| Summary: | apache new security issues CVE-2020-1927 and CVE-2020-1934 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, shlomif, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | apache-2.4.41-4.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-04-02 03:10:48 CEST

David Walser
2020-04-02 03:11:08 CEST
Whiteboard: (none) => MGA7TOO

The fixes are actually in 2.4.43: https://downloads.apache.org/httpd/CHANGES_2.4.43
Status comment: Fixed upstream in 2.4.42 => Fixed upstream in 2.4.43

Assigning to Shlomi as registered maintainer, CC Thomas as recent committer.
CC: (none) => tmb

apache-2.4.43-1.mga8 uploaded for Cauldron by Shlomi.
Whiteboard: MGA7TOO => (none)

(In reply to David Walser from comment #3)
> apache-2.4.43-1.mga8 uploaded for Cauldron by Shlomi.

I've now submitted apache-2.4.43 for mga7/updates-testing too, let's see how it goes:
http://pkgsubmit.mageia.org/

Advisory:
========================

Updated apache packages fix security vulnerabilities:

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL (CVE-2020-1927).

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (CVE-2020-1934).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
http://www.apache.org/dist/httpd/CHANGES_2.4.43
https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.43-1.mga7
apache-mod_dav-2.4.43-1.mga7
apache-mod_ldap-2.4.43-1.mga7
apache-mod_session-2.4.43-1.mga7
apache-mod_cache-2.4.43-1.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_proxy_html-2.4.43-1.mga7
apache-mod_suexec-2.4.43-1.mga7
apache-mod_userdir-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
apache-mod_dbd-2.4.43-1.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_brotli-2.4.43-1.mga7
apache-htcacheclean-2.4.43-1.mga7
apache-devel-2.4.43-1.mga7
apache-doc-2.4.43-1.mga7

from apache-2.4.43-1.mga7.src.rpm
CC: (none) => shlomif

Installed and tested without issues.
Tests revealed no regressions.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 19:06:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.16-1.mga7
apache-mod_ssl-2.4.43-1.mga7
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-04-07 12:12:52 WEST; 39s ago
Main PID: 9552 (httpd)
Status: "Total requests: 2; Idle/Busy workers 100/0;Requests/sec: 0.0513; Bytes served/sec: 2.4KB/sec"
Memory: 33.3M
CGroup: /system.slice/httpd.service
├─9552 /usr/sbin/httpd -DFOREGROUND
├─9553 /usr/sbin/httpd -DFOREGROUND
├─9554 /usr/sbin/httpd -DFOREGROUND
├─9555 /usr/sbin/httpd -DFOREGROUND
├─9556 /usr/sbin/httpd -DFOREGROUND
├─9557 /usr/sbin/httpd -DFOREGROUND
└─9562 /usr/sbin/httpd -DFOREGROUND
Apr 07 12:12:52 marte systemd[1]: Starting The Apache HTTP Server...
Apr 07 12:12:52 marte systemd[1]: Started The Apache HTTP Server.
CC: (none) => mageia

MGA7-64 Plasma on lenovo B50
No installation issues
At CLI:
# systemctl start httpd
# systemctl status -l httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-04-07 14:34:29 CEST; 17s ago
Main PID: 21581 (httpd)
Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
Memory: 32.3M
CGroup: /system.slice/httpd.service
├─21581 /usr/sbin/httpd -DFOREGROUND
├─21583 /usr/sbin/httpd -DFOREGROUND
├─21584 /usr/sbin/httpd -DFOREGROUND
├─21589 /usr/sbin/httpd -DFOREGROUND
├─21594 /usr/sbin/httpd -DFOREGROUND
├─21599 /usr/sbin/httpd -DFOREGROUND
└─21604 /usr/sbin/httpd -DFOREGROUND
Apr 07 14:34:29 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Apr 07 14:34:29 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
Pointed browser to localhost: It works!
[root@mach5 ~]# systemctl start mysqld
And then exercised apache by running phpmyadmin: all OK.
CC: (none) => herman.viaene

Two OK tests for x86_64 and two weeks of usage without issues, so I'm OKing this to push it forward. Feel free to unOK it if you think it's appropriate.
Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
Thomas Backlund
2020-04-15 10:58:04 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0166.html
Resolution: (none) => FIXED

This update also fixed CVE-2020-1938:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006719.html
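A scripted version of the check the two testers did by hand above (`rpm -qa | grep apache`, then reading the versions by eye), as an added example that is not from the bug thread and not part of Mageia's QA tooling. It takes the package list and fixed build (2.4.43-1.mga7) from the advisory, ignores the unrelated packages the grep also matches (apache-commons-*, apache-mod_php), and compares versions the way rpm does rather than as strings, so 2.4.9 is correctly seen as older than 2.4.43. The helper names (rpm_vercmp, parse_nvr, find_unfixed), the simplified rpmvercmp, and the sample `rpm -qa` lines are my own assumptions; on a real host, pipe the output of `rpm -qa` into find_unfixed.

```python
"""Check installed Mageia apache subpackages against the fixed build from the
advisory (apache-2.4.43-1.mga7 and its subpackages).

Added example, not part of the bug thread or of Mageia's own tooling. Runs
offline on constructed `rpm -qa` output; helper names and sample lines are
assumptions made for the example.
"""
import re

# Package set and fixed build taken from the advisory in the thread
# ("Updated packages in core/updates_testing"). Only these are in the update.
FIXED_VERSION = "2.4.43"
FIXED_RELEASE = "1.mga7"
UPDATED_PACKAGES = {
    "apache", "apache-mod_dav", "apache-mod_ldap", "apache-mod_session",
    "apache-mod_cache", "apache-mod_proxy", "apache-mod_proxy_html",
    "apache-mod_suexec", "apache-mod_userdir", "apache-mod_ssl",
    "apache-mod_dbd", "apache-mod_http2", "apache-mod_brotli",
    "apache-htcacheclean", "apache-devel", "apache-doc",
}

# Constructed sample of `rpm -qa | grep apache` on a partly updated mga7 host
# (not real output from the thread). apache-mod_php and apache-commons-* are
# unrelated packages the grep also matches; apache-mod_ssl is still on a
# 2.4.41 build and apache-mod_proxy on a build whose version sorts wrong
# if compared as a string.
SAMPLE_RPM_QA = """\
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.16-1.mga7
apache-mod_ssl-2.4.41-4.mga7
apache-mod_proxy-2.4.9-1.mga7
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings for the common cases
    (no epoch, no tilde/caret): split into digit and letter runs, compare
    numbers numerically and letters lexically, and treat a numeric segment
    as newer than an alphabetic one. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1  # numeric beats alpha, as in rpm
        elif x != y:
            return (x > y) - (x < y)
    # Equal prefix: whichever has segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(nvr: str):
    """Split 'name-version-release' into its parts. The name itself may
    contain dashes (apache-mod_ssl), so split from the right. Assumes the
    Mageia default `rpm -qa` format seen in the thread (no arch suffix)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def find_unfixed(rpm_qa_output: str) -> dict:
    """Return {name: installed 'version-release'} for every package from the
    advisory's list that is older than the fixed build. Packages not in
    that list are ignored even if their name contains 'apache'."""
    unfixed = {}
    for line in rpm_qa_output.split():
        name, ver, rel = parse_nvr(line)
        if name not in UPDATED_PACKAGES:
            continue
        cmp = rpm_vercmp(ver, FIXED_VERSION) or rpm_vercmp(rel, FIXED_RELEASE)
        if cmp < 0:
            unfixed[name] = f"{ver}-{rel}"
    return unfixed


if __name__ == "__main__":
    for name, vr in sorted(find_unfixed(SAMPLE_RPM_QA).items()):
        print(f"{name}: installed {vr}, need >= {FIXED_VERSION}-{FIXED_RELEASE}")
```

The version comparison deliberately follows rpm's segment rules instead of a string or float compare: the tester's own `rpm -qa` output shows why, since a lexical sort would put 2.4.9 after 2.4.43. Packages that are installed but absent from the advisory list (apache-mod_php, apache-commons-io) are neither flagged nor vouched for; they simply are not part of this update.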