oss-sec mailing list archives

OpenID Connect authentication module for Apache: CVE-2017-6059 CVE-2017-6062


From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 17 Feb 2017 21:23:19 +0100

Hi

MITRE has assigned two CVEs for the OpenID Connect authentication
module for Apache (https://github.com/pingidentity/mod_auth_openidc):

CVE-2017-6059:

https://github.com/pingidentity/mod_auth_openidc/issues/212

mod_auth_openidc shows user-supplied content on error pages.

CVE-2017-6062:

https://github.com/pingidentity/mod_auth_openidc/issues/222

OIDCUnAuthAction pass does not scrub request headers

Regards,
Salvatore

