Bug 13215 - apache-mod_security new security issue CVE-2013-5705
Summary: apache-mod_security new security issue CVE-2013-5705
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/594893/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-04-15 19:39 CEST by David Walser
Modified: 2014-04-17 22:36 CEST

See Also:
Source RPM: apache-mod_security-2.7.5-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-04-15 19:39:12 CEST
Fedora has issued an advisory on April 2:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131375.html

The issue was fixed upstream in 2.7.6.

Updated (to 2.7.7) package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

Martin Holst Swende discovered a flaw in the way mod_security handled chunked
requests. A remote attacker could use this flaw to bypass intended
mod_security restrictions, allowing them to send requests containing content
that should have been removed by mod_security (CVE-2013-5705).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131375.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.7.4-1.1.mga3
mlogc-2.7.4-1.1.mga3
apache-mod_security-2.7.5-2.1.mga4
mlogc-2.7.5-2.1.mga4

from SRPMS:
apache-mod_security-2.7.4-1.1.mga3.src.rpm
apache-mod_security-2.7.5-2.1.mga4.src.rpm

David Walser 2014-04-15 19:39:17 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-04-16 14:49:22 CEST
As previous updates for this, just checking it loads ok.
e.g.

# httpd -M 2>/dev/null | grep security
 security_module (shared)

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-04-16 14:56:14 CEST
Testing complete mga3 64 and mga4 32 & 64

# httpd -M 2>/dev/null | grep security
 security2_module (shared)

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Comment 3 claire robinson 2014-04-16 15:02:32 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 4 claire robinson 2014-04-16 15:05:59 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-04-17 22:36:38 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0180.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

