http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES *) SECURITY: CVE-2014-0098 (cve.mitre.org) Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. [William Rowe, Ruediger Pluem, Jim Jagielski] *) SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests [Amin Tora <Amin.Tora neustar.biz>] CVE-2014-0098: http://svn.apache.org/viewvc?view=revision&revision=1576716 CVE-2013-6438: http://svn.apache.org/viewvc?view=revision&revision=1576706 Reproducible: Steps to Reproduce:
Also fixed upstream in 2.2.27 and 2.4.8. Oden recently updated Cauldron to 2.4.9, so it's not affected. Mageia 3 and Mageia 4 have 2.4.4 and 2.4.7, respectively, so they are. Both of the SVN links Oden posted were for 2.2.x, so we'll need 2.4.x patches.
Summary: multiple vulnerabilities in apache 2.2/2.4 (CVE-2013-6438, CVE-2014-0098) => apache new security issues CVE-2013-6438 and CVE-2014-0098
Version: 3 => 4Source RPM: apache => apache-2.4.7-5.mga4.src.rpmWhiteboard: (none) => MGA3TOO
CVE-2013-6438: http://svn.apache.org/viewvc?view=revision&revision=1556816 CVE-2014-0098: http://svn.apache.org/viewvc?view=revision&revision=1575904
Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated apache packages fix security vulnerabilities: Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav when handling DAV_WRITE requests (CVE-2013-6438). Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies (CVE-2014-0098). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098 http://www.apache.org/dist/httpd/Announcement2.4.html ======================== Updated packages in core/updates_testing: ======================== apache-2.4.4-7.6.mga3 apache-mod_dav-2.4.4-7.6.mga3 apache-mod_ldap-2.4.4-7.6.mga3 apache-mod_cache-2.4.4-7.6.mga3 apache-mod_proxy-2.4.4-7.6.mga3 apache-mod_proxy_html-2.4.4-7.6.mga3 apache-mod_suexec-2.4.4-7.6.mga3 apache-mod_userdir-2.4.4-7.6.mga3 apache-mod_ssl-2.4.4-7.6.mga3 apache-mod_dbd-2.4.4-7.6.mga3 apache-htcacheclean-2.4.4-7.6.mga3 apache-devel-2.4.4-7.6.mga3 apache-doc-2.4.4-7.6.mga3 apache-2.4.7-5.1.mga4 apache-mod_dav-2.4.7-5.1.mga4 apache-mod_ldap-2.4.7-5.1.mga4 apache-mod_session-2.4.7-5.1.mga4 apache-mod_cache-2.4.7-5.1.mga4 apache-mod_proxy-2.4.7-5.1.mga4 apache-mod_proxy_html-2.4.7-5.1.mga4 apache-mod_suexec-2.4.7-5.1.mga4 apache-mod_userdir-2.4.7-5.1.mga4 apache-mod_ssl-2.4.7-5.1.mga4 apache-mod_dbd-2.4.7-5.1.mga4 apache-htcacheclean-2.4.7-5.1.mga4 apache-devel-2.4.7-5.1.mga4 apache-doc-2.4.7-5.1.mga4 from SRPMS: apache-2.4.4-7.6.mga3.src.rpm apache-2.4.7-5.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
In VirtualBox, M3, KDE, 32-bit Package(s) under test: apache default install of apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.4-7.5.mga3.i586 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. install apache ( httpd ) from updates_testing stop then restart apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.4-7.6.mga3.i586 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.intWhiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
In VirtualBox, M3, KDE, 64-bit Package(s) under test: apache default install of apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.4-7.5.mga3.x86_64 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. install apache ( httpd ) from updates_testing stop then restart apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.4-7.6.mga3.x86_64 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit Package(s) under test: apache default install of apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.mga4.i586 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. install apache ( httpd ) from updates_testing stop then restart apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.1.mga4.i586 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit Package(s) under test: apache default install of apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.mga4.x86_64 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. install apache ( httpd ) from updates_testing stop then restart apache ( httpd ) [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.1.mga4.x86_64 is already installed Apache ( httpd ) webpage is accessable from localhost and other workstations on my LAN. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine. Testing complete for mga3 32-bit & 64-bit Testing complete for mga4 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
advisory added Update pushed: http://advisories.mageia.org/MGASA-2014-0135.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXEDWhiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
URL: (none) => http://lwn.net/Vulnerabilities/591211/CC: (none) => luigiwalser