+++ This bug was initially created as a clone of Bug #20002 +++

Apache 2.4.27 has been announced on July 11:
http://www.apache.org/dist/httpd/Announcement2.4.html

It fixes two new security issues:
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2017-9789 only affects Mageia 6; CVE-2017-9788 also affects Mageia 5.
CC: (none) => mageia
Advisory:
========================

Updated apache packages fix security vulnerabilities:

In Apache httpd before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service (CVE-2017-9788).

When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behavior (CVE-2017-9789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.apache.org/dist/httpd/Announcement2.4.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.27-1.mga6
apache-mod_dav-2.4.27-1.mga6
apache-mod_ldap-2.4.27-1.mga6
apache-mod_session-2.4.27-1.mga6
apache-mod_cache-2.4.27-1.mga6
apache-mod_proxy-2.4.27-1.mga6
apache-mod_proxy_html-2.4.27-1.mga6
apache-mod_suexec-2.4.27-1.mga6
apache-mod_userdir-2.4.27-1.mga6
apache-mod_ssl-2.4.27-1.mga6
apache-mod_dbd-2.4.27-1.mga6
apache-mod_http2-2.4.27-1.mga6
apache-htcacheclean-2.4.27-1.mga6
apache-devel-2.4.27-1.mga6
apache-doc-2.4.27-1.mga6

from apache-2.4.27-1.mga6.src.rpm
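Added example, not part of the bug report and not Apache httpd source: a simplified C model of the pattern the CVE-2017-9788 text above describes, where a value placeholder that is not reset between key=value assignments hands a bare key the previous request's value. The names digest_get, scratch and leaks_across_requests are hypothetical, the shared scratch buffer stands in for reused pool memory, and the header strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#define VAL_MAX 64

/* Simplified model (assumption, not httpd code): walk "key=value, key=value"
 * pairs and copy the value of `want` into out. reset_value=0 models the
 * behaviour the advisory describes; reset_value=1 clears the placeholder
 * before every pair. */
static int digest_get(const char *hdr, const char *want, char *scratch,
                      int reset_value, char *out, size_t outlen)
{
    char key[VAL_MAX];
    const char *p = hdr;
    int found = 0;
    while (*p) {
        size_t k = 0, v = 0;
        while (*p == ' ' || *p == ',') p++;
        if (reset_value) scratch[0] = '\0';   /* hardened: no stale value */
        while (*p && *p != '=' && *p != ',' && *p != ' ' && k < VAL_MAX - 1)
            key[k++] = *p++;
        key[k] = '\0';
        if (*p == '=') {                      /* normal key=value pair */
            p++;
            while (*p && *p != ',' && v < VAL_MAX - 1) scratch[v++] = *p++;
            scratch[v] = '\0';
        }                                     /* bare key: scratch untouched */
        if (k && strcmp(key, want) == 0) {
            snprintf(out, outlen, "%s", scratch);
            found = 1;
        }
    }
    return found;
}

/* Constructed sample: two requests share one scratch buffer. Returns 1 if
 * the second request is handed the first request's value. */
static int leaks_across_requests(int reset_value)
{
    char scratch[VAL_MAX] = "", out[VAL_MAX] = "";
    digest_get("username=alice, response=c0ffee-constructed", "response",
               scratch, reset_value, out, sizeof out);
    digest_get("username", "username", scratch, reset_value, out, sizeof out);
    return strcmp(out, "c0ffee-constructed") == 0;
}

int main(void)
{
    printf("no reset: leak=%d\n", leaks_across_requests(0));
    printf("reset:    leak=%d\n", leaks_across_requests(1));
    return 0;
}
```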
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.149/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.149/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic
CC: (none) => wilcal.int
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.26-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.26-1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.144/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache & apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.144/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic
I'm gonna validate this in 24 hours unless someone finds something.
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Whiteboard: MGA6-32-OK MGA6-64-OK => MGA6-32-OK MGA6-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0298.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED