15428 – apache new security issue CVE-2015-0228

Bug 15428 - apache new security issue CVE-2015-0228

Summary: apache new security issue CVE-2015-0228

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/635487/
Whiteboard:	has_procedure advisory mga4-32-ok mga...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-03-04 20:22 CET by David Walser
Modified:	2015-03-06 19:09 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	apache-2.4.7-5.5.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-03-04 20:22:10 CET

OpenSuSE has issued an advisory today (March 4):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

This is yet another mod_lua issue, like our last update (Bug 14916).

Reproducible: 

Steps to Reproduce:

David Walser 2015-03-04 20:22:21 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-03-05 22:14:16 CET

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

In the mod_lua module in the Apache HTTP Server through 2.4.10, a maliciously
crafted websockets PING after a script calls r:wsupgrade() can cause a child
process crash (CVE-2015-0228).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.6.mga4
apache-mod_dav-2.4.7-5.6.mga4
apache-mod_ldap-2.4.7-5.6.mga4
apache-mod_session-2.4.7-5.6.mga4
apache-mod_cache-2.4.7-5.6.mga4
apache-mod_proxy-2.4.7-5.6.mga4
apache-mod_proxy_html-2.4.7-5.6.mga4
apache-mod_suexec-2.4.7-5.6.mga4
apache-mod_userdir-2.4.7-5.6.mga4
apache-mod_ssl-2.4.7-5.6.mga4
apache-mod_dbd-2.4.7-5.6.mga4
apache-htcacheclean-2.4.7-5.6.mga4
apache-devel-2.4.7-5.6.mga4
apache-doc-2.4.7-5.6.mga4

from apache-2.4.7-5.6.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 2 claire robinson 2015-03-06 15:43:28 CET

No PoC so just checking with various webapps.

Whiteboard: (none) => has_procedure

Comment 3 William Kenney 2015-03-06 16:11:06 CET

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.88/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.6.mga4.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.88/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-03-06 16:11:26 CET

Whiteboard: has_procedure => has_procedure MGA4-32-OK

William Kenney 2015-03-06 16:12:27 CET

Whiteboard: has_procedure MGA4-32-OK => has_procedure

Comment 4 William Kenney 2015-03-06 16:26:07 CET

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.5.mga4.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.130/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop and restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.7-5.6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.7-5.6.mga4.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.130/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 5 William Kenney 2015-03-06 16:26:23 CET

This looks good to me.

Comment 6 claire robinson 2015-03-06 17:19:46 CET

Adding the OK's, tested this also with phpmyadmin, wordpress etc

Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2015-03-06 17:49:10 CET

Validating. Advisory uploaded,

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-03-06 19:09:43 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0099.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.