Fedora has issued an advisory on April 17:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html

The upstream commit to fix it is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1114460

The patch Fedora used looks the same:
http://pkgs.fedoraproject.org/cgit/cherokee.git/plain/cherokee-1.2.103_CVE-2014-4668.patch?id=0a919b50cf5387f559abcad605851fcbb36da91a

Mageia 4 and Cauldron are affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on April 17:
> https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
>
> The upstream commit to fix it is linked in the RedHat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1114460
>
> The patch Fedora used looks the same:
> http://pkgs.fedoraproject.org/cgit/cherokee.git/plain/cherokee-1.2.103_CVE-2014-4668.patch?id=0a919b50cf5387f559abcad605851fcbb36da91a
>
> Mageia 4 and Cauldron are affected.
>
> Reproducible:
>
> Steps to Reproduce:

Fixed in the Cauldron svn in:

------------------------------------------------------------------------
r820572 | shlomif | 2015-04-23 17:00:55 +0300 (Thu, 23 Apr 2015) | 2 lines
Changed paths:
   A /cauldron/cherokee/current/SOURCES/cherokee-1.2.103_CVE-2014-4668.patch
   M /cauldron/cherokee/current/SPECS/cherokee.spec

- Fix MGA#15755 / CVE-2014-4668 .

I'll request a Freeze Push.
cherokee-1.2.103-7.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
(In reply to David Walser from comment #2)
> cherokee-1.2.103-7.mga5 uploaded for Cauldron.

Updated now in core/updates_testing of Mageia 4 too. Here is the advisory:

----------------------------------------

I have uploaded a patched/updated package for Mageia 4. You can test this by installing the cherokee packages and configuring it to serve HTTP content.

Suggested advisory:
========================

Updated cherokee packages fix security vulnerabilities:

Fedora issued an advisory regarding a new cherokee security issue (CVE-2014-4668):

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
http://www.cvedetails.com/cve/CVE-2014-4668/
========================

Updated packages in core/updates_testing:
========================
cherokee-1.2.103-2.1.mga5
cget-1.2.103-2.1.mga5
lib(64)cherokee-base0-1.2.103-2.1.mga5
lib(64)cherokee-client0-1.2.103-2.1.mga5
lib(64)cherokee-server0-1.2.103-2.1.mga5
cherokee-devel-1.2.103-2.1.mga5
cherokee-debuginfo-1.2.103-2.1.mga5

Source RPMs:
cherokee-1.2.103-2.1.mga5.src.rpm
Thanks Shlomi! Advisory and package list in Comment 3.
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/642029/
MGA4-32 on AcerD620. No installation issues.
Did following test:
As root on the CLI: cherokee-admin

Cherokee Web Server 1.2.103 (Oct 19 2013): Listening on port 127.0.0.1:9090, TLS disabled, IPv6 enabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread

Login:
  User:              admin
  One-time Password: LWslKwJfwbJt50yD

Web Interface:
  URL:               http://127.0.0.1:9090/

Using Firefox, went to localhost:9090, logged in with above user and password.
In Cherokee admin page: started server (make sure httpd is not running!), then changed Virtual server to have Document Root point to /var/www/html (this one has an index.html file on the machine from the apache installation). When saving, I chose the option to do a graceful restart of the server.
Now I could point Firefox on another PC on my network to <Acer D620>:80 and get the page "It works".
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK
MGA-4-64 on HP Probook 6555b KDE. No installation issues. Followed same procedure and results as per Comment 5.
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Thanks, Herman! Adding "has_procedure" in comment https://bugs.mageia.org/show_bug.cgi?id=15755#c5 .
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK has_procedure
Well done Herman. Removing OK's for now though as it appears the patch has been added but has not been applied. Advisory is uploaded but will need to be updated when the package has been rebuilt so not adding the 'advisory' marker at this stage.
Whiteboard: MGA4-32-OK MGA4-64-OK has_procedure => has_procedure
I will add a 'feedback' marker though :)
Whiteboard: has_procedure => has_procedure feedback
Fixed the patch application in SVN and asked for a freeze push.
*Actually* patched packages uploaded for Mageia 4 and Cauldron.

Shlomi: I noticed that this package owns /var/www/index.html, which I don't think it should. It should just require webserver-base, which normally owns this file. This can be fixed at a later time.

Advisory:
========================

Updated cherokee packages fix security vulnerability:

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password (CVE-2014-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4668
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
========================

Updated packages in core/updates_testing:
========================
cherokee-1.2.103-2.2.mga4
cget-1.2.103-2.2.mga4
libcherokee-base0-1.2.103-2.2.mga4
libcherokee-client0-1.2.103-2.2.mga4
libcherokee-server0-1.2.103-2.2.mga4
cherokee-devel-1.2.103-2.2.mga4

from cherokee-1.2.103-2.2.mga4.src.rpm
Whiteboard: has_procedure feedback => has_procedure
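The unauthenticated-bind problem named in the advisory above, as an added illustration that is not part of this bug report or of Cherokee's own code: a mock of RFC 4513 simple-bind semantics (a DN with an empty password returns success on the wire but proves no identity), with a validator of the vulnerable shape beside one that rejects the empty password before binding. The directory entry, password and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcome of a simulated LDAP simple bind (RFC 4513 section 5.1). */
typedef enum {
    BIND_FAIL = 0,          /* invalidCredentials */
    BIND_AUTHENTICATED,     /* DN + correct password: identity proven */
    BIND_UNAUTHENTICATED    /* DN + empty password: success on the wire,
                               but only anonymous authorization granted */
} bind_result_t;

/* Constructed directory for the example: one user with a known password. */
static const char *DIR_USER_DN = "uid=alice,ou=people,dc=example,dc=com";
static const char *DIR_USER_PW = "correct horse battery";

/* Server side of a simple bind, mocked with RFC 4513 semantics. A server
 * may be configured to refuse unauthenticated binds, but many accept them,
 * and a client that only asks "did the bind fail?" cannot tell the
 * difference between a proven password and an empty one. */
static bind_result_t mock_ldap_simple_bind(const char *dn, const char *pw)
{
    if (dn == NULL || *dn == '\0')
        return BIND_FAIL;            /* anonymous bind left out of this model */
    if (pw == NULL || *pw == '\0')
        return BIND_UNAUTHENTICATED; /* no password checked, yet not an error */
    if (strcmp(dn, DIR_USER_DN) == 0 && strcmp(pw, DIR_USER_PW) == 0)
        return BIND_AUTHENTICATED;
    return BIND_FAIL;
}

/* Vulnerable shape (the bug class behind CVE-2014-4668): any bind that is
 * not an outright failure is accepted as a login. */
bool validator_ldap_check_vulnerable(const char *dn, const char *pw)
{
    return mock_ldap_simple_bind(dn, pw) != BIND_FAIL;
}

/* Hardened shape: an empty password is rejected before the directory is
 * contacted, and only a bind that actually proved the password counts. */
bool validator_ldap_check_fixed(const char *dn, const char *pw)
{
    if (pw == NULL || *pw == '\0')
        return false;
    return mock_ldap_simple_bind(dn, pw) == BIND_AUTHENTICATED;
}
```

The same two checks (empty password rejected client-side, bind result compared against a proven-identity outcome rather than "not failed") are what a reviewer would look for in any LDAP validator, whatever server is behind it.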
Tests repeated as per Comment 5 and Comment 6. Same result, except I overlooked something then. First access from the remote machine to the webserver gives the general page 'It works' (that's the one from Apache), but refreshing the page then shows the Cherokee Test Page. httpd was not running (I stopped the service previous to installing cherokee) as cherokee refuses to start when apache is running. This happened exactly the same on the same remote machine when testing the x86-64 and the i586 machine one straight after the other. Looks OK to me.
Whiteboard: has_procedure => has_procedure MGA4-64-OK MGA-32-OK
Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Advisory updated. Validating. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0181.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED