Bug 15428

Summary: apache new security issue CVE-2015-0228
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/635487/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: apache-2.4.7-5.5.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-03-04 20:22:10 CET 
OpenSuSE has issued an advisory today (March 4):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

This is yet another mod_lua issue, like our last update (Bug 14916).

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-04 20:22:21 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-03-05 22:14:16 CET 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

In the mod_lua module in the Apache HTTP Server through 2.4.10, a maliciously
crafted websockets PING after a script calls r:wsupgrade() can cause a child
process crash (CVE-2015-0228).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.6.mga4
apache-mod_dav-2.4.7-5.6.mga4
apache-mod_ldap-2.4.7-5.6.mga4
apache-mod_session-2.4.7-5.6.mga4
apache-mod_cache-2.4.7-5.6.mga4
apache-mod_proxy-2.4.7-5.6.mga4
apache-mod_proxy_html-2.4.7-5.6.mga4
apache-mod_suexec-2.4.7-5.6.mga4
apache-mod_userdir-2.4.7-5.6.mga4
apache-mod_ssl-2.4.7-5.6.mga4
apache-mod_dbd-2.4.7-5.6.mga4
apache-htcacheclean-2.4.7-5.6.mga4
apache-devel-2.4.7-5.6.mga4
apache-doc-2.4.7-5.6.mga4

from apache-2.4.7-5.6.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 2 claire robinson 2015-03-06 15:43:28 CET 
No PoC so just checking with various webapps.

Whiteboard: (none) => has_procedure

Comment 3 William Kenney 2015-03-06 16:11:06 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.88/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.6.mga4.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.88/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-03-06 16:11:26 CET

Whiteboard: has_procedure => has_procedure MGA4-32-OK

William Kenney 2015-03-06 16:12:27 CET

Whiteboard: has_procedure MGA4-32-OK => has_procedure

Comment 4 William Kenney 2015-03-06 16:26:07 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.130/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.6.mga4.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.130/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 5 William Kenney 2015-03-06 16:26:23 CET 
This looks good to me.
Comment 6 claire robinson 2015-03-06 17:19:46 CET 
Adding the OK's, tested this also with phpmyadmin, wordpress etc

Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2015-03-06 17:49:10 CET 
Validating. Advisory uploaded,

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-03-06 19:09:43 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0099.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED