Bug 14773

Summary: apache new security issues CVE-2013-5704 and CVE-2014-3581
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/610938/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Source RPM: apache-2.4.7-5.3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-10 18:51:24 CET 
RedHat has issued an advisory on December 9:
https://rhn.redhat.com/errata/RHSA-2014-1972.html

They added patches in this commit:
https://git.centos.org/commit/rpms!httpd24-httpd.git/62b79381389dd11cbaefc91635e37114f0e75fdb

The issues will be fixed in httpd 2.4.11, which has not yet been released.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way the mod_cache httpd
module handled Content-Type headers. A malicious HTTP server could cause
the httpd child process to crash when the Apache HTTP server was configured
to proxy to a server with caching enabled (CVE-2014-3581).

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers (CVE-2013-5704).

Note: With this update, httpd has been modified to not merge HTTP Trailer
headers with other HTTP request headers. A newly introduced configuration
directive MergeTrailers can be used to re-enable the old method of
processing Trailer headers, which also re-introduces the aforementioned
flaw.

This update also fixes the following bug:

Prior to this update, the mod_proxy_wstunnel module failed to set up an
SSL connection when configured to use a back end server using the "wss:"
URL scheme, causing proxied connections to fail. In these updated packages,
SSL is used when proxying to "wss:" back end servers (rhbz#1141950).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
https://bugzilla.redhat.com/show_bug.cgi?id=1141950
https://rhn.redhat.com/errata/RHSA-2014-1972.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.4.mga4
apache-mod_dav-2.4.7-5.4.mga4
apache-mod_ldap-2.4.7-5.4.mga4
apache-mod_session-2.4.7-5.4.mga4
apache-mod_cache-2.4.7-5.4.mga4
apache-mod_proxy-2.4.7-5.4.mga4
apache-mod_proxy_html-2.4.7-5.4.mga4
apache-mod_suexec-2.4.7-5.4.mga4
apache-mod_userdir-2.4.7-5.4.mga4
apache-mod_ssl-2.4.7-5.4.mga4
apache-mod_dbd-2.4.7-5.4.mga4
apache-htcacheclean-2.4.7-5.4.mga4
apache-devel-2.4.7-5.4.mga4
apache-doc-2.4.7-5.4.mga4

from apache-2.4.7-5.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-10 19:04:20 CET 
LWN reference for CVE-2014-3581:
http://lwn.net/Vulnerabilities/625491/
Comment 2 Herman Viaene 2014-12-11 13:48:18 CET 
MGA4-64 on HP Probook 6555b
Installed packages, no problem.
Basically, http runs, can be stopped and started and responds to http://localhost:80

CC: (none) => herman.viaene

Comment 3 William Kenney 2014-12-11 20:23:09 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.i586 is already installed
[root@shermanm4 wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.i586 is already installed

Apache works on localhost and is accessable from another system on the LAN

install apache & apache-mod_userdir from updates_testing
stop and restart apache

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.i586 is already installed

Apache works on localhost and is accessable from another system on the LAN
apache-mod_session apache-mod_ssl apache-mod_dbd apache-doc and their associated
packages install without a problem.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2014-12-11 20:23:29 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.x86_64 is already installed

Apache works on localhost and is accessable from another system on the LAN

install apache & apache-mod_userdir from updates_testing
stop and restart apache

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.x86_64 is already installed

Apache works on localhost and is accessable from another system on the LAN
apache-mod_session apache-mod_ssl apache-mod_dbd apache-doc and their associated
packages install without a problem.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 5 William Kenney 2014-12-11 20:24:16 CET 
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2014-12-12 00:47:26 CET 
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2014-12-13 21:16:41 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0527.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED