Sync from SUSE:SLFO:Main apache2-mod_auth_openidc revision a466541c215c835c0f679704a08021d2

apache2-mod_auth_openidc.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Tue Apr  8 06:53:53 UTC 2025 - pgajdos@suse.com
+
+- version update to 2.4.16.11 (CVE-2025-31492 [bsc#1240893])
+  - fix protected content leakage when using OIDCProviderAuthRequestMethod POST, see:
+      https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
+  - allow for regular Apache processing (e.g. setting response headers) when using OIDCProviderAuthRequestMethod POST
+  - core: complete case-insensitive protocol/hostname/domain-name comparisons
+
+  2.4.16.10
+  - core: compare hostnames and domains in a case insensitive way in:
+      oidc_request_check_cookie_domain
+      oidc_util_cookie_domain_valid
+      oidc_validate_redirect_url
+      oidc_cfg_parse_is_valid_url_scheme
+      oidc_discovery_target_link_uri_match
+  - cookie: fix oidc_util_cookie_domain_valid so that it checks the incoming request against OIDCCookieDomain
+    rather than the OIDCRedirectURI and displays the correct error message if they don't match
+  
+  2.4.16.9
+  - cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
+  - authz: remove the Location header from HTML based step up authentication redirects
+    as it may conflict with its HTTP 200 status code and confuse middle boxes
+  - metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi
+  - metrics: upon exit, do write cached metrics into shared memory before exiting
+
+-------------------------------------------------------------------
+Fri Mar 14 22:11:35 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 2.4.16.8:
+  * add support for claim value counters in OIDCMetricsData
+  * do not reset Prometheus counters by default, only when
+    explicitly specified
+  * metrics: reset to 0 in case of an integer overflow
+- build with pcre2
+
 -------------------------------------------------------------------
 Mon Feb 10 11:16:24 UTC 2025 - pgajdos@suse.com
 

apache2-mod_auth_openidc.spec

@@ -2,6 +2,7 @@
 # spec file for package apache2-mod_auth_openidc
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +18,7 @@
 
 
 Name:           apache2-mod_auth_openidc
-Version:        2.4.16.7
+Version:        2.4.16.11
 Release:        0
 Summary:        Apache2.x module for an OpenID Connect enabled Identity Provider
 License:        Apache-2.0
@@ -30,7 +31,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(cjose) >= 0.5.1
 BuildRequires:  pkgconfig(jansson) >= 2.0
 BuildRequires:  pkgconfig(libcurl)
-BuildRequires:  pkgconfig(libpcre)
+BuildRequires:  pkgconfig(libpcre2-8)
 BuildRequires:  pkgconfig(openssl) >= 1.0.1
 Requires:       %{apache_mmn}
 Requires:       %{apache_suse_maintenance_mmn}
@@ -42,7 +43,7 @@ BuildRequires:  hiredis-devel
 This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
 
 %prep
-%setup -q -n mod_auth_openidc-%{version}
+%autosetup -p1 -n mod_auth_openidc-%{version}
 
 %build
 %configure \