Upstream has released version 2.4.16, fixing multiple security issues:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.16

Note that we already patched for CVE-2015-0228 earlier.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
CVE-2015-0253 was introduced in 2.4.11, therefore doesn't affect us.
URL: (none) => http://lwn.net/Vulnerabilities/651762/
Summary: apache new security issues CVE-2015-0253, CVE-2015-3183, and CVE-2015-3185 => apache new security issues CVE-2015-3183 and CVE-2015-3185
Debian located these two commits to fix these issues:
http://svn.apache.org/viewvc?view=revision&revision=1684515
http://svn.apache.org/viewvc?view=revision&revision=1684525

apache-2.4.10-17.mga6 uploaded for Cauldron. Updates for Mageia 4 and Mageia 5 are checked into SVN and will be built shortly.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Severity: normal => major
Patched packages uploaded for Mageia 4 and Mageia 5.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c (CVE-2015-3183).

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior (CVE-2015-3185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.7-5.7.mga4
apache-mod_dav-2.4.7-5.7.mga4
apache-mod_ldap-2.4.7-5.7.mga4
apache-mod_session-2.4.7-5.7.mga4
apache-mod_cache-2.4.7-5.7.mga4
apache-mod_proxy-2.4.7-5.7.mga4
apache-mod_proxy_html-2.4.7-5.7.mga4
apache-mod_suexec-2.4.7-5.7.mga4
apache-mod_userdir-2.4.7-5.7.mga4
apache-mod_ssl-2.4.7-5.7.mga4
apache-mod_dbd-2.4.7-5.7.mga4
apache-htcacheclean-2.4.7-5.7.mga4
apache-devel-2.4.7-5.7.mga4
apache-doc-2.4.7-5.7.mga4
apache-2.4.10-16.3.mga5
apache-mod_dav-2.4.10-16.3.mga5
apache-mod_ldap-2.4.10-16.3.mga5
apache-mod_session-2.4.10-16.3.mga5
apache-mod_cache-2.4.10-16.3.mga5
apache-mod_proxy-2.4.10-16.3.mga5
apache-mod_proxy_html-2.4.10-16.3.mga5
apache-mod_suexec-2.4.10-16.3.mga5
apache-mod_userdir-2.4.10-16.3.mga5
apache-mod_ssl-2.4.10-16.3.mga5
apache-mod_dbd-2.4.10-16.3.mga5
apache-htcacheclean-2.4.10-16.3.mga5
apache-devel-2.4.10-16.3.mga5
apache-doc-2.4.10-16.3.mga5

from SRPMS:
apache-2.4.7-5.7.mga4.src.rpm
apache-2.4.10-16.3.mga5.src.rpm
Assignee: bugsquad => qa-bugs
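Since nobody in this thread located a PoC for CVE-2015-3183, here is the offline check a tester could run to see what the advisory means by "does not properly parse chunk headers". It is an added example written for this page, not httpd code, not the upstream commits and not Mageia's patch: a chunk-size line parser that accepts only what RFC 7230 section 4.1 allows, next to a deliberately forgiving parser, and a chunked-body decoder driven by each. The lenient parser, the 16-hex-digit bound, the signed 64-bit size limit, the helper names and the request bodies are all constructed assumptions; the lenient one is a stand-in for "a parser that trims, accepts a sign and 0x, and wraps on overflow", not a copy of pre-2.4.14 behaviour.

```python
"""Strict vs. lenient parsing of HTTP/1.1 chunk-size lines.

Added illustration for CVE-2015-3183 style request smuggling (not httpd
code). parse_chunk_size_strict follows RFC 7230 section 4.1; the
lenient parser is a constructed, forgiving stand-in used only to show
how two parsers can disagree on where a body ends.
"""

HEXDIG = frozenset(b"0123456789abcdefABCDEF")
# tchar per RFC 7230 section 3.2.6
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyz"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")
BWS = frozenset(b" \t")
MAX_HEX_DIGITS = 16        # assumption: largest count that fits 64 bits
MAX_CHUNK_SIZE = 1 << 63   # assumption: keep within a signed 64-bit off_t


class ChunkHeaderError(ValueError):
    """Any chunk-size line a strict server must answer with 400."""


def _skip(line, i, allowed):
    while i < len(line) and line[i] in allowed:
        i += 1
    return i


def parse_chunk_size_strict(line):
    """Parse one chunk-size line (CRLF already removed).

    Returns (size, [(ext_name, ext_value_or_None), ...]). Rejects leading
    whitespace, signs, 0x prefixes, over-long sizes, non-token extension
    names and any other junk; values may be tokens or quoted-strings.
    """
    i = _skip(line, 0, HEXDIG)
    if i == 0:
        raise ChunkHeaderError("chunk-size must start with a hex digit")
    if i > MAX_HEX_DIGITS:
        raise ChunkHeaderError("chunk-size too long (overflow risk)")
    size = int(line[:i], 16)
    if size >= MAX_CHUNK_SIZE:
        raise ChunkHeaderError("chunk-size exceeds signed 64-bit range")
    exts = []
    while i < len(line):
        i = _skip(line, i, BWS)
        if i >= len(line) or line[i] != ord(";"):
            raise ChunkHeaderError("junk after chunk-size")
        i = _skip(line, i + 1, BWS)
        j = _skip(line, i, TCHAR)
        if j == i:
            raise ChunkHeaderError("empty chunk-ext-name")
        name, value = line[i:j], None
        i = _skip(line, j, BWS)
        if i < len(line) and line[i] == ord("="):
            i = _skip(line, i + 1, BWS)
            if i < len(line) and line[i] == ord('"'):
                j = i + 1                      # quoted-string with quoted-pair
                while j < len(line) and line[j] != ord('"'):
                    j += 2 if line[j] == ord("\\") else 1
                if j >= len(line):
                    raise ChunkHeaderError("unterminated quoted-string")
                value, i = line[i + 1:j], j + 1
            else:
                j = _skip(line, i, TCHAR)
                if j == i:
                    raise ChunkHeaderError("empty chunk-ext-val")
                value, i = line[i:j], j
        exts.append((name, value))
    return size, exts


def parse_chunk_size_lenient(line):
    """Constructed forgiving parser: trims, accepts a sign and 0x, stops
    at the first non-hex char like strtol, and wraps to 64 bits."""
    text = line.split(b";", 1)[0].strip().decode("latin-1")
    sign = -1 if text[:1] == "-" else 1
    text = text[1:] if text[:1] in "+-" else text
    text = text[2:] if text[:2].lower() == "0x" else text
    digits = ""
    for ch in text:
        if ch not in "0123456789abcdefABCDEF":
            break
        digits += ch
    return (sign * int(digits or "0", 16)) & 0xFFFFFFFFFFFFFFFF


def strict_rejects(line):
    try:
        parse_chunk_size_strict(line)
    except ChunkHeaderError:
        return True
    return False


def decode_chunked(body, parse_size):
    """Decode a chunked body; returns (payload, leftover), where leftover
    is what a server would read as the start of the *next* request."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkHeaderError("missing CRLF after chunk-size")
        size, pos = parse_size(body[pos:eol]), eol + 2
        if size == 0:                          # last-chunk, then trailer lines
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkHeaderError("missing end of trailer")
                trailer, pos = body[pos:eol], eol + 2
                if not trailer:
                    break
            return bytes(out), body[pos:]
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkHeaderError("truncated chunk or missing CRLF")
        out += chunk
        pos += size + 2


def decode_strict(body):
    return decode_chunked(body, lambda line: parse_chunk_size_strict(line)[0])


def decode_lenient(body):
    return decode_chunked(body, parse_chunk_size_lenient)


def disagreement(body):
    """(strict outcome, lenient outcome); an outcome is (payload, leftover)
    or the string 'reject'."""
    results = []
    for decode in (decode_strict, decode_lenient):
        try:
            results.append(decode(body))
        except ChunkHeaderError:
            results.append("reject")
    return tuple(results)


# Constructed bodies: a well-formed one, and one whose 17-digit chunk-size
# (2**64) the lenient parser wraps to 0, so it sees an empty body and hands
# the bytes after it to the next request on the connection.
NORMAL = b"5\r\nhello\r\n0\r\n\r\n"
SMUGGLED = b"10000000000000000\r\n\r\nGET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"

if __name__ == "__main__":
    for body in (NORMAL, SMUGGLED):
        print(disagreement(body))
```

The point of `disagreement` is the one that matters for smuggling: a real exploit needs a front-end and back-end pair that parse the same bytes differently, so a single fixed httpd is not enough evidence on its own; the proxy in front of it has to reject the same lines. The parser above is a test oracle, not a replacement for upstream's fix in 2.4.16.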
Updates well. Tested some webapps: phpmyadmin, awstats, ampache (I didn't go further than the installation page), zoneminder. Served a static web page: OK.
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK has_procedure
It might be worth looking for PoC information, which I haven't done, but a static page and CGI work fine for me on Mageia 4 i586.
Whiteboard: MGA4TOO MGA4-64-OK has_procedure => MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure => MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure advisory
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.mga5.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.143/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.3.mga5.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.143/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.mga5.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.143/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.10-16.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.10-16.3.mga5.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.143/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.28-1.mga4.x86_64
virtualbox-guest-additions-4.3.28-1.mga4.x86_64
For me this works fine. What say yee?
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK has_procedure advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK has_procedure advisory
It'd be nice if someone could do a quick check to see if there is any PoC or reproducing information on the CVEs. If there isn't, go ahead and validate it.
I don't think we have resources for checking the POC right now unfortunately given all the updates awaiting testing, so I'm validating it.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0281.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED