Bug 14916 - apache new security issue CVE-2014-8109
Summary: apache new security issue CVE-2014-8109
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628117/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Reported: 2014-12-30 17:56 CET by David Walser
Modified: 2015-01-07 17:32 CET
Source RPM: apache-2.4.7-5.4.mga4.src.rpm

Description David Walser 2014-12-30 17:56:17 CET
OpenSuSE has issued an advisory on December 29:
http://lists.opensuse.org/opensuse-updates/2014-12/msg00108.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does
not support an httpd configuration in which the same Lua authorization
provider is used with different arguments within different contexts, which
allows remote attackers to bypass intended access restrictions in
opportunistic circumstances by leveraging multiple Require directives, as
demonstrated by a configuration that specifies authorization for one group to
access a certain directory, and authorization for a second group to access a
second directory (CVE-2014-8109).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109
http://www.cvedetails.com/cve/CVE-2014-8109/
http://lists.opensuse.org/opensuse-updates/2014-12/msg00108.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.5.mga4
apache-mod_dav-2.4.7-5.5.mga4
apache-mod_ldap-2.4.7-5.5.mga4
apache-mod_session-2.4.7-5.5.mga4
apache-mod_cache-2.4.7-5.5.mga4
apache-mod_proxy-2.4.7-5.5.mga4
apache-mod_proxy_html-2.4.7-5.5.mga4
apache-mod_suexec-2.4.7-5.5.mga4
apache-mod_userdir-2.4.7-5.5.mga4
apache-mod_ssl-2.4.7-5.5.mga4
apache-mod_dbd-2.4.7-5.5.mga4
apache-htcacheclean-2.4.7-5.5.mga4
apache-devel-2.4.7-5.5.mga4
apache-doc-2.4.7-5.5.mga4

from apache-2.4.7-5.5.mga4.src.rpm
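
The advisory above says the flaw is reached when one Lua authorization provider is used with different arguments in different contexts. The following configuration audit for that pattern is an added example, not part of the original report or of the Apache or Mageia code; the sample configuration, provider names and paths are constructed for illustration.

```python
# Constructed sample config (not from the bug report); names and paths are hypothetical.
SAMPLE_CONF = """\
LuaAuthzProvider group_auth /etc/httpd/lua/authz.lua authz_group
LuaAuthzProvider owner_auth /etc/httpd/lua/authz.lua authz_owner
<Directory "/var/www/a">
    Require group_auth group1
</Directory>
<Directory "/var/www/b">
    Require group_auth group2
</Directory>
<Location "/private">
    Require owner_auth alice
</Location>
"""

def lua_require_uses(conf_text):
    """Return {provider: {(context, args), ...}} for Require lines naming a LuaAuthzProvider."""
    lines = [l.strip() for l in conf_text.splitlines()]
    lines = [l.split() for l in lines if l and not l.startswith("#")]
    uses = {w[1]: set() for w in lines
            if w[0].lower() == "luaauthzprovider" and len(w) > 1}
    stack = []  # enclosing <Directory>/<Location>/... sections, outermost first
    for words in lines:
        if words[0].startswith("</"):
            del stack[-1:]  # close the innermost section (no-op if unbalanced)
        elif words[0].startswith("<"):
            stack.append(" ".join(words).strip("<>"))
        elif words[0].lower() == "require":
            # "Require not <provider> ..." negates the test but names the same provider
            args = words[2:] if len(words) > 1 and words[1].lower() == "not" else words[1:]
            if args and args[0] in uses:
                context = " > ".join(stack) or "(server config)"
                uses[args[0]].add((context, tuple(args[1:])))
    return uses

def cve_2014_8109_candidates(conf_text):
    """Providers required with different arguments in different contexts."""
    flagged = {}
    for provider, seen in lua_require_uses(conf_text).items():
        contexts = {c for c, _ in seen}
        arg_sets = {a for _, a in seen}
        if len(contexts) > 1 and len(arg_sets) > 1:
            flagged[provider] = sorted(seen)
    return flagged

if __name__ == "__main__":
    for provider, uses in cve_2014_8109_candidates(SAMPLE_CONF).items():
        for context, args in uses:
            print(f"{context}: Require {provider} {' '.join(args)}")
```

The parser reads one block of text and does not follow Include directives or line continuations, so run it over the full merged configuration. A flagged provider means the host should be on the fixed apache package before that configuration is relied on.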

Comment 1 William Kenney 2015-01-03 19:37:25 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.i586 is already installed

http://localhost/~wilcal/ works
http://192.168.1.88/~wilcal/ is accessible
awstats tracks traffic.

install apache & apache-mod_userdir from updates_testing

stop then restart httpd, reboot ( apache )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.i586 is already installed

http://localhost/~wilcal/ works
http://192.168.1.88/~wilcal/ is accessible
awstats tracks traffic.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 2 William Kenney 2015-01-03 20:00:45 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
http://192.168.1.130/~wilcal/ is accessible
awstats tracks traffic.

install apache & apache-mod_userdir from updates_testing

stop then restart httpd, reboot ( apache )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
http://192.168.1.130/~wilcal/ is accessible
awstats tracks traffic.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 3 William Kenney 2015-01-03 20:02:25 CET
Unless some other issues are found, or someone wants to
do some additional testing, I will be validating this bug
in 48 hours.
Comment 4 William Kenney 2015-01-05 15:06:23 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-01-07 16:35:33 CET
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 6 Mageia Robot 2015-01-07 17:32:47 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0011.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED