| Summary: | apache new security issue CVE-2024-27316 (HTTP/2 CONTINUATION Flood) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, mageia, smelror, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=33087 | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | apache-2.4.58-1.mga9.src.rpm | CVE: | CVE-2024-27316, CVE-2024-24795, CVE-2023-38709 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-04-04 10:35:53 CEST
Nicolas Salguero
2024-04-04 10:36:09 CEST
Whiteboard:
(none) =>
MGA9TOO
Problem: no solution is offered or in sight. Necessarily assigning to 'all' packagers pending a fix. CC'ing Stig who currently updates Apache.
Assignee:
bugsquad =>
pkg-bugs
Advisory
========
Apache has been updated to version 2.4.59 to fix CVE-2024-27316, CVE-2024-24795 and CVE-2023-38709.
CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)
CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.
CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE
References
==========
https://www.openwall.com/lists/oss-security/2024/04/03/16
https://nowotarski.info/http2-continuation-flood/
https://downloads.apache.org/httpd/CHANGES_2.4.59
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
Files
=====
Uploaded to core/updates_testing
apache-mod_proxy-2.4.59-1.mga9
apache-mod_http2-2.4.59-1.mga9
apache-devel-2.4.59-1.mga9
apache-mod_ssl-2.4.59-1.mga9
apache-mod_cache-2.4.59-1.mga9
apache-mod_dav-2.4.59-1.mga9
apache-mod_ldap-2.4.59-1.mga9
apache-mod_session-2.4.59-1.mga9
apache-mod_proxy_html-2.4.59-1.mga9
apache-mod_dbd-2.4.59-1.mga9
apache-htcacheclean-2.4.59-1.mga9
apache-mod_suexec-2.4.59-1.mga9
apache-mod_brotli-2.4.59-1.mga9
apache-mod_userdir-2.4.59-1.mga9
apache-2.4.59-1.mga9
apache-doc-2.4.59-1.mga9
from apache-2.4.59-1.mga9.src.rpm
Whiteboard:
MGA9TOO =>
(none)
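A defensive illustration of the CVE-2024-27316 description in the advisory above, added here and not part of the bug report or of Apache/nghttp2 code: a Python frame walker that totals HEADERS plus CONTINUATION bytes per stream and flags header blocks that grow past a limit or never end. The function names, the two limits and the sample bytes are assumptions constructed for the example.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                  # flag: header block is complete

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + 9 + length > len(buf):
            break                  # truncated capture: stop at the last whole frame
        yield ftype, flags, sid, length
        off += 9 + length

def oversized_header_blocks(buf, max_block_bytes=16384, max_continuations=8):
    """Return {stream_id: (bytes, continuation_frames)} for blocks over either limit.

    Limits are illustrative assumptions, not Apache or nghttp2 defaults.
    Payload length is used as an upper bound on the header fragment size
    (padding and priority fields in HEADERS are not subtracted).
    """
    open_blocks, flagged = {}, {}
    for ftype, flags, sid, length in iter_frames(buf):
        if ftype == HEADERS:
            open_blocks[sid] = [length, 0]
        elif ftype == CONTINUATION and sid in open_blocks:
            open_blocks[sid][0] += length
            open_blocks[sid][1] += 1
        else:
            continue
        size, conts = open_blocks[sid]
        if size > max_block_bytes or conts > max_continuations:
            flagged[sid] = (size, conts)
        if flags & END_HEADERS:
            del open_blocks[sid]   # block finished; stop tracking this stream
    return flagged

# Constructed sample traffic (not from a real capture).
NORMAL = frame(HEADERS, END_HEADERS, 1, b"h" * 120)
SPLIT_OK = frame(HEADERS, 0, 3, b"h" * 200) + frame(CONTINUATION, END_HEADERS, 3, b"h" * 100)
UNENDING = frame(HEADERS, 0, 5, b"h" * 100) + frame(CONTINUATION, 0, 5, b"h" * 100) * 12
SAMPLE = NORMAL + SPLIT_OK + UNENDING

if __name__ == "__main__":
    print(oversized_header_blocks(SAMPLE))
```

The input is the decrypted frame stream after the HTTP/2 connection preface; a block still open at the end of the capture is reported if it is already over a limit.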
PC LX
2024-04-05 15:18:39 CEST
CC:
(none) =>
mageia
katnatek
2024-04-05 19:47:01 CEST
Keywords:
(none) =>
advisory
RH mageia 9 x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-synthesis.hdlist.cz
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-info.xml.lzma
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-files.xml.lzma
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-changelog.xml.lzma
updated medium "Core Updates (distrib3)"
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-synthesis.hdlist.cz
https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-info.xml.lzma
https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-files.xml.lzma
https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-changelog.xml.lzma
updated medium "Core 32bit Updates (distrib32)"
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing apache-mod_proxy-2.4.59-1.mga9.x86_64.rpm apache-mod_userdir-2.4.59-1.mga9.x86_64.rpm apache-mod_ssl-2.4.59-1.mga9.x86_64.rpm apache-2.4.59-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/4: apache ##################################################################################################
2/4: apache-mod_proxy ##################################################################################################
3/4: apache-mod_userdir ##################################################################################################
4/4: apache-mod_ssl ##################################################################################################
1/4: removing apache-mod_ssl-2.4.58-1.mga9.x86_64
##################################################################################################
2/4: removing apache-mod_userdir-2.4.58-1.mga9.x86_64
##################################################################################################
3/4: removing apache-mod_proxy-2.4.58-1.mga9.x86_64
##################################################################################################
4/4: removing apache-2.4.58-1.mga9.x86_64
##################################################################################################
service httpd restart
Redirecting to /bin/systemctl restart httpd.service
service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Active: active (running) since Fri 2024-04-05 16:52:23 CST; 23s ago
Main PID: 147925 (httpd)
Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
Tasks: 6 (limit: 6904)
Memory: 6.0M
CPU: 82ms
CGroup: /system.slice/httpd.service
├─147925 /usr/sbin/httpd -DFOREGROUND
├─147927 /usr/sbin/httpd -DFOREGROUND
├─147928 /usr/sbin/httpd -DFOREGROUND
├─147929 /usr/sbin/httpd -DFOREGROUND
├─147930 /usr/sbin/httpd -DFOREGROUND
└─147931 /usr/sbin/httpd -DFOREGROUND
abr 05 16:52:23 phoenix systemd[1]: Starting httpd.service...
abr 05 16:52:23 phoenix httpd[147925]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using >
abr 05 16:52:23 phoenix systemd[1]: Started httpd.service.
Test my https site, it works as before the update
MGA9-64, Nextcloud test
The following 4 packages are going to be installed:
- apache-2.4.59-1.mga9.x86_64
- apache-htcacheclean-2.4.59-1.mga9.x86_64
- apache-mod_cache-2.4.59-1.mga9.x86_64
- apache-mod_ssl-2.4.59-1.mga9.x86_64
202KB of additional disk space will be use
served pages - no issues
running for the day with nextcloud - no issues
CC:
(none) =>
brtians1
Installed and tested without issues.
Tested for one day with several sites and scripts installed.
Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates (managed using certbot);
- self signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- APCu cache;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.
System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep apache.*2.4.59 | sort
apache-2.4.59-1.mga9
apache-mod_http2-2.4.59-1.mga9
apache-mod_proxy-2.4.59-1.mga9
apache-mod_proxy_html-2.4.59-1.mga9
apache-mod_ssl-2.4.59-1.mga9
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Active: active (running) since Fri 2024-04-05 14:25:26 WEST; 22h ago
Process: 1048599 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Main PID: 576435 (httpd)
Status: "Total requests: 24369; Idle/Busy workers 100/0;Requests/sec: 0.304; Bytes served/sec: 11KB/sec"
Tasks: 54 (limit: 19042)
Memory: 40.3M
CPU: 1min 11.686s
CGroup: /system.slice/httpd.service
├─ 576435 /usr/sbin/httpd -DFOREGROUND
├─1048628 /usr/sbin/httpd -DFOREGROUND
└─1048630 /usr/sbin/httpd -DFOREGROUND
katnatek
2024-04-09 03:33:16 CEST
CC:
(none) =>
andrewsfarm
katnatek
2024-04-09 03:33:32 CEST
Whiteboard:
(none) =>
MGA9-64-OK
Validating.
Keywords:
(none) =>
validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0118.html
Resolution:
(none) =>
FIXED
Marc Krämer
2024-04-10 15:57:52 CEST
Blocks:
(none) =>
33087
Nicolas Salguero
2024-04-10 16:28:01 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=33087
Nicolas Salguero
2024-04-10 16:28:09 CEST
Blocks:
33087 =>
(none) |