Amazon Linux 2 Security Advisory: ALAS-2019-1329
Advisory Release Date: 2019-10-21 18:01 Pacific
Advisory Updated Date: 2019-10-23 23:53 Pacific
A text injection flaw was found in how mod_auth_openidc handled error pages. An attacker could potentially use this flaw to conduct content spoofing and phishing attacks by tricking users into opening specially crafted URLs. (CVE-2017-6059)
It was found that mod_auth_openidc did not properly sanitize HTTP headers for certain request paths. A remote attacker could potentially use this flaw to bypass authentication and access sensitive information by sending crafted HTTP requests. (CVE-2017-6413)
Affected Packages:
mod_auth_openidc
Note:
This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update mod_auth_openidc to update your system.
aarch64:
mod_auth_openidc-1.8.8-5.amzn2.aarch64
mod_auth_openidc-debuginfo-1.8.8-5.amzn2.aarch64
i686:
mod_auth_openidc-1.8.8-5.amzn2.i686
mod_auth_openidc-debuginfo-1.8.8-5.amzn2.i686
src:
mod_auth_openidc-1.8.8-5.amzn2.src
x86_64:
mod_auth_openidc-1.8.8-5.amzn2.x86_64
mod_auth_openidc-debuginfo-1.8.8-5.amzn2.x86_64