[Git][security-tracker-team/security-tracker][master] CVE-2025-31492/libapache2-mod-auth-openidc: introductory commit

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue Dec 2 22:04:00 GMT 2025



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1eee9f7 by Sylvain Beucler at 2025-12-02T23:03:52+01:00
CVE-2025-31492/libapache2-mod-auth-openidc: introductory commit

Checked by setting up the PoC from:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
with precisions from:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-31492

Bisecting shows that version 6890b13c481f12debbd7c65a79e9dc5197deb794
introduces a 500 error, which is fixed by
5854e766a18b3d196e625222ef112f7a49ade1c7. Cherry-picking that fix
shows that 6890b13c481f12debbd7c65a79e9dc5197deb794 also introduces
the CVE.

  v2.3.11                                   -> !vuln
  6890b13c481f12debbd7c65a79e9dc5197deb794^ -> !vuln
  6890b13c481f12debbd7c65a79e9dc5197deb794  -> 500 | w/fix: vuln
  1ff9abc91a160c92027974952aeb108d0f34e9f5  -> 500 | w/fix: vuln
  a2b62793e17ab04c59ef4d956253339c77a350aa  -> 500 | w/fix: vuln
  5854e766a18b3d196e625222ef112f7a49ade1c7^ -> 500 | w/fix: vuln
  5854e766a18b3d196e625222ef112f7a49ade1c7  -> vuln (500 fix)
  3d95b4a3fbc493c6acc745626ac33143eb4968bf  -> vuln
  v2.4.0 -> vuln

Note: OpenSUSE has a patch for 2.3.8, which backports bits of new code
in an old code base, but I can't reproduce the CVE on that version.
I have to assume they were just being extra cautious, though with the
risk of introducing functional regressions.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -77077,6 +77077,8 @@ CVE-2025-31492 (mod_auth_openidc is an OpenID Certified authentication and autho
 	{DSA-5904-1 DLA-4129-1}
 	- libapache2-mod-auth-openidc 2.4.16.11-1 (bug #1102413)
 	NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
+	NOTE: OIDCProviderAuthRequestMethod introduced by: https://github.com/OpenIDC/mod_auth_openidc/commit/d77ec0228901d25bcbc873950d964d5c1e00254a (2.3.1rc2)
+	NOTE: Introduced by: https://github.com/OpenIDC/mod_auth_openidc/commit/6890b13c481f12debbd7c65a79e9dc5197deb794 (2.4.0rc11)
 	NOTE: Fixed by: https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127 (v2.4.16.11)
 CVE-2025-31488 (Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows use ...)
 	NOT-FOR-US: Plain Craft Launcher (PCL)
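Review bot: the new "Introduced by" NOTE cites 6890b13c481f12debbd7c65a79e9dc5197deb794 (2.4.0rc11) but drops the caveat from the commit message that this commit produced a 500 error and the vulnerable path only became reachable once 5854e766a18b3d196e625222ef112f7a49ade1c7 was applied; consider recording that in the tracker entry itself, e.g. `NOTE: Introduced by: https://github.com/OpenIDC/mod_auth_openidc/commit/6890b13c481f12debbd7c65a79e9dc5197deb794 (2.4.0rc11); only reachable after https://github.com/OpenIDC/mod_auth_openidc/commit/5854e766a18b3d196e625222ef112f7a49ade1c7`, so anyone triaging an intermediate version does not have to dig the nuance out of the commit log. Minor style point: the two added lines write the tags as `2.3.1rc2` and `2.4.0rc11` while the existing Fixed-by line uses `v2.4.16.11`; one form would be easier to grep.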



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1eee9f7451be5645a5ae3dc572adced82111ae9
