RedHat has issued an advisory on December 9: https://rhn.redhat.com/errata/RHSA-2014-1972.html They added patches in this commit: https://git.centos.org/commit/rpms!httpd24-httpd.git/62b79381389dd11cbaefc91635e37114f0e75fdb The issues will be fixed in httpd 2.4.11, which has not yet been released. Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated apache packages fix security vulnerabilities: A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled (CVE-2014-3581). A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers (CVE-2013-5704). Note: With this update, httpd has been modified to not merge HTTP Trailer headers with other HTTP request headers. A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw. This update also fixes the following bug: Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the "wss:" URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to "wss:" back end servers (rhbz#1141950). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581 https://bugzilla.redhat.com/show_bug.cgi?id=1141950 https://rhn.redhat.com/errata/RHSA-2014-1972.html ======================== Updated packages in core/updates_testing: ======================== apache-2.4.7-5.4.mga4 apache-mod_dav-2.4.7-5.4.mga4 apache-mod_ldap-2.4.7-5.4.mga4 apache-mod_session-2.4.7-5.4.mga4 apache-mod_cache-2.4.7-5.4.mga4 apache-mod_proxy-2.4.7-5.4.mga4 apache-mod_proxy_html-2.4.7-5.4.mga4 apache-mod_suexec-2.4.7-5.4.mga4 apache-mod_userdir-2.4.7-5.4.mga4 apache-mod_ssl-2.4.7-5.4.mga4 apache-mod_dbd-2.4.7-5.4.mga4 apache-htcacheclean-2.4.7-5.4.mga4 apache-devel-2.4.7-5.4.mga4 apache-doc-2.4.7-5.4.mga4 from apache-2.4.7-5.4.mga4.src.rpm Reproducible: Steps to Reproduce:
LWN reference for CVE-2014-3581: http://lwn.net/Vulnerabilities/625491/
MGA4-64 on HP Probook 6555b Installed packages, no problem. Basically, http runs, can be stopped and started and responds to http://localhost:80
CC: (none) => herman.viaene
In VirtualBox, M4, KDE, 32-bit Package(s) under test: apache apache-mod_userdir default install of apache & apache-mod_userdir [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.3.mga4.i586 is already installed [root@shermanm4 wilcal]# urpmi apache-mod_userdir Package apache-mod_userdir-2.4.7-5.3.mga4.i586 is already installed Apache works on localhost and is accessable from another system on the LAN install apache & apache-mod_userdir from updates_testing stop and restart apache [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.4.mga4.i586 is already installed [root@localhost wilcal]# urpmi apache-mod_userdir Package apache-mod_userdir-2.4.7-5.4.mga4.i586 is already installed Apache works on localhost and is accessable from another system on the LAN apache-mod_session apache-mod_ssl apache-mod_dbd apache-doc and their associated packages install without a problem. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit Package(s) under test: apache apache-mod_userdir default install of apache & apache-mod_userdir [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.3.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi apache-mod_userdir Package apache-mod_userdir-2.4.7-5.3.mga4.x86_64 is already installed Apache works on localhost and is accessable from another system on the LAN install apache & apache-mod_userdir from updates_testing stop and restart apache [root@localhost wilcal]# urpmi apache Package apache-2.4.7-5.4.mga4.x86_64 is already installed [root@localhost wilcal]# urpmi apache-mod_userdir Package apache-mod_userdir-2.4.7-5.4.mga4.x86_64 is already installed Apache works on localhost and is accessable from another system on the LAN apache-mod_session apache-mod_ssl apache-mod_dbd apache-doc and their associated packages install without a problem. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update works fine. Testing complete for mga4 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: (none) => MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0527.html
Status: NEW => RESOLVEDResolution: (none) => FIXED