!32 [sync] PR-27: Update to 2.4.16.11 for fix CVE-2025-31492 and Sync code

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2019-20479.patch

@@ -1,28 +0,0 @@
-From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001
-From: AIMOTO NORIHITO <aimoto@osstech.co.jp>
-Date: Tue, 12 Nov 2019 17:09:23 +0900
-Subject: [PATCH] Fix open redirect starting with a slash and backslash
-
----
- src/mod_auth_openidc.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index 2467a42..b47a697 100644
---- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
-                                                 url);
-                 oidc_error(r, "%s: %s", *err_str, *err_desc);
-                 return FALSE;
-+        } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
-+                *err_str = apr_pstrdup(r->pool, "Malformed URL");
-+                *err_desc =
-+                                apr_psprintf(r->pool,
-+                                                "No hostname was parsed and starting with '/\\': %s",
-+                                                url);
-+                oidc_error(r, "%s: %s", *err_str, *err_desc);
-+                return FALSE;
- 	}
- 
- 	/* validate the URL to prevent HTTP header splitting */

mod_auth_openidc.spec

@@ -6,16 +6,16 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 
 Name:           mod_auth_openidc
-Version:        2.4.0.3
+Version:        2.4.16.11
-Release:        3
+Release:        1
 Summary:        OpenID Connect Relying Party module for Apache 2.x HTTP Server
-License:        ASL 2.0
+License:        Apache-2.0
-URL:            https://github.com/zmartzone/mod_auth_openidc
+URL:            https://github.com/OpenIDC/mod_auth_openidc
-Source0:        https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
+Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch0000:      CVE-2019-20479.patch
 
 BuildRequires:  gcc httpd-devel openssl-devel curl-devel jansson-devel
-BuildRequires:  pcre-devel autoconf automake cjose-devel jq-devel
+BuildRequires:  pcre2-devel autoconf automake cjose-devel jq-devel
+BuildRequires:  libtool
 Requires:       httpd-mmn = %{_httpd_mmn}
 
 %description
@@ -28,18 +28,18 @@ an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).
 %build
 export MODULES_DIR=%{_httpd_moddir}
 export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
-autoreconf
+autoreconf -vfi
 %configure --with-jq=/usr/lib64/ --without-hiredis
 make %{?_smp_mflags}
 
 %check
 export MODULES_DIR=%{_httpd_moddir}
 export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
-make test
+make check
 
 %install
 install -d $RPM_BUILD_ROOT%{_httpd_moddir}
-make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
+make install DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
 
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@@ -48,6 +48,7 @@ echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir}
 install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir}
 sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf
+install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}
 install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 
 %files
@@ -59,6 +60,34 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache}
 
 %changelog
+* Wed Apr 09 2025 yaoxin <1024769339@qq.com> - 2.4.16.11-1
+- Update to 2.4.16.11 for fix CVE-2025-31492
+
+* Mon Jan 13 2025 yaoxin <1024769339@qq.com> - 2.4.16.6-1
+- Update to 2.4.16.6:
+  * metadata: fix caching of JWKs from jwks_uri when using the default expiry setting
+  * info: fix requests to the info hook with extend_session=false
+  * cookie: OIDCCookieSameSite default behaviour Lax
+  * cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
+  * cache: avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory
+    cannot be found on the system upon initaliizing cache mutexes and the file cache
+  * metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards
+    compatibility with <=2.4.15.7 and to support private/test deployments
+  * code: address warnings from static code analysis tool CodeChecker
+
+* Sat Feb 17 2024 yaoxin <yao_xin001@hoperun.com> - 2.4.15.3-1
+- Upgrade to 2.4.15.3 for fix CVE-2024-24814
+
+* Wed Apr 12 2023 yaoxin <yao_xin001@hoperun.com> - 2.4.13.2-1
+- Update to 2.4.13.2 to fix CVE-2023-28625
+
+* Wed Sep 15 2021 houyingchao <houyingchao@huawei.com> 2.4.9.4-1
+- Upgrade to 2.4.9.4
+- Fix CVE-2021-39191
+
+* Thu Jun 10 2021 wangyue <wangyue92@huawei.com> 2.4.0.3-4
+- Fix CVE-2021-20718
+
 * Fri Feb 19 2021 wangxiao <wangxiao65@huawei.com> 2.4.0.3-3
 - Fix CVE-2019-20479
 

mod_auth_openidc.yaml

@@ -1,4 +1,4 @@
 version_control: github
-src_repo: zmartzone/mod_auth_openidc
+src_repo: OpenIDC/mod_auth_openidc
-tag_prefix: ^
+tag_prefix: ^v
 seperator: .