Bug 10756 - apache - remote DoS in mod_dav (CVE-2013-1896) and flaw in mod_session_dbd (CVE-2013-2249)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/558922/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Keywords: validated_update
Depends on:
Blocks: 10178
Reported: 2013-07-11 08:52 CEST by Oden Eriksson
Modified: 2013-08-07 01:59 CEST

See Also:
Source RPM: apache
CVE:
Status comment:


Attachments
urpmi error message (1.82 KB, text/plain)
2013-07-24 04:22 CEST, William Kenney

Description Oden Eriksson 2013-07-11 08:52:39 CEST
======================================================
Name: CVE-2013-1896
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log
Reference: CONFIRM:http://www.apache.org/dist/httpd/Announcement2.2.html

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a
MERGE request in which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML data refers to
a non-DAV URI.


Comment 1 Oden Eriksson 2013-07-11 08:54:00 CEST
Packages have been built for mga2 updates_testing.
Comment 2 Oden Eriksson 2013-07-11 09:06:14 CEST
The fix for 2.4 is here:

http://svn.apache.org/viewvc?view=revision&revision=1486461

However 2.4.5 is not released yet.
Comment 3 David Walser 2013-07-11 17:09:36 CEST
Mandriva has issued an advisory for this today (July 11):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/

CC: (none) => luigiwalser
Version: 2 => Cauldron
Summary: CVE-2013-1896: apache - remote DoS in mod_dav => apache - remote DoS in mod_dav (CVE-2013-1896)
Whiteboard: (none) => MGA3TOO, MGA2TOO

David Walser 2013-07-15 23:04:08 CEST

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896 => http://lwn.net/Vulnerabilities/558922/

Comment 4 David Walser 2013-07-19 14:54:22 CEST
Apache 2.4.6 has been released upstream, fixing this flaw:
http://www.apache.org/dist/httpd/CHANGES_2.4

It also fixes CVE-2013-2249, a flaw in mod_session_dbd:
http://svn.apache.org/viewvc?view=revision&revision=r1500428

This module seems to not be present in Apache 2.2.x.

Summary: apache - remote DoS in mod_dav (CVE-2013-1896) => apache - remote DoS in mod_dav (CVE-2013-1896) and flaw in mod_session_dbd (CVE-2013-2249)

Comment 5 David Walser 2013-07-22 21:46:09 CEST
Fixed in Cauldron in apache-2.4.6-1.mga4.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 6 Oden Eriksson 2013-07-23 09:41:43 CEST
apache-2.4.4-7.2.mga3 was just submitted fixing this.
Comment 7 David Walser 2013-07-23 15:02:05 CEST
Thanks Oden!

There are a couple of other little issues in the Mageia 3 package we should fix before pushing this.  One I mentioned on the last owncloud update (Bug 10763).  All we need to do is add webapps.d to the list of directories caught by the filetrigger.  Here's the exact change needed:
--- apache.spec~        2013-07-23 09:01:00.964809593 -0400
+++ apache.spec 2013-07-23 09:01:16.723812481 -0400
@@ -658,7 +658,7 @@
 # rpm filetriggers
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/rpm/filetriggers
 cat > %{buildroot}%{_localstatedir}/lib/rpm/filetriggers/httpd.filter << EOF
-^./etc/httpd/conf/(modules|sites|conf).d/.*\.conf$
+^./etc/httpd/conf/(modules|sites|conf|webapps).d/.*\.conf$
 EOF
 install -m 755 %{SOURCE210} \
     %{buildroot}%{_localstatedir}/lib/rpm/filetriggers/httpd.script
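
Review bot: the "." before "d" in "(modules|sites|conf|webapps).d/" on the added line is unescaped, so it matches any single character rather than a literal dot; "\.d/" would restrict the filter to the intended "*.d" directories and would be consistent with the "\.conf" escape already used at the end of the same pattern. The addition of "webapps" to the alternation itself is what the filetrigger needs.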

The other is Bug 10178, which I guess happens if you upgrade from Mageia 2 and a webapp gets installed before the apache package does, creating sites.d too early.  Pablo's suggested fix looks good.

Once these are fixed, these will be the advisories:

Advisory (Mageia 2):
========================

Updated apache packages fix security vulnerability:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a
MERGE request in which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML data refers
to a non-DAV URI (CVE-2013-1896).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.25-1.mga2
apache-devel-2.2.25-1.mga2
apache-doc-2.2.25-1.mga2
apache-htcacheclean-2.2.25-1.mga2
apache-mod_authn_dbd-2.2.25-1.mga2
apache-mod_cache-2.2.25-1.mga2
apache-mod_dav-2.2.25-1.mga2
apache-mod_dbd-2.2.25-1.mga2
apache-mod_deflate-2.2.25-1.mga2
apache-mod_disk_cache-2.2.25-1.mga2
apache-mod_file_cache-2.2.25-1.mga2
apache-mod_ldap-2.2.25-1.mga2
apache-mod_mem_cache-2.2.25-1.mga2
apache-mod_proxy-2.2.25-1.mga2
apache-mod_proxy_ajp-2.2.25-1.mga2
apache-mod_proxy_scgi-2.2.25-1.mga2
apache-mod_reqtimeout-2.2.25-1.mga2
apache-mod_ssl-2.2.25-1.mga2
apache-mod_suexec-2.2.25-1.mga2
apache-mod_userdir-2.2.25-1.mga2
apache-mpm-event-2.2.25-1.mga2
apache-mpm-itk-2.2.25-1.mga2
apache-mpm-peruser-2.2.25-1.mga2
apache-mpm-prefork-2.2.25-1.mga2
apache-mpm-worker-2.2.25-1.mga2
apache-source-2.2.25-1.mga2

from apache-2.2.25-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

mod_dav.c in the Apache HTTP Server before 2.4.6 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a
MERGE request in which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML data refers
to a non-DAV URI (CVE-2013-1896).

An unspecified error in Apache HTTP Server within the mod_session_dbd
module related to the handling of the dirty flag during saving of the
sessions has an unknown impact and remote attack vector (CVE-2013-2249).

Also, a minor issue causing httpd to not be restarted when installing
or upgrading certain web applications, as well as an issue with the
web application configuration files when upgrading from Mageia 2, both
due to the moving of web applications configuration files to the
/etc/httpd/conf/sites.d directory in Mageia 3, have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
http://www.apache.org/dist/httpd/CHANGES_2.4
http://xforce.iss.net/xforce/xfdb/85871
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
https://bugs.mageia.org/show_bug.cgi?id=10178
https://bugs.mageia.org/show_bug.cgi?id=10275
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.3.mga3
apache-mod_dav-2.4.4-7.3.mga3
apache-mod_ldap-2.4.4-7.3.mga3
apache-mod_cache-2.4.4-7.3.mga3
apache-mod_proxy-2.4.4-7.3.mga3
apache-mod_proxy_html-2.4.4-7.3.mga3
apache-mod_suexec-2.4.4-7.3.mga3
apache-mod_userdir-2.4.4-7.3.mga3
apache-mod_ssl-2.4.4-7.3.mga3
apache-mod_dbd-2.4.4-7.3.mga3
apache-htcacheclean-2.4.4-7.3.mga3
apache-devel-2.4.4-7.3.mga3
apache-doc-2.4.4-7.3.mga3

from apache-2.4.4-7.3.mga3.src.rpm

Blocks: (none) => 10178
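
The filetrigger change in Comment 7 can be checked without rebuilding the package. The following is an added example, not code from the bug report or from the Mageia apache package: it runs the old and new filter regexes over a constructed list of installed paths and reports which ones would make the httpd filetrigger run. It assumes rpm feeds the filter one path per line prefixed with "./", which is what the leading "^./" in the spec's pattern implies.

```shell
# Added example, not part of the bug report or the Mageia apache package:
# exercises the filetrigger filter regex from Comment 7 against constructed
# paths, so the effect of adding "webapps" to the alternation can be checked
# without building the package. Assumption: rpm feeds the filter one installed
# path per line, prefixed with "./", which is what the leading "^./" in the
# spec's pattern implies.

OLD_FILTER='^./etc/httpd/conf/(modules|sites|conf).d/.*\.conf$'
NEW_FILTER='^./etc/httpd/conf/(modules|sites|conf|webapps).d/.*\.conf$'

# trigger_fires FILTER PATH: exit 0 if PATH would make the httpd filetrigger run
trigger_fires() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Constructed file list, as a webapp package such as owncloud might install it.
SAMPLE_PATHS='./etc/httpd/conf/webapps.d/owncloud.conf
./etc/httpd/conf/sites.d/00_default.conf
./etc/httpd/conf/conf.d/ssl.conf
./usr/share/owncloud/index.php
./etc/httpd/conf/webapps.d/README'

# count_firing FILTER: number of sample paths that would fire the trigger
count_firing() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -Ec -- "$1"
}

# report FILTER LABEL: show each sample path with its verdict under FILTER
report() {
    printf '%s:\n' "$2"
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r path; do
        if trigger_fires "$1" "$path"; then
            printf '  fires   %s\n' "$path"
        else
            printf '  ignored %s\n' "$path"
        fi
    done
}

report "$OLD_FILTER" "before the change"
report "$NEW_FILTER" "after the change"
```

With the old filter, only the sites.d and conf.d files fire the trigger, so a webapp that only drops a file into webapps.d would be installed without httpd being restarted; with the new filter the webapps.d config fires it as well, while the README in the same directory is still ignored because it has no .conf suffix. Because the "." before "d" is not escaped, the pattern also accepts a directory such as sitesXd; writing "\.d" would make it match only the intended directories.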

Comment 8 David Walser 2013-07-23 18:45:10 CEST
Apache packages fixing Bug 10178 and Bug 10275 uploaded for Mageia 3 and Cauldron.

Assigning to QA.  Advisories in Comment 7.

Assignee: bugsquad => qa-bugs

Comment 9 David Walser 2013-07-23 23:57:46 CEST
Colin found a minor problem with the pretrans scriptlet fix from Bug 10178 and fixed it.  Re-posting the advisories.

Advisory (Mageia 2):
========================

Updated apache packages fix security vulnerability:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a
MERGE request in which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML data refers
to a non-DAV URI (CVE-2013-1896).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.25-1.mga2
apache-devel-2.2.25-1.mga2
apache-doc-2.2.25-1.mga2
apache-htcacheclean-2.2.25-1.mga2
apache-mod_authn_dbd-2.2.25-1.mga2
apache-mod_cache-2.2.25-1.mga2
apache-mod_dav-2.2.25-1.mga2
apache-mod_dbd-2.2.25-1.mga2
apache-mod_deflate-2.2.25-1.mga2
apache-mod_disk_cache-2.2.25-1.mga2
apache-mod_file_cache-2.2.25-1.mga2
apache-mod_ldap-2.2.25-1.mga2
apache-mod_mem_cache-2.2.25-1.mga2
apache-mod_proxy-2.2.25-1.mga2
apache-mod_proxy_ajp-2.2.25-1.mga2
apache-mod_proxy_scgi-2.2.25-1.mga2
apache-mod_reqtimeout-2.2.25-1.mga2
apache-mod_ssl-2.2.25-1.mga2
apache-mod_suexec-2.2.25-1.mga2
apache-mod_userdir-2.2.25-1.mga2
apache-mpm-event-2.2.25-1.mga2
apache-mpm-itk-2.2.25-1.mga2
apache-mpm-peruser-2.2.25-1.mga2
apache-mpm-prefork-2.2.25-1.mga2
apache-mpm-worker-2.2.25-1.mga2
apache-source-2.2.25-1.mga2

from apache-2.2.25-1.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

mod_dav.c in the Apache HTTP Server before 2.4.6 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a
MERGE request in which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML data refers
to a non-DAV URI (CVE-2013-1896).

An unspecified error in Apache HTTP Server within the mod_session_dbd
module related to the handling of the dirty flag during saving of the
sessions has an unknown impact and remote attack vector (CVE-2013-2249).

Also, a minor issue causing httpd to not be restarted when installing
or upgrading certain web applications, as well as an issue with the
web application configuration files when upgrading from Mageia 2, both
due to the moving of web applications configuration files to the
/etc/httpd/conf/sites.d directory in Mageia 3, have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
http://www.apache.org/dist/httpd/CHANGES_2.4
http://xforce.iss.net/xforce/xfdb/85871
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:193/
https://bugs.mageia.org/show_bug.cgi?id=10178
https://bugs.mageia.org/show_bug.cgi?id=10275
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.4.mga3
apache-mod_dav-2.4.4-7.4.mga3
apache-mod_ldap-2.4.4-7.4.mga3
apache-mod_cache-2.4.4-7.4.mga3
apache-mod_proxy-2.4.4-7.4.mga3
apache-mod_proxy_html-2.4.4-7.4.mga3
apache-mod_suexec-2.4.4-7.4.mga3
apache-mod_userdir-2.4.4-7.4.mga3
apache-mod_ssl-2.4.4-7.4.mga3
apache-mod_dbd-2.4.4-7.4.mga3
apache-htcacheclean-2.4.4-7.4.mga3
apache-devel-2.4.4-7.4.mga3
apache-doc-2.4.4-7.4.mga3

from apache-2.4.4-7.4.mga3.src.rpm
Comment 10 William Kenney 2013-07-24 04:22:44 CEST
Created attachment 4221
urpmi error message

CC: (none) => wilcal.int

Comment 11 William Kenney 2013-07-24 04:24:10 CEST
I tried an M3 i586 update_testing and got a urpmi error message.
See attachment above.
Comment 12 David Walser 2013-07-24 04:45:33 CEST
You tried 7.3.mga3.  This should be fixed in 7.4.mga3.
Comment 13 William Kenney 2013-07-24 05:09:05 CEST
Will give it a go late tomorrow, California time.
Comment 14 Oden Eriksson 2013-07-24 08:04:28 CEST
======================================================
Name: CVE-2013-2249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h
Reference: CONFIRM:http://www.apache.org/dist/httpd/CHANGES_2.4.6

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP
Server before 2.4.5 proceeds with save operations for a session
without considering the dirty flag and the requirement for a new
session ID, which has unspecified impact and remote attack vectors.
Comment 15 William Kenney 2013-07-24 18:34:42 CEST
MGA3-32-OK for me

Start with package apache-2.4.4-7.1.mga3.i586 installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.1.mga3.i586 is already installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.4.4-7.4.mga3.i586 installed from core updates_testing

It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.4.mga3.i586 is already installed

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16
Comment 16 William Kenney 2013-07-24 18:35:02 CEST
MGA3-64-OK for me

Start with apache-2.4.4-7.1.mga3.x86_64 installed
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.1.mga3.x86_64 is already installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.4.4-7.4.mga3.x86_64 installed from core updates_testing

It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN
[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.4.mga3.x86_64 is already installed

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16
 
 While I've been successful with this, others may have issues, so I'm
 gonna leave the final certification of this update to others.
Comment 17 William Kenney 2013-07-25 05:07:05 CEST
MGA2-32-OK for me

Start with package apache-2.2.24-1.1.mga2.i586 installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.2.25-1.mga2.i586 installed from core updates_testing

It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN
[root@localhost wilcal]# urpmi apache
Package apache-2.2.25-1.mga2.i586 is already installed

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16
Comment 18 William Kenney 2013-07-25 05:07:32 CEST
MGA2-64-OK for me

Start with package apache-2.2.24-1.1.mga2.x86_64 installed

create /home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN

Package apache-2.2.25-1.mga2.x86_64 installed from core updates_testing

It's possible to stop and restart apache but I reboot the system.

/home/wilcal/public_html/index.html
Accessible from localhost/~wilcal/ and other systems on the LAN
[root@localhost wilcal]# urpmi apache
Package apache-2.2.25-1.mga2.x86_64 is already installed

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16
 
 While I've been successful with this, others may have issues, so I'm
 gonna leave the final certification of this update to others.
Comment 19 claire robinson 2013-07-25 09:18:46 CEST
Thanks William. It's worth checking the dav module loads ok too as it's what was updated. Done here, so it's ok.

# httpd -D DUMP_MODULES | grep dav
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)


Adding whiteboard tags.

Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 20 claire robinson 2013-07-25 11:30:33 CEST
Validating. 2 separate advisories from comment 9 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 21 Thomas Backlund 2013-07-26 13:37:29 CEST
mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0230.html

mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0231.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 22 David Walser 2013-08-06 20:19:10 CEST
LWN CVE page for CVE-2013-2249:
http://lwn.net/Vulnerabilities/562282/

Seems they missed this update announcement from us.
Comment 23 Dave Hodgins 2013-08-07 01:31:11 CEST
(In reply to David Walser from comment #22)
> LWN CVE page for CVE-2013-2249:
> http://lwn.net/Vulnerabilities/562282/
> 
> Seems they missed this update announcement from us.

There were separate advisories for mga2 and 3.
10756.mga2.adv  10756.mga3.adv

Would having the version in the advisory name interfere
with their parsing?

[dave@x3 advisories]$ ll|grep mga
-rw-r--r-- 1 dave dave  509 Jun 18 12:52 10145-mga2.adv
-rw-r--r-- 1 dave dave 1607 Jun 18 12:52 10145-mga3.adv
-rw-r--r-- 1 dave dave  834 Jun 26 15:38 10471-mga2.adv
-rw-r--r-- 1 dave dave 1729 Jun 26 15:38 10471-mga3.adv
-rw-r--r-- 1 dave dave  629 Jul 23 16:06 10516.mga2.adv
-rw-r--r-- 1 dave dave 1520 Jul 23 16:06 10516.mga3.adv
-rw-r--r-- 1 dave dave  853 Jul 26 19:32 10756.mga2.adv
-rw-r--r-- 1 dave dave 1534 Jul 26 19:32 10756.mga3.adv
-rw-r--r-- 1 dave dave  560 Jul  9 18:46 952.mga2.adv
-rw-r--r-- 1 dave dave  339 Jul  9 18:46 952.mga3.adv

5 bugs so far that have had separate advisories.

CC: (none) => davidwhodgins

Comment 24 David Walser 2013-08-07 01:59:16 CEST
(In reply to Dave Hodgins from comment #23)
> (In reply to David Walser from comment #22)
> > LWN CVE page for CVE-2013-2249:
> > http://lwn.net/Vulnerabilities/562282/
> > 
> > Seems they missed this update announcement from us.
> 
> There were separate advisories for mga2 and 3.
> 10756.mga2.adv  10756.mga3.adv
> 
> Would having the version in the advisory name interfere
> with their parsing?

They are parsed by humans, and as this went out as two separate advisories, I would imagine it went out as two e-mails, so they should have been able to pick it up.  Maybe they were having e-mail problems that day?
