Bug 27736

Summary: cherokee new security issue CVE-2020-12845
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED
Resolution: FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, brtians1, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-12845
Whiteboard: MGA7-64-OK
Source RPM: cherokee-1.2.103-17.mga7.src.rpm
CVE: CVE-2020-12845
Status comment:

Description Zombie Ryushu 2020-12-04 10:52:16 CET
Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereference. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.
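The failure mode above, a header that parses to something NULL and is then handed to a buffer-append routine, is what a validating parser avoids by rejecting every malformed form before anything is appended. The following is an added illustration and not Cherokee's code or the upstream fix; buffer_add, scheme_is_basic, parse_basic_authorization and basic_header_is_wellformed are hypothetical names chosen here.

```c
/* Added illustration, not Cherokee's code: a Basic Authorization parser in which
 * every failure path returns before the buffer-append helper is ever reached. */
#include <ctype.h>
#include <string.h>

typedef enum { AUTH_OK = 0, AUTH_MALFORMED = -1 } auth_ret_t;
/* Stand-in for a buffer-append helper: rejects NULL and overflow instead of faulting. */
static int buffer_add(char *dst, size_t cap, const char *src, size_t len)
{
    if (dst == NULL || src == NULL || len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}
/* Case-insensitive scheme match (RFC 7235); stops at the first mismatch,
 * so a header shorter than "basic" is never read past its terminating NUL. */
static int scheme_is_basic(const char *h)
{
    for (int i = 0; i < 5; i++)
        if (tolower((unsigned char)h[i]) != "basic"[i])
            return 0;
    return 1;
}
/* Copies the base64 token of "Basic <token>" into out (capacity cap). Returns
 * AUTH_MALFORMED, leaving out untouched, for a NULL header, another scheme, a
 * missing token, non-base64 characters, or trailing junk after the token. */
auth_ret_t parse_basic_authorization(const char *header, char *out, size_t cap)
{
    if (header == NULL || out == NULL || !scheme_is_basic(header) || header[5] != ' ')
        return AUTH_MALFORMED;
    const char *p = header + 5;
    while (*p == ' ') p++;
    if (*p == '\0')                                  /* "Basic " with no token */
        return AUTH_MALFORMED;
    const char *tok = p;
    for (; *p != '\0' && *p != ' ' && *p != '\r' && *p != '\n'; p++)
        if (!isalnum((unsigned char)*p) && *p != '+' && *p != '/' && *p != '=')
            return AUTH_MALFORMED;
    size_t len = (size_t)(p - tok);
    while (*p == ' ' || *p == '\r' || *p == '\n') p++;
    if (*p != '\0')                                  /* second token or junk */
        return AUTH_MALFORMED;
    return buffer_add(out, cap, tok, len) == 0 ? AUTH_OK : AUTH_MALFORMED;
}
/* Accept/reject view for callers that do not need the token itself. */
int basic_header_is_wellformed(const char *header)
{
    char cred[256];
    return parse_basic_authorization(header, cred, sizeof cred) == AUTH_OK;
}
```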
Comment 1 David Walser 2020-12-04 13:36:04 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12845

Package dropped in Cauldron.

Summary: cherokee security vulnerability CVE-2020-12845 => cherokee new security issue CVE-2020-12845
Source RPM: cherokee => cherokee-1.2.103-17.mga7.src.rpm

Aurelien Oudelet 2020-12-07 10:38:02 CET

Assignee: bugsquad => shlomif

Comment 2 Aurelien Oudelet 2020-12-07 10:38:27 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien

David Walser 2020-12-27 23:48:27 CET

Assignee: shlomif => pkg-bugs

Comment 3 David Walser 2020-12-28 19:12:32 CET
Fixes here:
https://github.com/cherokee/webserver/pull/1243

Status comment: (none) => Patches available in pull request upstream

Comment 4 Nicolas Salguero 2020-12-29 12:41:16 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereference. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest. (CVE-2020-12845)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12845
========================

Updated packages in core/updates_testing:
========================
cherokee-1.2.103-17.1.mga7
cget-1.2.103-17.1.mga7
lib(64)cherokee-base0-1.2.103-17.1.mga7
lib(64)cherokee-client0-1.2.103-17.1.mga7
lib(64)cherokee-server0-1.2.103-17.1.mga7
cherokee-devel-1.2.103-17.1.mga7

from SRPM:
cherokee-1.2.103-17.1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Patches available in pull request upstream => (none)
CVE: (none) => CVE-2020-12845
Assignee: pkg-bugs => qa-bugs

Comment 5 Brian Rockwell 2021-01-08 20:15:10 CET
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


The following 31 packages are going to be installed:

- cget-1.2.103-17.1.mga7.x86_64
- cherokee-1.2.103-17.1.mga7.x86_64
- cherokee-devel-1.2.103-17.1.mga7.x86_64
- lib64cherokee-base0-1.2.103-17.1.mga7.x86_64
- lib64cherokee-client0-1.2.103-17.1.mga7.x86_64
- lib64cherokee-server0-1.2.103-17.1.mga7.x86_64
- lib64dbi1-0.9.0-7.mga7.x86_64
- lib64pcre-devel-8.44-1.mga7.x86_64
- lib64pcre16_0-8.44-1.mga7.x86_64
- lib64pcre32_0-8.44-1.mga7.x86_64
- lib64php_common7-7.4.12-1.mga7.x86_64
- lib64rrdtool8-1.7.1-1.mga7.x86_64
- php-cgi-7.4.12-1.mga7.x86_64
- php-ctype-7.4.12-1.mga7.x86_64
- php-dom-7.4.12-1.mga7.x86_64
- php-filter-7.4.12-1.mga7.x86_64
- php-ftp-7.4.12-1.mga7.x86_64
- php-gettext-7.4.12-1.mga7.x86_64
- php-ini-7.4.12-1.mga7.x86_64
- php-json-7.4.12-1.mga7.x86_64
- php-openssl-7.4.12-1.mga7.x86_64
- php-posix-7.4.12-1.mga7.x86_64
- php-session-7.4.12-1.mga7.x86_64
- php-sysvsem-7.4.12-1.mga7.x86_64
- php-sysvshm-7.4.12-1.mga7.x86_64
- php-tokenizer-7.4.12-1.mga7.x86_64
- php-xmlreader-7.4.12-1.mga7.x86_64
- php-xmlwriter-7.4.12-1.mga7.x86_64
- php-zlib-7.4.12-1.mga7.x86_64
- rrdtool-1.7.1-1.mga7.x86_64
- webserver-base-2.0-12.mga7.noarch

--

Started services.

--

Go to 127.0.0.1 and see the following:

This page is used to test the proper operation of the Cherokee Web Server after it has been installed. If you can read this page, it means that the Cherokee Web Server installed at this site is working properly.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 6 Thomas Andrews 2021-01-08 23:15:09 CET
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Aurelien Oudelet 2021-01-10 18:38:01 CET
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-01-10 20:47:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0019.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED