CVE-2025-31492 - mod_auth_openidc

Our security team alerted me to a recently announced vulnerability in mod_auth_openidc:

We have some RHEL 8 systems running OOD. While Red Hat has released updated packages to fix this issue, I see a higher version of mod_auth_openidc hosted in the OOD repo which was last updated in 2023. Could you tell me:

  • if you are planning on backporting this fix?
  • or, is there some significant difference in functionality that would prevent me from blacklisting the package in OOD repo (2.4.14.1) and using the latest RHEL 8 release (2.4.9.4)?

Thanks,
Yan

We’re not planning to backport this fix and yes you can likely exclude this package from your yum repos.

Indeed - I don’t see that we distribute this anymore. It appears in our 2.0 repos, but it’s not in our 3.0 and later versions. So upgrading OnDemand is also a way to get rid of this package, as it’s only on the 2.0 repositories and below.
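The mitigation discussed above amounts to excluding mod_auth_openidc from the OOD repo so that dnf/yum resolves it from the patched RHEL 8 channel instead. The script below is an added example written for this thread, not code from the Open OnDemand project: it adds (or extends) an `exclude=` line in one repo section of a yum repo file, and checks the result. The repo file name `ondemand-web.repo` and the repo id `ondemand-web` are assumptions; check the actual id with `dnf repolist` on your host. The sample repo file it operates on is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the OOD thread. Repo file name and repo id are assumed.
# On a real RHEL 8 host, after editing the repo file, confirm which build wins with:
#   dnf list --showduplicates mod_auth_openidc
#   dnf repoquery --installed mod_auth_openidc

# add_exclude FILE REPOID PATTERN
# Ensures "exclude=PATTERN" is present in the [REPOID] section of FILE.
# An existing exclude= line in that section is extended; other sections are untouched.
add_exclude() {
  file="$1"; repo="$2"; pat="$3"
  awk -v repo="$repo" -v pat="$pat" '
    BEGIN { insec = 0; have = 0 }
    /^\[/ {
      # leaving the target section without having seen exclude=: add one
      if (insec && !have) print "exclude=" pat
      insec = ($0 == "[" repo "]"); have = 0
    }
    insec && /^exclude=/ {
      if (index($0, pat) == 0) $0 = $0 " " pat   # extend, do not duplicate
      have = 1
    }
    { print }
    END { if (insec && !have) print "exclude=" pat }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# has_exclude FILE REPOID PATTERN -> exit 0 if PATTERN is excluded in [REPOID]
has_exclude() {
  awk -v repo="$2" -v pat="$3" '
    /^\[/ { insec = ($0 == "[" repo "]") }
    insec && /^exclude=/ && index($0, pat) { found = 1 }
    END { exit !found }
  ' "$1"
}

# Stand-alone demo on a constructed repo file (values are placeholders).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/ondemand-web.repo" <<'EOF'
[ondemand-web]
name=Open OnDemand Web Repo (constructed sample)
baseurl=https://example.invalid/ondemand/web/el8
enabled=1

[other-repo]
name=unrelated repo (constructed sample)
enabled=1
EOF
  add_exclude "$tmp/ondemand-web.repo" ondemand-web 'mod_auth_openidc*'
  cat "$tmp/ondemand-web.repo"
  rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in *sh) ;; *) demo ;; esac
```

The `exclude=` repo option is the standard yum/dnf mechanism (see yum.conf(5) and dnf.conf(5)); placing it in the OOD repo section rather than the global `[main]` section keeps the RHEL build of the package installable.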
