ALAS-2020-1448


Amazon Linux AMI Security Advisory: ALAS-2020-1448
Advisory Release Date: 2020-11-14 01:23 Pacific
Advisory Updated Date: 2020-11-16 20:52 Pacific
Severity: Medium

Issue Overview:

An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL. (CVE-2019-14857 )

An open redirect flaw was discovered in mod_auth_openidc where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with slash and backslash at the beginning to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect him to another, possibly malicious, URL. (CVE-2019-20479 )


Affected Packages:

mod24_auth_openidc


Issue Correction:
Run yum update mod24_auth_openidc to update your system.

New Packages:
i686:
    mod24_auth_openidc-debuginfo-1.8.8-7.6.amzn1.i686
    mod24_auth_openidc-1.8.8-7.6.amzn1.i686

src:
    mod24_auth_openidc-1.8.8-7.6.amzn1.src

x86_64:
    mod24_auth_openidc-1.8.8-7.6.amzn1.x86_64
    mod24_auth_openidc-debuginfo-1.8.8-7.6.amzn1.x86_64