Bug 31457

Summary: apache-mod_security new security issues CVE-2022-48279 and CVE-2023-24021
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, mageia, marja11, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=30977
Whiteboard: MGA8-64-OK
Source RPM: apache-mod_security-2.9.5-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-01-26 23:58:49 CET 
Debian-LTS has issued an advisory today (January 26):
https://www.debian.org/lts/security/2023/dla-3283

The issues are fixed upstream in 2.9.7.

Mageia 8 is also affected.
David Walser 2023-01-26 23:59:03 CET

Whiteboard: (none) => MGA8TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30977
Status comment: (none) => Fixed upstream in 2.9.7

Comment 1 Marja Van Waes 2023-02-04 23:10:46 CET 
Assigning to all packagers collectively, because there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-05-07 00:55:32 CEST 
Fedora has issued an advisory for this on April 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SYRTXTOQQI6SB2TLI5QXU76DURSLS4XI/

It also switches to pcre2, fixing other issues (see Bug 31791).
Comment 3 David GEIGER 2023-05-07 17:59:29 CEST 
Already done for cauldron.

$ mgarepo rpmlog apache-mod_security
* Sun Apr 16 2023 daviddavid <daviddavid> 1:2.9.7-1.mga9
+ Revision: 1953094
- new version: 2.9.7
- switch to pcre2 (mga#31791)

CC: (none) => geiger.david68210

Comment 4 David GEIGER 2023-05-07 18:10:23 CEST 
Done now for mga8.
Comment 5 David Walser 2023-05-07 19:41:37 CEST 
mlogc-2.9.7-1.mga8
apache-mod_security-2.9.7-1.mga8

from apache-mod_security-2.9.7-1.mga8.src.rpm

Source RPM: apache-mod_security-2.9.5-2.mga9.src.rpm => apache-mod_security-2.9.5-1.mga8.src.rpm
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.9.7 => (none)

PC LX 2023-05-11 23:57:04 CEST

CC: (none) => mageia

Comment 6 Herman Viaene 2023-05-17 11:34:58 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Test as in bug 29787
# httpd -M 2>/dev/null |grep security
 security2_module (shared)
is OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2023-05-17 13:50:33 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 02:47:48 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-05-21 10:44:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED