| Summary: | apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679, CVE-2017-9788 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | Triaged, advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/710214/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | apache-2.4.10-16.4.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 21500 | ||
| Bug Blocks: | |||
|
Description
David Walser
2016-12-22 00:17:38 CET
David Walser
2016-12-22 00:18:21 CET
Whiteboard:
(none) =>
MGA5TOO Assigning to the registered apache maintainer Keywords:
(none) =>
Triaged CVE-2016-8740 had already been fixed in Cauldron, and CVE-2016-5387 had already been fixed in Mageia 5. Shlomi has updated Cauldron to 2.4.25. Version:
Cauldron =>
5
David Walser
2016-12-26 18:56:41 CET
URL:
(none) =>
https://lwn.net/Vulnerabilities/710214/ openSUSE has issued an advisory for this on March 31: https://lists.opensuse.org/opensuse-updates/2017-03/msg00117.html Apache HTTPD 2.4.26 has been announced on June 19: http://www.apache.org/dist/httpd/Announcement2.4.html The full changelog is here: http://www.apache.org/dist/httpd/CHANGES_2.4.26 Details on security issues: http://httpd.apache.org/security/vulnerabilities_24.html This adds a few more issues affecting Mageia 5. CVE-2017-7659 and CVE-2017-7668 only affect Cauldron. Whiteboard:
(none) =>
MGA5TOO Individual advisories including some patch links: http://openwall.com/lists/oss-security/2017/06/19/5 http://openwall.com/lists/oss-security/2017/06/19/10 http://openwall.com/lists/oss-security/2017/06/19/11 http://openwall.com/lists/oss-security/2017/06/19/12 http://openwall.com/lists/oss-security/2017/06/19/13 apache-2.4.26-1.mga6 uploaded for Cauldron by Shlomi. Thanks! Whiteboard:
MGA5TOO =>
(none) Debian has issued an advisory for this on June 22: https://www.debian.org/security/2017/dsa-3896 Apache 2.4.27 has been announced on July 11: http://www.apache.org/dist/httpd/Announcement2.4.html It fixes two new security issues: https://httpd.apache.org/security/vulnerabilities_24.html CVE-2017-9789 only affects Mageia 6; CVE-2017-9788 also affects Mageia 5. Whiteboard:
(none) =>
MGA6TOO, MGA5TOO Fedora has issued an advisory for the latest issues today (July 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5OCNPRR7PTGFKVGZGDQIFDT3R2ZLA2C/ apache-2.4.27-1.mga6 uploaded for Cauldron by Shlomi. Whiteboard:
MGA6TOO, MGA5TOO =>
MGA5TOO Debian has issued an advisory for CVE-2017-9788 on July 18: https://www.debian.org/security/2017/dsa-3913 pushed in updates_testing of mageia6
src.rpm:
apache-2.4.27-1.mga6CC:
(none) =>
mageia
David Walser
2017-08-11 14:17:41 CEST
Depends on:
(none) =>
21500 Mageia 6 moved to Bug 21500. Version:
6 =>
5 Despite the statement from upstream, Debian added a patch for CVE-2017-7668, so I've included that. Advisory: ======================== Updated apache packages fix security vulnerabilities: mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC (CVE-2016-0736). Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests (CVE-2016-2161). Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed (CVE-2017-3167). Vasileios Panopoulos of AdNovum Informatik AG discovered that mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to a denial of service (CVE-2017-3169). Javier Jimenez reported that the HTTP strict parsing contains a flaw leading to a buffer overread in ap_find_token(). A remote attacker can take advantage of this flaw by carefully crafting a sequence of request headers to cause a segmentation fault, or to force ap_find_token() to return an incorrect value (CVE-2017-7668). ChenQin and Hanno Boeck reported that mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header (CVE-2017-7679). Robert Swiecki reported that mod_auth_digest does not properly initialize or reset the value placeholder in [Proxy-]Authorization headers of type "Digest" between successive key=value assignments, leading to information disclosure or denial of service (CVE-2017-9788). Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed (CVE-2017-9798). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 https://www.debian.org/security/2017/dsa-3896 https://www.debian.org/security/2017/dsa-3913 https://usn.ubuntu.com/usn/usn-3425-1/ https://httpd.apache.org/security/vulnerabilities_24.html ======================== Updated packages in core/updates_testing: ======================== apache-2.4.10-16.7.mga5 apache-mod_dav-2.4.10-16.7.mga5 apache-mod_ldap-2.4.10-16.7.mga5 apache-mod_session-2.4.10-16.7.mga5 apache-mod_cache-2.4.10-16.7.mga5 apache-mod_proxy-2.4.10-16.7.mga5 apache-mod_proxy_html-2.4.10-16.7.mga5 apache-mod_suexec-2.4.10-16.7.mga5 apache-mod_userdir-2.4.10-16.7.mga5 apache-mod_ssl-2.4.10-16.7.mga5 apache-mod_dbd-2.4.10-16.7.mga5 apache-htcacheclean-2.4.10-16.7.mga5 apache-devel-2.4.10-16.7.mga5 apache-doc-2.4.10-16.7.mga5 from apache-2.4.10-16.7.mga5.src.rpm Assignee:
shlomif =>
qa-bugs To prioritise.
Dave Hodgins
2017-12-31 07:35:36 CET
CC:
(none) =>
davidwhodgins After installing all of the packages, found that the line #LoadModule request_module modules/mod_request.so in /etc/httpd/conf/modules.d/00_base.conf had to be uncommented to get httpd to start. Working ok after that. Checked, and this is not a regression. Validating the update. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0007.html Resolution:
(none) =>
FIXED |