Bug 13788 - apache new security issues CVE-2014-011[78], CVE-2014-0226, and CVE-2014-0231
Summary: apache new security issues CVE-2014-011[78], CVE-2014-0226, and CVE-2014-0231
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/606294/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-22 19:40 CEST by David Walser
Modified: 2014-07-29 23:32 CEST (History)
4 users (show)

See Also:
Source RPM: apache-2.4.7-5.1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-07-22 19:40:00 CEST
Apache 2.4.10 has been released, fixing several security issues:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.10
http://httpd.apache.org/security/vulnerabilities_24.html

apache-2.4.10-2.mga5 has been uploaded for Cauldron.

CVE-2014-0117 does not affect Mageia 3, but the others do.

We'll need to locate and backport patches for these.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-22 19:40:20 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-07-23 21:01:16 CEST
RedHat has issued an advisory for this today (July 23):
https://rhn.redhat.com/errata/RHSA-2014-0921.html

URL: (none) => http://lwn.net/Vulnerabilities/606294/

Comment 2 David Walser 2014-07-23 21:51:57 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory (Mageia 3):
========================

Updated apache packages fix security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user (CVE-2014-0226).

A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://httpd.apache.org/security/vulnerabilities_24.html
https://rhn.redhat.com/errata/RHSA-2014-0921.html


Advisory (Mageia 4):
========================

Updated apache packages fix security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A remote
attacker could send a specially crafted request to a server configured as a
reverse proxy using a threaded Multi-Processing Modules (MPM) that would
cause the httpd child process to crash (CVE-2014-0117).

A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://httpd.apache.org/security/vulnerabilities_24.html
https://rhn.redhat.com/errata/RHSA-2014-0921.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.4-7.8.mga3
apache-mod_dav-2.4.4-7.8.mga3
apache-mod_ldap-2.4.4-7.8.mga3
apache-mod_cache-2.4.4-7.8.mga3
apache-mod_proxy-2.4.4-7.8.mga3
apache-mod_proxy_html-2.4.4-7.8.mga3
apache-mod_suexec-2.4.4-7.8.mga3
apache-mod_userdir-2.4.4-7.8.mga3
apache-mod_ssl-2.4.4-7.8.mga3
apache-mod_dbd-2.4.4-7.8.mga3
apache-htcacheclean-2.4.4-7.8.mga3
apache-devel-2.4.4-7.8.mga3
apache-doc-2.4.4-7.8.mga3
apache-2.4.7-5.3.mga4
apache-mod_dav-2.4.7-5.3.mga4
apache-mod_ldap-2.4.7-5.3.mga4
apache-mod_session-2.4.7-5.3.mga4
apache-mod_cache-2.4.7-5.3.mga4
apache-mod_proxy-2.4.7-5.3.mga4
apache-mod_proxy_html-2.4.7-5.3.mga4
apache-mod_suexec-2.4.7-5.3.mga4
apache-mod_userdir-2.4.7-5.3.mga4
apache-mod_ssl-2.4.7-5.3.mga4
apache-mod_dbd-2.4.7-5.3.mga4
apache-htcacheclean-2.4.7-5.3.mga4
apache-devel-2.4.7-5.3.mga4
apache-doc-2.4.7-5.3.mga4

from SRPMS:
apache-2.4.4-7.8.mga3.src.rpm
apache-2.4.7-5.3.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

Comment 3 William Kenney 2014-07-25 17:09:35 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.6.mga3.i586 is already installed
http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.8.mga3.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2014-07-25 17:33:04 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.6.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.6.mga3.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.4-7.8.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.4-7.8.mga3.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 5 William Kenney 2014-07-25 17:46:38 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.1.mga4.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.i586 is already installed

http://localhost/~wilcal/ works
192.168.1.92/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-07-25 18:00:24 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.1.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.91/~wilcal/ local LAN IP works

install apache & apache-mod_userdir from updates_testing
Stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.3.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
192.168.1.91/~wilcal/ local LAN IP works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-07-25 18:01:51 CEST
I'm gonna leave this alone for a couple days. These
are the only packages I am familiar with. Others may
want to test some of the other parts of this before
pushing it on. For me it works.
Comment 8 William Kenney 2014-07-28 15:44:57 CEST
No on else has tested this.
For me this update works fine.
Lets push it.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Rémi Verschelde 2014-07-28 19:57:12 CEST
Advisories uploaded (13788.mga3.adv and 13788.mga4.adv).

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 10 Colin Guthrie 2014-07-29 23:32:13 CEST
Updates Pushed.

MGA3: http://advisories.mageia.org/MGASA-2014-0304.html
MGA4: http://advisories.mageia.org/MGASA-2014-0305.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.