  the problem was not limited exclusively to s390x, but s390x provoked it.

+* Fri Aug 10 2018  <jdennis@redhat.com> - 2.3.7-2
+- disable running check on s390x
+
 * Wed Aug  1 2018  <jdennis@redhat.com> - 2.3.7-1
 - upgrade to upstream 2.3.7