Descriptionmod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3409-1, DSA-5405-1
Debian Bugs1033916

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-openidc (PTS)buster2.3.10.2-1+deb10u1vulnerable
buster (security)
bullseye (security)
sid, trixie2.4.14.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (v2.4.13.2)

Search for package or bug name: Reporting problems