CVE-2025-31492 - mod_auth_openidc

Our security team alerted me to a recently announced vulnerability in mod_auth_openidc:

We have some RHEL 8 systems running OOD. While Red Hat has released updated packages to fix this issue, I see a higher version of mod_auth_openidc hosted in the OOD repo which was last updated in 2023. Could you tell me:

  • if you are planning on backporting this fix?
  • or, is there some significant difference in functionality that would prevent me from blacklisting the package in the OOD repo (2.4.14.1) and using the latest RHEL 8 release (2.4.9.4)?

Thanks,
Yan

We’re not planning to backport this fix and yes you can likely exclude this package from your yum repos.

Indeed - I don’t see we distribute this anymore. It appears on our 2.0 repos, but it’s not on our 3.0 and beyond versions. So upgrading OnDemand is also a way to get rid of this package, as it’s only on the 2.0 repositories and below.
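As an added example (not from the thread or the OnDemand project), this is one way to do the exclusion the replies suggest: add an `excludepkgs=` line to the OnDemand repo section only, so dnf on RHEL 8 resolves mod_auth_openidc from Red Hat's repos. The repo file path and repo id are placeholders; the `dnf distro-sync` step is needed because the Red Hat build (2.4.9.4) has a lower version number than the OOD build (2.4.14.1), so a plain `dnf update` would not switch to it.

```shell
#!/bin/sh
# Added example: make dnf on RHEL 8 resolve mod_auth_openidc from Red Hat's
# repos instead of the OnDemand 2.0 repo, by adding an excludepkgs= line to
# the OnDemand repo section only (other sections are left untouched).
# REPO_FILE and REPO_ID are placeholders; take the real values from
# `dnf repolist -v` on your host.
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/ondemand.repo}"   # placeholder path
REPO_ID="${REPO_ID:-ondemand-web}"                         # placeholder repo id

# has_exclude FILE SECTION SPEC: exit 0 if "excludepkgs=SPEC" is inside [SECTION]
has_exclude() {
  awk -v s="[$2]" -v p="excludepkgs=$3" '
    $0 == s { in_s = 1; next }     # entered the section we care about
    /^\[/   { in_s = 0 }           # any other section header ends it
    in_s && $0 == p { found = 1 }
    END { exit !found }' "$1"
}

# add_exclude FILE SECTION SPEC: insert the exclude line directly under
# [SECTION], once only (idempotent); other sections are copied verbatim.
add_exclude() {
  has_exclude "$1" "$2" "$3" && return 0
  awk -v s="[$2]" -v p="excludepkgs=$3" '{ print } $0 == s { print p }' "$1" \
    > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage on a real host (not run here):
#   add_exclude "$REPO_FILE" "$REPO_ID" 'mod_auth_openidc*'
#   dnf distro-sync mod_auth_openidc   # replaces OOD's 2.4.14.1 with the RHEL 8 build
#   rpm -q mod_auth_openidc            # confirm the Red Hat build is installed
```

After the switch, check `rpm -q --changelog mod_auth_openidc` for the CVE-2025-31492 entry to confirm the installed build carries the fix.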