| Summary: | mod_proxy reverse proxy exposure (CVE-2011-3368) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Vigier <boklm> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | dmorganec, luigiwalser, qa-bugs, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | apache | CVE: | |
| Status comment: | |||
|
Description
Nicolas Vigier
2011-10-06 00:59:25 CEST
Assign to dmorgan (as maintainer of apache) Assignee:
bugsquad =>
dmorganec Ping ? Ping ? Ping ? Mandriva's patch (might be the same one): http://svn.mandriva.com/svn/packages/cooker/apache/current/SOURCES/httpd-2.2.21-CVE-2011-3368.diff Advisory: http://lists.mandriva.com/security-announce/2011-10/msg00017.php It looks like this one is valid for current Cauldron too. CC:
(none) =>
luigiwalser Please test new rpm in updates_testing Assignee:
dmorganec =>
qa-bugs apache update works for me on i586. I tested it by accessing a CGI. I didn't test mod_proxy itself. D Morgan, I just found out we're missing a patch. The patch is here: http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html It actually applies to another patch (patch100). The advisory from March 31 is here: http://lists.mandriva.com/security-announce/2011-03/msg00016.php CC:
(none) =>
dmorganec
Manuel Hiebel
2012-01-01 13:13:57 CET
CC:
(none) =>
qa-bugs The following 6 packages are going to be installed: - apache-base-2.2.17-5.6.mga1.x86_64 - apache-modules-2.2.17-5.6.mga1.x86_64 - apache-mod_dav-2.2.17-5.6.mga1.x86_64 - apache-mod_ssl-2.2.17-5.6.mga1.x86_64 - apache-mod_userdir-2.2.17-5.6.mga1.x86_64 - apache-mpm-prefork-2.2.17-5.6.mga1.x86_64 Testing complete x86_64 using phpmyadmin and zoneminder Requires re-testing i586. apache works fine for me on i586. I didn't test mod_proxy or mpm-itk. Validating the update Advisory ----------------- This is a security update for Apache tackling 2 vulnerabilities. CVE-2011-3368 The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. CVE-2011-1176 The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1176 ----------------- SRPM: apache-2.2.17-5.6.mga1.src.rpm Could sysadmin please push from core/updates_testing to core/updates Thankyou! Keywords:
(none) =>
validated_update
David Walser
2012-01-08 00:03:23 CET
Assignee:
qa-bugs =>
sysadmin-bugs Reassigning QA so it doesn't get lost. David please see:- https://wiki.mageia.org/en/QA_process_for_validating_updates#Assign :) Assignee:
sysadmin-bugs =>
qa-bugs Update pushed. Status:
NEW =>
RESOLVED |