OpenSuSE has issued an advisory on December 29:
http://lists.opensuse.org/opensuse-updates/2014-12/msg00108.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory (CVE-2014-8109).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109
http://www.cvedetails.com/cve/CVE-2014-8109/
http://lists.opensuse.org/opensuse-updates/2014-12/msg00108.html

========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.5.mga4
apache-mod_dav-2.4.7-5.5.mga4
apache-mod_ldap-2.4.7-5.5.mga4
apache-mod_session-2.4.7-5.5.mga4
apache-mod_cache-2.4.7-5.5.mga4
apache-mod_proxy-2.4.7-5.5.mga4
apache-mod_proxy_html-2.4.7-5.5.mga4
apache-mod_suexec-2.4.7-5.5.mga4
apache-mod_userdir-2.4.7-5.5.mga4
apache-mod_ssl-2.4.7-5.5.mga4
apache-mod_dbd-2.4.7-5.5.mga4
apache-htcacheclean-2.4.7-5.5.mga4
apache-devel-2.4.7-5.5.mga4
apache-doc-2.4.7-5.5.mga4

from apache-2.4.7-5.5.mga4.src.rpm

Reproducible:

Steps to Reproduce:
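The configuration pattern the advisory describes (one Lua authorization provider referenced by Require directives with different arguments in different contexts) can be located with a short script. This is an added example, not part of the bug report or of Apache; the provider name `group_check`, the paths and the sample configuration are constructed, and the parser assumes a single file with one directive per line and no Include expansion.

```python
from collections import defaultdict

# Constructed sample configuration (illustrative; not taken from the report).
SAMPLE_CONF = """\
LuaAuthzProvider group_check /etc/httpd/lua/authz.lua authz_group
<Directory "/srv/www/staff">
    Require group_check staff
</Directory>
<Directory "/srv/www/admin">
    Require group_check admins
</Directory>
<Directory "/srv/www/public">
    Require all granted
</Directory>
"""

def find_reused_lua_providers(conf_text):
    """Map each Lua authz provider used with differing Require arguments
    to {context: [argument strings]}; an empty dict means no such reuse."""
    providers = set()
    uses = defaultdict(lambda: defaultdict(list))
    stack = []  # currently open container sections, outermost first
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line)
        else:
            parts = line.split()
            directive = parts[0].lower()  # directive names are case-insensitive
            if directive == "luaauthzprovider" and len(parts) >= 2:
                providers.add(parts[1])  # provider name, matched as written
            elif directive == "require" and len(parts) >= 2:
                i = 2 if parts[1].lower() == "not" and len(parts) > 2 else 1
                context = " > ".join(stack) or "(server config)"
                uses[parts[i]][context].append(" ".join(parts[i + 1:]))
    flagged = {}
    for name in providers:
        distinct = {a for args in uses[name].values() for a in args}
        if len(distinct) > 1:  # same provider, more than one argument set
            flagged[name] = {ctx: list(a) for ctx, a in uses[name].items()}
    return flagged

if __name__ == "__main__":
    for name, contexts in find_reused_lua_providers(SAMPLE_CONF).items():
        print(f"{name}: same Lua provider, different arguments: {contexts}")
```

A non-empty result on a server still running an unpatched apache package marks the configuration as one the advisory applies to.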
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.i586 is already installed

http://localhost/~wilcal/ works
http://192.168.1.88/~wilcal/ is accessible
awstats tracks traffic.

install apache & apache-mod_userdir from updates_testing
stop then restart httpd, reboot ( apache )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.i586 is already installed

http://localhost/~wilcal/ works
http://192.168.1.88/~wilcal/ is accessible
awstats tracks traffic.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.4.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
http://192.168.1.130/~wilcal/ is accessible
awstats tracks traffic.

install apache & apache-mod_userdir from updates_testing
stop then restart httpd, reboot ( apache )

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.x86_64 is already installed

http://localhost/~wilcal/ works
http://192.168.1.130/~wilcal/ is accessible
awstats tracks traffic.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Unless some other issues are found, or someone wants to do some additional testing, I will be validating this bug in 48 hours.
This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0011.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED