Bug 16403

Summary: apache new security issues CVE-2015-3183 and CVE-2015-3185
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/651762/
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK has_procedure advisory
Source RPM: apache-2.4.7-5.6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-07-18 01:32:52 CEST 
Upstream has released version 2.4.16, fixing multiple security issues:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.16

Note that we already patched for CVE-2015-0228 earlier.

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-18 01:33:32 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-20 20:35:44 CEST 
CVE-2015-0253 was introduced in 2.4.11, therefore doesn't affect us.

URL: (none) => http://lwn.net/Vulnerabilities/651762/
Summary: apache new security issues CVE-2015-0253, CVE-2015-3183, and CVE-2015-3185 => apache new security issues CVE-2015-3183 and CVE-2015-3185

Comment 2 David Walser 2015-07-21 21:12:33 CEST 
Debian located these two commits to fix these issues:
http://svn.apache.org/viewvc?view=revision&revision=1684515
http://svn.apache.org/viewvc?view=revision&revision=1684525

apache-2.4.10-17.mga6 uploaded for Cauldron.

Updates for Mageia 4 and Mageia 5 are checked into SVN and will be built shortly.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Severity: normal => major

Comment 3 David Walser 2015-07-21 23:09:31 CEST 
Patched packages uploaded for Mageia 4 and Mageia 5.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

The chunked transfer coding implementation in the Apache HTTP Server before
2.4.14 does not properly parse chunk headers, which allows remote attackers to
conduct HTTP request smuggling attacks via a crafted request, related to
mishandling of large chunk-size values and invalid chunk-extension characters
in modules/http/http_filters.c (CVE-2015-3183).

The ap_some_auth_required function in server/request.c in the Apache HTTP
Server 2.4.x before 2.4.14 does not consider that a Require directive may be
associated with an authorization setting rather than an authentication setting,
which allows remote attackers to bypass intended access restrictions in
opportunistic circumstances by leveraging the presence of a module that relies
on the 2.2 API behavior (CVE-2015-3185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.7.mga4
apache-mod_dav-2.4.7-5.7.mga4
apache-mod_ldap-2.4.7-5.7.mga4
apache-mod_session-2.4.7-5.7.mga4
apache-mod_cache-2.4.7-5.7.mga4
apache-mod_proxy-2.4.7-5.7.mga4
apache-mod_proxy_html-2.4.7-5.7.mga4
apache-mod_suexec-2.4.7-5.7.mga4
apache-mod_userdir-2.4.7-5.7.mga4
apache-mod_ssl-2.4.7-5.7.mga4
apache-mod_dbd-2.4.7-5.7.mga4
apache-htcacheclean-2.4.7-5.7.mga4
apache-devel-2.4.7-5.7.mga4
apache-doc-2.4.7-5.7.mga4
apache-2.4.10-16.3.mga5
apache-mod_dav-2.4.10-16.3.mga5
apache-mod_ldap-2.4.10-16.3.mga5
apache-mod_session-2.4.10-16.3.mga5
apache-mod_cache-2.4.10-16.3.mga5
apache-mod_proxy-2.4.10-16.3.mga5
apache-mod_proxy_html-2.4.10-16.3.mga5
apache-mod_suexec-2.4.10-16.3.mga5
apache-mod_userdir-2.4.10-16.3.mga5
apache-mod_ssl-2.4.10-16.3.mga5
apache-mod_dbd-2.4.10-16.3.mga5
apache-htcacheclean-2.4.10-16.3.mga5
apache-devel-2.4.10-16.3.mga5
apache-doc-2.4.10-16.3.mga5

from SRPMS:
apache-2.4.7-5.7.mga4.src.rpm
apache-2.4.10-16.3.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Samuel Verschelde 2015-07-22 17:25:50 CEST 
Updates well.

Tested some webapps:  phpmyadmin, awstats, ampache (I didn't go further than the installation page), zoneminder.
Served a static web page:  OK.
Samuel Verschelde 2015-07-22 17:26:03 CEST

Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK has_procedure

Comment 5 David Walser 2015-07-22 23:27:34 CEST 
It might be worth looking for PoC information, which I haven't done, but a static page and CGI work fine for me on Mageia 4 i586.

Whiteboard: MGA4TOO MGA4-64-OK has_procedure => MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure

Dave Hodgins 2015-07-23 02:34:18 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure => MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure advisory

Comment 6 William Kenney 2015-07-23 19:09:23 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.mga5.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.143/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.3.mga5.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.143/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

Comment 7 William Kenney 2015-07-23 19:30:30 CEST 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.mga5.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.143/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.3.mga5.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.143/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64
Comment 8 William Kenney 2015-07-23 19:31:29 CEST 
For me this works fine. What say yee?
William Kenney 2015-07-23 19:31:51 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK has_procedure advisory

Comment 9 David Walser 2015-07-23 19:43:49 CEST 
It'd be nice if someone could do a quick check to see if there is any PoC or reproducing information on the CVEs.  If there isn't, go ahead and validate it.
Comment 10 Samuel Verschelde 2015-07-27 10:53:07 CEST 
I don't think we have resources for checking the POC right now unfortunately given all the updates awaiting testing, so I'm validating it.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-07-27 11:53:51 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0281.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED