Bug 29087

Apache is maintained by different people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Update in progress by Nicholas Salguero.  Strange build errors on Mageia 7 and Cauldron.

CC: (none) => nicolas.salguero

Cauldron only need apr to be rebuilt for new gcc triplet (just submitted)

Mga7 looks like an openssl issue

Cauldron built

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

looks like a quick fix for mga7 would be something like this:
https://github.com/apache/httpd/commit/f0852ebab7b28c1bc1c0c96ce2018a908a8a1ad5#diff-6f2659149b005597e500f4589ef55b409280fab91d9f69be57b96dbb1d2da0ef

Mga8 rpms:

SRPMS:
apache-2.4.48-1.mga8.src.rpm


i586:
apache-2.4.48-1.mga8.i586.rpm
apache-devel-2.4.48-1.mga8.i586.rpm
apache-doc-2.4.48-1.mga8.noarch.rpm
apache-htcacheclean-2.4.48-1.mga8.i586.rpm
apache-mod_brotli-2.4.48-1.mga8.i586.rpm
apache-mod_cache-2.4.48-1.mga8.i586.rpm
apache-mod_dav-2.4.48-1.mga8.i586.rpm
apache-mod_dbd-2.4.48-1.mga8.i586.rpm
apache-mod_http2-2.4.48-1.mga8.i586.rpm
apache-mod_ldap-2.4.48-1.mga8.i586.rpm
apache-mod_proxy-2.4.48-1.mga8.i586.rpm
apache-mod_proxy_html-2.4.48-1.mga8.i586.rpm
apache-mod_session-2.4.48-1.mga8.i586.rpm
apache-mod_ssl-2.4.48-1.mga8.i586.rpm
apache-mod_suexec-2.4.48-1.mga8.i586.rpm
apache-mod_userdir-2.4.48-1.mga8.i586.rpm


x86_64:
apache-2.4.48-1.mga8.x86_64.rpm
apache-devel-2.4.48-1.mga8.x86_64.rpm
apache-doc-2.4.48-1.mga8.noarch.rpm
apache-htcacheclean-2.4.48-1.mga8.x86_64.rpm
apache-mod_brotli-2.4.48-1.mga8.x86_64.rpm
apache-mod_cache-2.4.48-1.mga8.x86_64.rpm
apache-mod_dav-2.4.48-1.mga8.x86_64.rpm
apache-mod_dbd-2.4.48-1.mga8.x86_64.rpm
apache-mod_http2-2.4.48-1.mga8.x86_64.rpm
apache-mod_ldap-2.4.48-1.mga8.x86_64.rpm
apache-mod_proxy-2.4.48-1.mga8.x86_64.rpm
apache-mod_proxy_html-2.4.48-1.mga8.x86_64.rpm
apache-mod_session-2.4.48-1.mga8.x86_64.rpm
apache-mod_ssl-2.4.48-1.mga8.x86_64.rpm
apache-mod_suexec-2.4.48-1.mga8.x86_64.rpm
apache-mod_userdir-2.4.48-1.mga8.x86_64.rpm

Assignee: pkg-bugs => qa-bugs

Mga7 rpms:

SRPMS:
apache-2.4.48-1.mga7.src.rpm


i586:
apache-2.4.48-1.mga7.i586.rpm
apache-devel-2.4.48-1.mga7.i586.rpm
apache-doc-2.4.48-1.mga7.noarch.rpm
apache-htcacheclean-2.4.48-1.mga7.i586.rpm
apache-mod_brotli-2.4.48-1.mga7.i586.rpm
apache-mod_cache-2.4.48-1.mga7.i586.rpm
apache-mod_dav-2.4.48-1.mga7.i586.rpm
apache-mod_dbd-2.4.48-1.mga7.i586.rpm
apache-mod_http2-2.4.48-1.mga7.i586.rpm
apache-mod_ldap-2.4.48-1.mga7.i586.rpm
apache-mod_proxy-2.4.48-1.mga7.i586.rpm
apache-mod_proxy_html-2.4.48-1.mga7.i586.rpm
apache-mod_session-2.4.48-1.mga7.i586.rpm
apache-mod_ssl-2.4.48-1.mga7.i586.rpm
apache-mod_suexec-2.4.48-1.mga7.i586.rpm
apache-mod_userdir-2.4.48-1.mga7.i586.rpm


x86_64:
apache-2.4.48-1.mga7.x86_64.rpm
apache-devel-2.4.48-1.mga7.x86_64.rpm
apache-doc-2.4.48-1.mga7.noarch.rpm
apache-htcacheclean-2.4.48-1.mga7.x86_64.rpm
apache-mod_brotli-2.4.48-1.mga7.x86_64.rpm
apache-mod_cache-2.4.48-1.mga7.x86_64.rpm
apache-mod_dav-2.4.48-1.mga7.x86_64.rpm
apache-mod_dbd-2.4.48-1.mga7.x86_64.rpm
apache-mod_http2-2.4.48-1.mga7.x86_64.rpm
apache-mod_ldap-2.4.48-1.mga7.x86_64.rpm
apache-mod_proxy-2.4.48-1.mga7.x86_64.rpm
apache-mod_proxy_html-2.4.48-1.mga7.x86_64.rpm
apache-mod_session-2.4.48-1.mga7.x86_64.rpm
apache-mod_ssl-2.4.48-1.mga7.x86_64.rpm
apache-mod_suexec-2.4.48-1.mga7.x86_64.rpm
apache-mod_userdir-2.4.48-1.mga7.x86_64.rpm

MGA7-i586 

The following 2 packages are going to be installed:

- apache-2.4.48-1.mga7.i586
- apache-doc-2.4.48-1.mga7.noarch


--restarted httpd services

Confirmed nextcloud web-pages are displaying and behaving.

Whiteboard: MGA7TOO => MGA7TOO MGA7-32-OK
CC: (none) => brtians1

Installed and tested without issues.

Tested:
- systemd socket activation;
- server status;
- custom logs;
- HTTP 1.1;
- HTTP 2;
- HTTP 1.1 upgrade to HTTP 2;
- HTTPS with SNI;
- SSL test using https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- multiple PHP scripts;
- mod_rewrite;
- mod_security.

All is working as expected. No regressions noticed.


System: Mageia 7, x86_64, Intel CPU.

$ PS1="$ "
$ uname -a
Linux marte 5.10.43-desktop-1.mga7 #1 SMP Fri Jun 11 07:28:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.48-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.48-1.mga7
apache-mod_php-7.3.28-1.mga7
apache-mod_proxy-2.4.48-1.mga7
apache-mod_ssl-2.4.48-1.mga7
$ systemctl status httpd.socket httpd.service 
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-06-13 10:55:37 WEST; 3h 50min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4668)
   Memory: 8.0K
   CGroup: /system.slice/httpd.socket

jun 13 10:55:37 marte systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-06-13 11:47:12 WEST; 2h 58min ago
 Main PID: 3666 (httpd)
   Status: "Total requests: 923; Idle/Busy workers 100/0;Requests/sec: 0.0861; Bytes served/sec: 1.4KB/sec"
    Tasks: 66 (limit: 4668)
   Memory: 42.2M
   CGroup: /system.slice/httpd.service
           ├─3666 /usr/sbin/httpd -DFOREGROUND
           ├─3667 /usr/sbin/httpd -DFOREGROUND
           └─3668 /usr/sbin/httpd -DFOREGROUND

jun 13 11:47:11 marte systemd[1]: Starting The Apache HTTP Server...
jun 13 11:47:12 marte systemd[1]: Started The Apache HTTP Server.

CC: (none) => mageia
Whiteboard: MGA7TOO MGA7-32-OK => MGA7TOO MGA7-32-OK MGA7-64-OK

MGA8 64

apache-2.4.46-2.mga8 already installed serving a intern Wordpress CMS.

Upgrading existing installation using QA Repo and RPM list from Comment 7.

Restarting Apache. Wordpress still well serviced.


MGA8-64-OK

CC: (none) => ouaurelien
Status comment: Fixed upstream in 2.4.48 => (none)
CVE: (none) => CVE-2019-17567, CVE-2020-13950, CVE-2020-35452, CVE-2021-2669[01], CVE-2021-30641, CVE-2021-31618
Whiteboard: MGA7TOO MGA7-32-OK MGA7-64-OK => MGA7TOO MGA7-32-OK MGA7-64-OK MGA8-64-OK

Advisory:
========================

Updated apache packages fix security vulnerabilities:

mod_proxy_wstunnel tunneling of non Upgraded connections: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. (CVE-2019-17567).
    
mod_proxy_http NULL pointer dereference: Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service (CVE-2020-13950).

mod_auth_digest possible stack overflow by one nul byte: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow (CVE-2020-35452).

mod_session NULL pointer dereference: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690).

mod_session response handling heap overflow: Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted SessionHeader sent by an origin server could cause a heap overflow (CVE-2021-26691).

Unexpected URL matching with 'MergeSlashes OFF': Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'(CVE-2021-30641).

NULL pointer dereference on specially crafted HTTP/2 request: Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released. (CVE-2021-31618).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29087
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567    
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
 - https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in 7/core/updates_testing:
========================
apache-2.4.48-1.mga7
apache-devel-2.4.48-1.mga7
apache-doc-2.4.48-1.mga7
apache-htcacheclean-2.4.48-1.mga7
apache-mod_brotli-2.4.48-1.mga7
apache-mod_cache-2.4.48-1.mga7
apache-mod_dav-2.4.48-1.mga7
apache-mod_dbd-2.4.48-1.mga7
apache-mod_http2-2.4.48-1.mga7
apache-mod_ldap-2.4.48-1.mga7
apache-mod_proxy-2.4.48-1.mga7
apache-mod_proxy_html-2.4.48-1.mga7
apache-mod_session-2.4.48-1.mga7
apache-mod_ssl-2.4.48-1.mga7
apache-mod_suexec-2.4.48-1.mga7
apache-mod_userdir-2.4.48-1.mga7

from SRPM:
apache-2.4.48-1.mga7.src.rpm

========================

Updated packages in 8/core/updates_testing:
========================
apache-2.4.48-1.mga8
apache-devel-2.4.48-1.mga8
apache-doc-2.4.48-1.mga8
apache-htcacheclean-2.4.48-1.mga8
apache-mod_brotli-2.4.48-1.mga8
apache-mod_cache-2.4.48-1.mga8
apache-mod_dav-2.4.48-1.mga8
apache-mod_dbd-2.4.48-1.mga8
apache-mod_http2-2.4.48-1.mga8
apache-mod_ldap-2.4.48-1.mga8
apache-mod_proxy-2.4.48-1.mga8
apache-mod_proxy_html-2.4.48-1.mga8
apache-mod_session-2.4.48-1.mga8
apache-mod_ssl-2.4.48-1.mga8
apache-mod_suexec-2.4.48-1.mga8
apache-mod_userdir-2.4.48-1.mga8

from SRPM:
apache-2.4.48-1.mga8.src.rpm
========================

Validating.

Source RPM: apache-2.4.46-3.mga9.src.rpm => apache-2.4.46-2.mga8.src.rpm
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0265.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

This update also fixed CVE-2021-33193:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ML464OXXVITHCRNCGTP3DMIAYMJEHJEO/