| Summary: | apache new security issues CVE-2017-978[89] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs, wilcal.int |
| Version: | 6 | Keywords: | Triaged, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/710214/ | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK advisory | ||
| Source RPM: | apache-2.4.26-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 20002 | ||
Description
David Walser
2017-08-11 14:17:41 CEST
Nicolas Lécureuil
2017-08-11 14:22:28 CEST
CC:
(none) =>
mageia

Advisory:
========================

Updated apache packages fix security vulnerabilities:

In Apache httpd before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service (CVE-2017-9788).

When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behavior (CVE-2017-9789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.27-1.mga6
apache-mod_dav-2.4.27-1.mga6
apache-mod_ldap-2.4.27-1.mga6
apache-mod_session-2.4.27-1.mga6
apache-mod_cache-2.4.27-1.mga6
apache-mod_proxy-2.4.27-1.mga6
apache-mod_proxy_html-2.4.27-1.mga6
apache-mod_suexec-2.4.27-1.mga6
apache-mod_userdir-2.4.27-1.mga6
apache-mod_ssl-2.4.27-1.mga6
apache-mod_dbd-2.4.27-1.mga6
apache-mod_http2-2.4.27-1.mga6
apache-htcacheclean-2.4.27-1.mga6
apache-devel-2.4.27-1.mga6
apache-doc-2.4.27-1.mga6

from apache-2.4.27-1.mga6.src.rpm

In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.149/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.149/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

CC:
(none) =>
wilcal.int

In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.144/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.144/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

I'm gonna validate this in 24-hours unless someone finds something.
William Kenney
2017-08-23 20:53:14 CEST
Whiteboard:
(none) =>
MGA6-32-OK MGA6-64-OK
Lewis Smith
2017-08-24 09:10:39 CEST
Whiteboard:
MGA6-32-OK MGA6-64-OK =>
MGA6-32-OK MGA6-64-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0298.html

Status:
NEW =>
RESOLVED
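
The mod_auth_digest flaw described in the advisory above (CVE-2017-9788), shown as an added example that is not part of this bug report and is not Apache httpd's code. It is a simplified key=value parser in which the `scratch` buffer stands in for pool memory reused from the prior request; the struct, function names and header strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOK 64
struct digest_rec { char username[TOK]; char nonce[TOK]; };

/* Simplified model of a Digest "key=value, ..." parser (not httpd's code).
 * reset_value=0 reproduces the flaw; reset_value=1 clears the placeholder. */
static void parse_digest(const char *p, char *scratch, int reset_value,
                         struct digest_rec *out)
{
    char key[TOK];
    memset(out, 0, sizeof *out);
    for (;;) {
        size_t n = 0;
        while (*p == ' ' || *p == ',') p++;
        while (*p && *p != '=' && *p != ',' && *p != ' ' && n < TOK - 1)
            key[n++] = *p++;
        key[n] = '\0';
        if (n == 0) break;                  /* end of header or empty token */
        if (reset_value) scratch[0] = '\0'; /* the fix: reset before each key */
        if (*p == '=') {                    /* only here is the value rewritten */
            char end = (p[1] == '"') ? '"' : ',';
            p += (end == '"') ? 2 : 1;
            for (n = 0; *p && *p != end && n < TOK - 1; n++) scratch[n] = *p++;
            scratch[n] = '\0';
            if (*p == '"') p++;
        }
        /* A key with no '=' reaches this point with whatever scratch held. */
        if (strcmp(key, "username") == 0) snprintf(out->username, TOK, "%s", scratch);
        else if (strcmp(key, "nonce") == 0) snprintf(out->nonce, TOK, "%s", scratch);
    }
}

/* Two constructed requests share one scratch buffer. Returns 1 when the
 * second request's username comes out equal to the first request's nonce. */
static int leaks_stale_value(int reset_value)
{
    char pool[TOK] = "";
    struct digest_rec r;
    parse_digest("username=\"alice\", nonce=\"constructed-secret\"", pool, reset_value, &r);
    parse_digest("username", pool, reset_value, &r);
    return strcmp(r.username, "constructed-secret") == 0;
}

int main(void)
{
    printf("no reset: leak=%d, with reset: leak=%d\n",
           leaks_stale_value(0), leaks_stale_value(1));
    return 0;
}
```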