CVE-2019-20479.patch

@@ -0,0 +1,28 @@
+From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001
+From: AIMOTO NORIHITO <aimoto@osstech.co.jp>
+Date: Tue, 12 Nov 2019 17:09:23 +0900
+Subject: [PATCH] Fix open redirect starting with a slash and backslash
+
+---
+ src/mod_auth_openidc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 2467a42..b47a697 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+                                                 url);
+                 oidc_error(r, "%s: %s", *err_str, *err_desc);
+                 return FALSE;
++        } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
++                *err_str = apr_pstrdup(r->pool, "Malformed URL");
++                *err_desc =
++                                apr_psprintf(r->pool,
++                                                "No hostname was parsed and starting with '/\\': %s",
++                                                url);
++                oidc_error(r, "%s: %s", *err_str, *err_desc);
++                return FALSE;
+ 	}
+ 
+ 	/* validate the URL to prevent HTTP header splitting */

mod_auth_openidc.spec

@@ -6,16 +6,16 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 
 Name:           mod_auth_openidc
-Version:        2.4.16.11
-Release:        1
+Version:        2.4.0.3
+Release:        3
 Summary:        OpenID Connect Relying Party module for Apache 2.x HTTP Server
-License:        Apache-2.0
-URL:            https://github.com/OpenIDC/mod_auth_openidc
-Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+License:        ASL 2.0
+URL:            https://github.com/zmartzone/mod_auth_openidc
+Source0:        https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
+Patch0000:      CVE-2019-20479.patch
 
 BuildRequires:  gcc httpd-devel openssl-devel curl-devel jansson-devel
-BuildRequires:  pcre2-devel autoconf automake cjose-devel jq-devel
-BuildRequires:  libtool
+BuildRequires:  pcre-devel autoconf automake cjose-devel jq-devel
 Requires:       httpd-mmn = %{_httpd_mmn}
 
 %description
@@ -28,18 +28,18 @@ an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).
 %build
 export MODULES_DIR=%{_httpd_moddir}
 export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
-autoreconf -vfi
+autoreconf
 %configure --with-jq=/usr/lib64/ --without-hiredis
 make %{?_smp_mflags}
 
 %check
 export MODULES_DIR=%{_httpd_moddir}
 export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}'
-make check
+make test
 
 %install
 install -d $RPM_BUILD_ROOT%{_httpd_moddir}
-make install DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
+make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
 
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@@ -48,7 +48,6 @@ echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir}
 install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir}
 sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf
-install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}
 install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 
 %files
@@ -60,34 +59,6 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache}
 
 %changelog
-* Wed Apr 09 2025 yaoxin <1024769339@qq.com> - 2.4.16.11-1
-- Update to 2.4.16.11 for fix CVE-2025-31492
-
-* Mon Jan 13 2025 yaoxin <1024769339@qq.com> - 2.4.16.6-1
-- Update to 2.4.16.6:
-  * metadata: fix caching of JWKs from jwks_uri when using the default expiry setting
-  * info: fix requests to the info hook with extend_session=false
-  * cookie: OIDCCookieSameSite default behaviour Lax
-  * cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
-  * cache: avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory
-    cannot be found on the system upon initaliizing cache mutexes and the file cache
-  * metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards
-    compatibility with <=2.4.15.7 and to support private/test deployments
-  * code: address warnings from static code analysis tool CodeChecker
-
-* Sat Feb 17 2024 yaoxin <yao_xin001@hoperun.com> - 2.4.15.3-1
-- Upgrade to 2.4.15.3 for fix CVE-2024-24814
-
-* Wed Apr 12 2023 yaoxin <yao_xin001@hoperun.com> - 2.4.13.2-1
-- Update to 2.4.13.2 to fix CVE-2023-28625
-
-* Wed Sep 15 2021 houyingchao <houyingchao@huawei.com> 2.4.9.4-1
-- Upgrade to 2.4.9.4
-- Fix CVE-2021-39191
-
-* Thu Jun 10 2021 wangyue <wangyue92@huawei.com> 2.4.0.3-4
-- Fix CVE-2021-20718
-
 * Fri Feb 19 2021 wangxiao <wangxiao65@huawei.com> 2.4.0.3-3
 - Fix CVE-2019-20479
 

mod_auth_openidc.yaml

@@ -1,4 +1,4 @@
 version_control: github
-src_repo: OpenIDC/mod_auth_openidc
-tag_prefix: ^v
+src_repo: zmartzone/mod_auth_openidc
+tag_prefix: ^
 seperator: .