发布于3月6日3月6日 Members Oracle Linux: CVE-2023-28625: ELSA-2023-6940:mod_auth_openidc:2.3 security and bug fix update (MODERATE) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/03/2023 Created 11/24/2023 Added 11/22/2023 Modified 12/06/2024 Description mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`. A flaw was found in mod_auth_openidc, an OpenID Certified™ authentication and authorization module for the Apache HTTP server. It is possible to trigger a NULL pointer dereference when `OIDCStripCookies` is set and a crafted `Cookie` header is supplied, leading to a segmentation fault and a denial of service. Solution(s) oracle-linux-upgrade-mod-auth-openidc References https://attackerkb.com/topics/cve-2023-28625 CVE - 2023-28625 ELSA-2023-6940 ELSA-2023-6365
