Bug 13215

Summary: apache-mod_security new security issue CVE-2013-5705
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/594893/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: apache-mod_security-2.7.5-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-04-15 19:39:12 CEST 
Fedora has issued an advisory on April 2:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131375.html

The issue was fixed upstream in 2.7.6.

Updated (to 2.7.7) package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

Martin Holst Swende discovered a flaw in the way mod_security handled chunked
requests. A remote attacker could use this flaw to bypass intended
mod_security restrictions, allowing them to send requests containing content
that should have been removed by mod_security (CVE-2013-5705).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131375.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.7.4-1.1.mga3
mlogc-2.7.4-1.1.mga3
apache-mod_security-2.7.5-2.1.mga4
mlogc-2.7.5-2.1.mga4

from SRPMS:
apache-mod_security-2.7.4-1.1.mga3.src.rpm
apache-mod_security-2.7.5-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-15 19:39:17 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-04-16 14:49:22 CEST 
As previous updates for this, just checking it loads ok.
eg.

# httpd -M 2>/dev/null |grep security

security_module (shared)

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-04-16 14:56:14 CEST 
Testing complete mga3 64 and mga4 32 & 64

# httpd -M 2>/dev/null | grep security
 security2_module (shared)

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Comment 3 claire robinson 2014-04-16 15:02:32 CEST 
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 4 claire robinson 2014-04-16 15:05:59 CEST 
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-04-17 22:36:38 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0180.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED