Bug 11872

Summary: apache-mod_nss new security issue CVE-2013-4566
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, thomas, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/575640/
Whiteboard: has_procedure advisory mga3-64-ok mga3-32-ok
Source RPM: apache-mod_nss-1.0.8-25.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-12-04 19:14:46 CET 
RedHat has issued an advisory on December 3:
https://rhn.redhat.com/errata/RHSA-2013-1779.html

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-04 19:14:53 CET

Whiteboard: (none) => MGA3TOO

Thomas Spuhler 2013-12-04 19:24:31 CET

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2013-12-05 00:32:25 CET 
solved in Cauldron
Comment 2 David Walser 2013-12-05 00:34:00 CET 
Thanks Thomas.  Fixed in Cauldron in apache-mod_nss-1.0.8-26.mga4.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2013-12-19 03:44:13 CET 
I see apache-mod_nss-1.0.8-16.4.mga3 was uploaded in updates_testing by Thomas.

Is this ready for QA?
Comment 4 Thomas Spuhler 2013-12-19 16:10:12 CET 
The policy says, I should do some preliminary test, so I will and let you know.
Comment 5 Thomas Spuhler 2013-12-19 17:34:57 CET 
This package is now ready for QA.
I upgraded a working VM with this fix. I used a reconfigured (using port 8443) roundcubemail and logged in, received and sent e-mail successfully.
I also logged in as https://localhost:8443 and receive the nice default message "It works"
I didn't do a fresh install.
I am now going to reassign it to QA

The update package are:
apache-mod_nss-1.0.8-16.4.mga3.srpm
apache-mod_nss-1.0.8-16.4.mga3.i586.rpm
apache-mod_nss-1.0.8-16.4.mga3.x86_64.rpm

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 6 David Walser 2013-12-19 19:05:21 CET 
Thanks Thomas!

Advisory:
========================

Updated apache-mod_nss package fixes security vulnerability:

A flaw was found in the way mod_nss handled the NSSVerifyClient setting for
the per-directory context. When configured to not require a client
certificate for the initial connection and only require it for a specific
directory, mod_nss failed to enforce this requirement and allowed a client
to access the directory when no valid client certificate was provided
(CVE-2013-4566).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566
https://rhn.redhat.com/errata/RHSA-2013-1779.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_nss-1.0.8-16.4.mga3

from apache-mod_nss-1.0.8-16.4.mga3.src.rpm
Comment 7 claire robinson 2013-12-20 15:04:56 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11364#c3

Testing mga3 64

%post issues in this one Thomas.

installing apache-mod_nss-1.0.8-16.4.mga3.x86_64.rpm from /var/cache/urpmi/rpms  
Preparing...                     ###############################################
      1/1: apache-mod_nss        ###############################################
Failed to issue method call: Unit httpd-prefork.service failed to load: No such file or directory. See system logs and 'systemctl status httpd-prefork.service' for details.
warning: %post(apache-mod_nss-1.0.8-16.4.mga3.x86_64) scriptlet failed, exit status 6
ERROR: 'script' failed for apache-mod_nss-1.0.8-16.4.mga3.x86_64: 
      1/1: removing apache-mod_nss-1.0.8-16.3.mga3.x86_64
                                 ###############################################
----------------------------------------------------------------------
More information on package apache-mod_nss-1.0.8-16.4.mga3.x86_64

NOTE: You may need to convert your existing ssl certs
These links provide a good how-to:

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
http://directory.fedora.redhat.com/wiki/Mod_nss

----------------------------------------------------------------------

Whiteboard: (none) => feedback

Comment 8 claire robinson 2013-12-20 15:11:29 CET 
cleared any old certs to confirm but still the same

# urpme apache-mod_nss
removing apache-mod_nss-1.0.8-16.4.mga3.x86_64
Failed to issue method call: Unit httpd-prefork.service not loaded.
Failed to issue method call: No such file or directory
removing package apache-mod_nss-1.0.8-16.4.mga3.x86_64
      1/1: removing apache-mod_nss-1.0.8-16.4.mga3.x86_64
                                 ###############################################

# rm -rf /etc/pki/nss/apache-mod_nss/
Comment 9 David Walser 2013-12-20 15:22:03 CET 
The apache-mod_nss %post scripts refer to the httpd service, not httpd-prefork, and the reason you're seeing this is you have a dangling symlink left over from a Mageia 2 upgrade:
[david@mageia ~]$ ls -l /etc/systemd/system/httpd.service 
lrwxrwxrwx 1 root root 41 Mar 19  2013 /etc/systemd/system/httpd.service -> /lib/systemd/system/httpd-prefork.service

Remove that symlink in /etc and you should be OK.

Whiteboard: feedback => (none)

Comment 10 claire robinson 2013-12-20 15:32:20 CET 
That is indeed what it was David, thanks.

With the dangling link removed it's fine and testing complete mga3 64.

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 11 claire robinson 2013-12-20 16:36:46 CET 
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-12-20 18:31:50 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0381.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED