Apache HTTPD 2.4.25 has been announced on December 20: http://www.apache.org/dist/httpd/Announcement2.4.html The full changelog is here: http://www.apache.org/dist/httpd/CHANGES_2.4.25 CVE-2016-8740 does not affect Mageia 5, the others likely all do.
Whiteboard: (none) => MGA5TOO
Assigning to the registered apache maintainer
Keywords: (none) => TriagedCC: (none) => marja11Assignee: bugsquad => shlomif
CVE-2016-8740 had already been fixed in Cauldron, and CVE-2016-5387 had already been fixed in Mageia 5. Shlomi has updated Cauldron to 2.4.25.
Version: Cauldron => 5Summary: apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8740, CVE-2016-8743 => apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743Whiteboard: MGA5TOO => (none)
URL: (none) => https://lwn.net/Vulnerabilities/710214/
openSUSE has issued an advisory for this on March 31: https://lists.opensuse.org/opensuse-updates/2017-03/msg00117.html
Apache HTTPD 2.4.26 has been announced on June 19: http://www.apache.org/dist/httpd/Announcement2.4.html The full changelog is here: http://www.apache.org/dist/httpd/CHANGES_2.4.26 Details on security issues: http://httpd.apache.org/security/vulnerabilities_24.html This adds a few more issues affecting Mageia 5. CVE-2017-7659 and CVE-2017-7668 only affect Cauldron.
Whiteboard: (none) => MGA5TOOSummary: apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743 => apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679Version: 5 => Cauldron
Individual advisories including some patch links: http://openwall.com/lists/oss-security/2017/06/19/5 http://openwall.com/lists/oss-security/2017/06/19/10 http://openwall.com/lists/oss-security/2017/06/19/11 http://openwall.com/lists/oss-security/2017/06/19/12 http://openwall.com/lists/oss-security/2017/06/19/13
apache-2.4.26-1.mga6 uploaded for Cauldron by Shlomi. Thanks!
Whiteboard: MGA5TOO => (none)Version: Cauldron => 5
Debian has issued an advisory for this on June 22: https://www.debian.org/security/2017/dsa-3896
Apache 2.4.27 has been announced on July 11: http://www.apache.org/dist/httpd/Announcement2.4.html It fixes two new security issues: https://httpd.apache.org/security/vulnerabilities_24.html CVE-2017-9789 only affects Mageia 6; CVE-2017-9788 also affects Mageia 5.
Whiteboard: (none) => MGA6TOO, MGA5TOOVersion: 5 => CauldronSummary: apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679 => apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679, CVE-2017-978[89]
Fedora has issued an advisory for the latest issues today (July 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T5OCNPRR7PTGFKVGZGDQIFDT3R2ZLA2C/
apache-2.4.27-1.mga6 uploaded for Cauldron by Shlomi.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOVersion: Cauldron => 6
Debian has issued an advisory for CVE-2017-9788 on July 18: https://www.debian.org/security/2017/dsa-3913
pushed in updates_testing of mageia6 src.rpm: apache-2.4.27-1.mga6
CC: (none) => mageia
Depends on: (none) => 21500
Mageia 6 moved to Bug 21500.
Version: 6 => 5Summary: apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679, CVE-2017-978[89] => apache new security issues CVE-2016-0736, CVE-2016-2161, CVE-2016-8743, CVE-2017-316[79], CVE-2017-7679, CVE-2017-9788Whiteboard: MGA5TOO => (none)Source RPM: apache-2.4.23-5.mga6.src.rpm => apache-2.4.10-16.4.mga5.src.rpm
Despite the statement from upstream, Debian added a patch for CVE-2017-7668, so I've included that. Advisory: ======================== Updated apache packages fix security vulnerabilities: mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC (CVE-2016-0736). Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests (CVE-2016-2161). Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed (CVE-2017-3167). Vasileios Panopoulos of AdNovum Informatik AG discovered that mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to a denial of service (CVE-2017-3169). Javier Jimenez reported that the HTTP strict parsing contains a flaw leading to a buffer overread in ap_find_token(). A remote attacker can take advantage of this flaw by carefully crafting a sequence of request headers to cause a segmentation fault, or to force ap_find_token() to return an incorrect value (CVE-2017-7668). ChenQin and Hanno Boeck reported that mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header (CVE-2017-7679). Robert Swiecki reported that mod_auth_digest does not properly initialize or reset the value placeholder in [Proxy-]Authorization headers of type "Digest" between successive key=value assignments, leading to information disclosure or denial of service (CVE-2017-9788). Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed (CVE-2017-9798). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 https://www.debian.org/security/2017/dsa-3896 https://www.debian.org/security/2017/dsa-3913 https://usn.ubuntu.com/usn/usn-3425-1/ https://httpd.apache.org/security/vulnerabilities_24.html ======================== Updated packages in core/updates_testing: ======================== apache-2.4.10-16.7.mga5 apache-mod_dav-2.4.10-16.7.mga5 apache-mod_ldap-2.4.10-16.7.mga5 apache-mod_session-2.4.10-16.7.mga5 apache-mod_cache-2.4.10-16.7.mga5 apache-mod_proxy-2.4.10-16.7.mga5 apache-mod_proxy_html-2.4.10-16.7.mga5 apache-mod_suexec-2.4.10-16.7.mga5 apache-mod_userdir-2.4.10-16.7.mga5 apache-mod_ssl-2.4.10-16.7.mga5 apache-mod_dbd-2.4.10-16.7.mga5 apache-htcacheclean-2.4.10-16.7.mga5 apache-devel-2.4.10-16.7.mga5 apache-doc-2.4.10-16.7.mga5 from apache-2.4.10-16.7.mga5.src.rpm
Assignee: shlomif => qa-bugs
To prioritise.
CC: (none) => davidwhodginsKeywords: (none) => advisory
After installing all of the packages, found that the line #LoadModule request_module modules/mod_request.so in /etc/httpd/conf/modules.d/00_base.conf had to be uncommented to get httpd to start. Working ok after that. Checked, and this is not a regression. Validating the update.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0007.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED