Bug 21500 - apache new security issues CVE-2017-978[89]
Summary: apache new security issues CVE-2017-978[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710214/
Whiteboard: MGA6-32-OK MGA6-64-OK advisory
Keywords: Triaged, validated_update
Depends on:
Blocks: 20002
  Show dependency treegraph
 
Reported: 2017-08-11 14:17 CEST by David Walser
Modified: 2017-08-24 09:53 CEST (History)
4 users (show)

See Also:
Source RPM: apache-2.4.26-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-08-11 14:17:41 CEST
+++ This bug was initially created as a clone of Bug #20002 +++

Apache 2.4.27 has been announced on July 11:
http://www.apache.org/dist/httpd/Announcement2.4.html

It fixes two new security issues:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2017-9789 only affects Mageia 6; CVE-2017-9788 also affects Mageia 5.
Nicolas Lécureuil 2017-08-11 14:22:28 CEST

CC: (none) => mageia

Comment 1 David Walser 2017-08-11 14:22:43 CEST
Advisory:
========================

Updated apache packages fix security vulnerabilities:

In Apache httpd before 2.4.27, the value placeholder in [Proxy-]Authorization
headers of type 'Digest' was not initialized or reset before or between
successive key=value assignments by mod_auth_digest. Providing an initial key
with no '=' assignment could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage of potentially
confidential information, and a segfault in other cases resulting in denial of
service (CVE-2017-9788).

When under stress, closing many connections, the HTTP/2 handling code in Apache
httpd 2.4.26 would sometimes access memory after it has been freed, resulting
in potentially erratic behavior (CVE-2017-9789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.27-1.mga6
apache-mod_dav-2.4.27-1.mga6
apache-mod_ldap-2.4.27-1.mga6
apache-mod_session-2.4.27-1.mga6
apache-mod_cache-2.4.27-1.mga6
apache-mod_proxy-2.4.27-1.mga6
apache-mod_proxy_html-2.4.27-1.mga6
apache-mod_suexec-2.4.27-1.mga6
apache-mod_userdir-2.4.27-1.mga6
apache-mod_ssl-2.4.27-1.mga6
apache-mod_dbd-2.4.27-1.mga6
apache-mod_http2-2.4.27-1.mga6
apache-htcacheclean-2.4.27-1.mga6
apache-devel-2.4.27-1.mga6
apache-doc-2.4.27-1.mga6

from apache-2.4.27-1.mga6.src.rpm
Comment 2 William Kenney 2017-08-11 23:18:42 CEST
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.149/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.149/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

CC: (none) => wilcal.int

Comment 3 William Kenney 2017-08-11 23:33:49 CEST
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.144/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.144/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic
Comment 4 William Kenney 2017-08-23 20:52:39 CEST
I'm gonna validate this in 24-hours unless someone finds something.
William Kenney 2017-08-23 20:53:14 CEST

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

Lewis Smith 2017-08-24 09:10:39 CEST

Whiteboard: MGA6-32-OK MGA6-64-OK => MGA6-32-OK MGA6-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-08-24 09:53:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0298.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.