- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 05, 2024                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u4
CVE ID         : CVE-2024-24814
Debian Bug     : 1064183

It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.

Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.

For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS