======================================================
Name: CVE-2013-1896
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log
Reference: CONFIRM:http://www.apache.org/dist/httpd/Announcement2.2.html

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

Reproducible:

Steps to Reproduce:
Packages have been built for mga2 updates_testing.
The fix for 2.4 is here: http://svn.apache.org/viewvc?view=revision&revision=1486461 However 2.4.5 is not released yet.
Mandriva has issued an advisory for this today (July 11): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
CC: (none) => luigiwalser
Version: 2 => Cauldron
Summary: CVE-2013-1896: apache - remote DoS in mod_dav => apache - remote DoS in mod_dav (CVE-2013-1896)
Whiteboard: (none) => MGA3TOO, MGA2TOO
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896 => http://lwn.net/Vulnerabilities/558922/
Apache 2.4.6 has been released upstream, fixing this flaw: http://www.apache.org/dist/httpd/CHANGES_2.4 It also fixes CVE-2013-2249, a flaw in mod_session_dbd: http://svn.apache.org/viewvc?view=revision&revision=r1500428 This module seems to not be present in Apache 2.2.x.
Summary: apache - remote DoS in mod_dav (CVE-2013-1896) => apache - remote DoS in mod_dav (CVE-2013-1896) and flaw in mod_session_dbd (CVE-2013-2249)
Fixed in Cauldron in apache-2.4.6-1.mga4.
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
apache-2.4.4-7.2.mga3 was just submitted fixing this.
Thanks Oden! There's a couple of other little issues in the Mageia 3 package we should fix before pushing this. One I mentioned on the last owncloud update (Bug 10763). All we need to do is add webapps.d to the list of directories caught by the filetrigger. Here's the exact change needed: --- apache.spec~ 2013-07-23 09:01:00.964809593 -0400 +++ apache.spec 2013-07-23 09:01:16.723812481 -0400 
@@ -658,7 +658,7 @@ # rpm filetriggers install -d -m 755 %{buildroot}%{_localstatedir}/lib/rpm/filetriggers cat > %{buildroot}%{_localstatedir}/lib/rpm/filetriggers/httpd.filter << EOF -^./etc/httpd/conf/(modules|sites|conf).d/.*\.conf$ +^./etc/httpd/conf/(modules|sites|conf|webapps).d/.*\.conf$ EOF install -m 755 %{SOURCE210} \ %{buildroot}%{_localstatedir}/lib/rpm/filetriggers/httpd.script The other is Bug 10178, which I guess happens if you upgrade from Mageia 2 and a webapp gets installed before the apache package does, creating sites.d too early. Pablo's suggested fix looks good. Once these are fixed, these will be the advisories: Advisory (Mageia 2): ======================== Updated apache packages fix security vulnerability: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI (CVE-2013-1896). 
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.25-1.mga2
apache-devel-2.2.25-1.mga2
apache-doc-2.2.25-1.mga2
apache-htcacheclean-2.2.25-1.mga2
apache-mod_authn_dbd-2.2.25-1.mga2
apache-mod_cache-2.2.25-1.mga2
apache-mod_dav-2.2.25-1.mga2
apache-mod_dbd-2.2.25-1.mga2
apache-mod_deflate-2.2.25-1.mga2
apache-mod_disk_cache-2.2.25-1.mga2
apache-mod_file_cache-2.2.25-1.mga2
apache-mod_ldap-2.2.25-1.mga2
apache-mod_mem_cache-2.2.25-1.mga2
apache-mod_proxy-2.2.25-1.mga2
apache-mod_proxy_ajp-2.2.25-1.mga2
apache-mod_proxy_scgi-2.2.25-1.mga2
apache-mod_reqtimeout-2.2.25-1.mga2
apache-mod_ssl-2.2.25-1.mga2
apache-mod_suexec-2.2.25-1.mga2
apache-mod_userdir-2.2.25-1.mga2
apache-mpm-event-2.2.25-1.mga2
apache-mpm-itk-2.2.25-1.mga2
apache-mpm-peruser-2.2.25-1.mga2
apache-mpm-prefork-2.2.25-1.mga2
apache-mpm-worker-2.2.25-1.mga2
apache-source-2.2.25-1.mga2

from apache-2.2.25-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

mod_dav.c in the Apache HTTP Server before 2.4.6 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI (CVE-2013-1896).

An unspecified error in Apache HTTP Server within the mod_session_dbd module related to the handling of the dirty flag during saving of the sessions has an unknown impact and remote attack vector (CVE-2013-2249).

Also, a minor issue causing httpd to not be restarted when installing or upgrading certain web applications, as well as an issue with the web application configuration files when upgrading from Mageia 2, both due to the moving of web applications configuration files to the /etc/httpd/conf/sites.d directory in Mageia 3, have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
http://www.apache.org/dist/httpd/CHANGES_2.4
http://xforce.iss.net/xforce/xfdb/85871
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
https://bugs.mageia.org/show_bug.cgi?id=10178
https://bugs.mageia.org/show_bug.cgi?id=10275
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.3.mga3
apache-mod_dav-2.4.4-7.3.mga3
apache-mod_ldap-2.4.4-7.3.mga3
apache-mod_cache-2.4.4-7.3.mga3
apache-mod_proxy-2.4.4-7.3.mga3
apache-mod_proxy_html-2.4.4-7.3.mga3
apache-mod_suexec-2.4.4-7.3.mga3
apache-mod_userdir-2.4.4-7.3.mga3
apache-mod_ssl-2.4.4-7.3.mga3
apache-mod_dbd-2.4.4-7.3.mga3
apache-htcacheclean-2.4.4-7.3.mga3
apache-devel-2.4.4-7.3.mga3
apache-doc-2.4.4-7.3.mga3

from apache-2.4.4-7.3.mga3.src.rpm
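Review bot: in the apache.spec filetrigger hunk above, the added pattern `^./etc/httpd/conf/(modules|sites|conf|webapps).d/.*\.conf$` leaves the `.` before `d/` unescaped, so it matches any character at that position rather than a literal dot (the removed line has the same looseness). Writing it as `\.d/` would keep the trigger limited to the four `*.d` directories, in line with the already escaped `\.conf$` at the end of the same pattern.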
Blocks: (none) => 10178
Apache packages fixing Bug 10178 and Bug 10275 uploaded for Mageia 3 and Cauldron. Assigning to QA. Advisories in Comment 7.
Assignee: bugsquad => qa-bugs
Colin found a minor problem with the pretrans scriptlet fix from Bug 10178 and fixed it. Re-posting the advisories.

Advisory (Mageia 2):
========================

Updated apache packages fix security vulnerability:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI (CVE-2013-1896).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.25-1.mga2
apache-devel-2.2.25-1.mga2
apache-doc-2.2.25-1.mga2
apache-htcacheclean-2.2.25-1.mga2
apache-mod_authn_dbd-2.2.25-1.mga2
apache-mod_cache-2.2.25-1.mga2
apache-mod_dav-2.2.25-1.mga2
apache-mod_dbd-2.2.25-1.mga2
apache-mod_deflate-2.2.25-1.mga2
apache-mod_disk_cache-2.2.25-1.mga2
apache-mod_file_cache-2.2.25-1.mga2
apache-mod_ldap-2.2.25-1.mga2
apache-mod_mem_cache-2.2.25-1.mga2
apache-mod_proxy-2.2.25-1.mga2
apache-mod_proxy_ajp-2.2.25-1.mga2
apache-mod_proxy_scgi-2.2.25-1.mga2
apache-mod_reqtimeout-2.2.25-1.mga2
apache-mod_ssl-2.2.25-1.mga2
apache-mod_suexec-2.2.25-1.mga2
apache-mod_userdir-2.2.25-1.mga2
apache-mpm-event-2.2.25-1.mga2
apache-mpm-itk-2.2.25-1.mga2
apache-mpm-peruser-2.2.25-1.mga2
apache-mpm-prefork-2.2.25-1.mga2
apache-mpm-worker-2.2.25-1.mga2
apache-source-2.2.25-1.mga2

from apache-2.2.25-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

mod_dav.c in the Apache HTTP Server before 2.4.6 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI (CVE-2013-1896).

An unspecified error in Apache HTTP Server within the mod_session_dbd module related to the handling of the dirty flag during saving of the sessions has an unknown impact and remote attack vector (CVE-2013-2249).

Also, a minor issue causing httpd to not be restarted when installing or upgrading certain web applications, as well as an issue with the web application configuration files when upgrading from Mageia 2, both due to the moving of web applications configuration files to the /etc/httpd/conf/sites.d directory in Mageia 3, have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
http://www.apache.org/dist/httpd/CHANGES_2.4
http://xforce.iss.net/xforce/xfdb/85871
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
https://bugs.mageia.org/show_bug.cgi?id=10178
https://bugs.mageia.org/show_bug.cgi?id=10275
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.4.mga3
apache-mod_dav-2.4.4-7.4.mga3
apache-mod_ldap-2.4.4-7.4.mga3
apache-mod_cache-2.4.4-7.4.mga3
apache-mod_proxy-2.4.4-7.4.mga3
apache-mod_proxy_html-2.4.4-7.4.mga3
apache-mod_suexec-2.4.4-7.4.mga3
apache-mod_userdir-2.4.4-7.4.mga3
apache-mod_ssl-2.4.4-7.4.mga3
apache-mod_dbd-2.4.4-7.4.mga3
apache-htcacheclean-2.4.4-7.4.mga3
apache-devel-2.4.4-7.4.mga3
apache-doc-2.4.4-7.4.mga3

from apache-2.4.4-7.4.mga3.src.rpm
Created attachment 4221 [details] urpmi error message
CC: (none) => wilcal.int
I tried an M3 i586 update_testing and got a urpmi error message. See attachment above.
You tried 7.3.mga3. This should be fixed in 7.4.mga3.
Will give it a go late tomorrow, California time.
======================================================
Name: CVE-2013-2249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h
Reference: CONFIRM:http://www.apache.org/dist/httpd/CHANGES_2.4.6

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
MGA3-32-OK for me

Start with package apache-2.4.4-7.1.mga3.i586 installed

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.1.mga3.i586 is already installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.4.4-7.4.mga3.i586 installed from core updates_testing
It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.4.mga3.i586 is already installed

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16
MGA3-64-OK for me

Start with apache-2.4.4-7.1.mga3.x86_64 installed

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.1.mga3.x86_64 is already installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.4.4-7.4.mga3.x86_64 installed from core updates_testing
It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.4.mga3.x86_64 is already installed

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16

While I've been successful with this others may have issues so I'm gonna leave the final certification of this update to others.
MGA2-32-OK for me

Start with package apache-2.2.24-1.1.mga2.i586 installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.2.25-1.mga2.i586 installed from core updates_testing
It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

[root@localhost wilcal]# urpmi apache
Package apache-2.2.25-1.mga2.i586 is already installed

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16
MGA2-64-OK for me

Start with package apache-2.2.24-1.1.mga2.x86_64 installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.2.25-1.mga2.x86_64 installed from core updates_testing
It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

[root@localhost wilcal]# urpmi apache
Package apache-2.2.25-1.mga2.x86_64 is already installed

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16

While I've been successful with this others may have issues so I'm gonna leave the final certification of this update to others.
Thanks William.

It's worth checking the dav module loads ok too as it's what was updated. Done here, so it's ok.

# httpd -D DUMP_MODULES | grep dav
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)

Adding whiteboard tags.
Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. 2 separate advisories from comment 9 uploaded. Could sysadmin please push from 2 & 3 core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0230.html mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0231.html
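A patch-level check for the builds pushed in this bug, as an added example that is not part of the original thread: it compares installed apache package strings against the fixed builds named in the advisories (2.2.25-1.mga2 and 2.4.4-7.4.mga3) using a simplified form of rpm's segment-wise version comparison. The function names and the sample list are constructed for illustration; epoch, `~`/`^` handling and architecture suffixes are assumed absent.

```python
import re

# Builds pushed to core/updates in this bug, keyed by distro tag (values from the advisories).
FIXED = {"mga2": ("2.2.25", "1.mga2"), "mga3": ("2.4.4", "7.4.mga3")}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators only delimit them.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Epoch, '~' and '^' are not handled."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(nvr):
    """Split 'name-version-release' on the last two hyphens (names may contain '-')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def audit(installed):
    """Return {nvr: 'ok' | 'outdated' | 'unknown-release'}."""
    result = {}
    for nvr in installed:
        _, version, release = parse_nvr(nvr)
        distro = release.rsplit(".", 1)[-1]  # trailing tag, e.g. 'mga3'
        if distro not in FIXED:
            result[nvr] = "unknown-release"
            continue
        fixed_version, fixed_release = FIXED[distro]
        order = vercmp(version, fixed_version) or vercmp(release, fixed_release)
        result[nvr] = "ok" if order >= 0 else "outdated"
    return result

# Constructed sample in name-version-release form (no architecture suffix).
SAMPLE = [
    "apache-2.4.4-7.1.mga3",
    "apache-mod_dav-2.4.4-7.4.mga3",
    "apache-2.2.24-1.1.mga2",
    "apache-mpm-prefork-2.2.25-1.mga2",
    "apache-2.4.6-1.mga4",
]

if __name__ == "__main__":
    for nvr, status in audit(SAMPLE).items():
        print(f"{status:16} {nvr}")
```

On a live system the input list can be produced with `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'apache*'`.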
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN CVE page for CVE-2013-2249: http://lwn.net/Vulnerabilities/562282/ Seems they missed this update announcement from us.
(In reply to David Walser from comment #22)
> LWN CVE page for CVE-2013-2249:
> http://lwn.net/Vulnerabilities/562282/
>
> Seems they missed this update announcement from us.

There were separate advisories for mga2 and 3.
10756.mga2.adv 10756.mga3.adv

Would having the version in the advisory name interfere with their parsing?

[dave@x3 advisories]$ ll|grep mga
-rw-r--r-- 1 dave dave  509 Jun 18 12:52 10145-mga2.adv
-rw-r--r-- 1 dave dave 1607 Jun 18 12:52 10145-mga3.adv
-rw-r--r-- 1 dave dave  834 Jun 26 15:38 10471-mga2.adv
-rw-r--r-- 1 dave dave 1729 Jun 26 15:38 10471-mga3.adv
-rw-r--r-- 1 dave dave  629 Jul 23 16:06 10516.mga2.adv
-rw-r--r-- 1 dave dave 1520 Jul 23 16:06 10516.mga3.adv
-rw-r--r-- 1 dave dave  853 Jul 26 19:32 10756.mga2.adv
-rw-r--r-- 1 dave dave 1534 Jul 26 19:32 10756.mga3.adv
-rw-r--r-- 1 dave dave  560 Jul  9 18:46 952.mga2.adv
-rw-r--r-- 1 dave dave  339 Jul  9 18:46 952.mga3.adv

5 bugs so far, that have had separate advisories.
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #23)
> (In reply to David Walser from comment #22)
> > LWN CVE page for CVE-2013-2249:
> > http://lwn.net/Vulnerabilities/562282/
> >
> > Seems they missed this update announcement from us.
>
> There were separate advisories for mga2 and 3.
> 10756.mga2.adv 10756.mga3.adv
>
> Would having the version in the advisory name interfere
> with their parsing?

They are parsed by humans, and as this went out as two separate advisories, I would imagine it went out as two e-mails, so they should have been able to pick it up. Maybe they were having e-mail problems that day?