Bug 13040 - apache new security issues CVE-2013-6438 and CVE-2014-0098
: apache new security issues CVE-2013-6438 and CVE-2014-0098
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/591211/
: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-18 10:31 CET by Oden Eriksson
Modified: 2014-03-20 21:18 CET (History)
4 users (show)

See Also:
Source RPM: apache-2.4.7-5.mga4.src.rpm
CVE:


Attachments

Description Oden Eriksson 2014-03-18 10:31:08 CET
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.
     [William Rowe, Ruediger Pluem, Jim Jagielski]

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests
     [Amin Tora <Amin.Tora neustar.biz>]

CVE-2014-0098: http://svn.apache.org/viewvc?view=revision&revision=1576716
CVE-2013-6438: http://svn.apache.org/viewvc?view=revision&revision=1576706


Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-18 18:19:24 CET
Also fixed upstream in 2.2.27 and 2.4.8.

Oden recently updated Cauldron to 2.4.9, so it's not affected.

Mageia 3 and Mageia 4 have 2.4.4 and 2.4.7, respectively, so they are.

Both of the SVN links Oden posted were for 2.2.x, so we'll need 2.4.x patches.
Comment 3 David Walser 2014-03-18 18:44:45 CET
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav
when handling DAV_WRITE requests (CVE-2013-6438).

Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging
cookies (CVE-2014-0098).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.6.mga3
apache-mod_dav-2.4.4-7.6.mga3
apache-mod_ldap-2.4.4-7.6.mga3
apache-mod_cache-2.4.4-7.6.mga3
apache-mod_proxy-2.4.4-7.6.mga3
apache-mod_proxy_html-2.4.4-7.6.mga3
apache-mod_suexec-2.4.4-7.6.mga3
apache-mod_userdir-2.4.4-7.6.mga3
apache-mod_ssl-2.4.4-7.6.mga3
apache-mod_dbd-2.4.4-7.6.mga3
apache-htcacheclean-2.4.4-7.6.mga3
apache-devel-2.4.4-7.6.mga3
apache-doc-2.4.4-7.6.mga3
apache-2.4.7-5.1.mga4
apache-mod_dav-2.4.7-5.1.mga4
apache-mod_ldap-2.4.7-5.1.mga4
apache-mod_session-2.4.7-5.1.mga4
apache-mod_cache-2.4.7-5.1.mga4
apache-mod_proxy-2.4.7-5.1.mga4
apache-mod_proxy_html-2.4.7-5.1.mga4
apache-mod_suexec-2.4.7-5.1.mga4
apache-mod_userdir-2.4.7-5.1.mga4
apache-mod_ssl-2.4.7-5.1.mga4
apache-mod_dbd-2.4.7-5.1.mga4
apache-htcacheclean-2.4.7-5.1.mga4
apache-devel-2.4.7-5.1.mga4
apache-doc-2.4.7-5.1.mga4

from SRPMS:
apache-2.4.4-7.6.mga3.src.rpm
apache-2.4.7-5.1.mga4.src.rpm
Comment 4 William Kenney 2014-03-19 16:31:02 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
apache

default install of apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.5.mga3.i586 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

install apache ( httpd ) from updates_testing

stop then restart apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.i586 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 5 William Kenney 2014-03-19 16:53:30 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
apache

default install of apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.5.mga3.x86_64 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

install apache ( httpd ) from updates_testing

stop then restart apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.x86_64 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-03-19 17:09:05 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache

default install of apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.mga4.i586 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

install apache ( httpd ) from updates_testing

stop then restart apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.i586 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 7 William Kenney 2014-03-19 17:25:38 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache

default install of apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.mga4.x86_64 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

install apache ( httpd ) from updates_testing

stop then restart apache ( httpd )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.x86_64 is already installed

Apache ( httpd ) webpage is accessable from localhost
and other workstations on my LAN.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 8 William Kenney 2014-03-19 17:26:34 CET
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Comment 9 Thomas Backlund 2014-03-19 18:45:55 CET
advisory added

Update pushed:
http://advisories.mageia.org/MGASA-2014-0135.html

Note You need to log in before you can comment on or make changes to this bug.