Bug 21741 - apache new security issue CVE-2017-9798
Summary: apache new security issue CVE-2017-9798
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-19 14:51 CEST by David Walser
Modified: 2018-01-01 11:39 CET (History)
8 users (show)

See Also:
Source RPM: apache-2.4.27-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-09-19 14:51:21 CEST
A security issue fixed upstream in Apache HTTPD has been announced:
http://openwall.com/lists/oss-security/2017/09/18/2

The message above contains a link to the commit/patch to fix the issue.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-19 14:51:32 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-09-19 22:16:23 CEST
Ubuntu has issued an advisory for this today (September 19):
https://usn.ubuntu.com/usn/usn-3425-1/
Comment 2 David Walser 2017-09-21 02:25:36 CEST
Patched packages uploaded by Shlomi.

Advisory:
========================

Updated apache packages fix security vulnerability:

Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit
directives in .htaccess files. In certain configurations, a remote attacker
could possibly use this issue to read arbitrary server memory, including
sensitive information. This issue is known as Optionsbleed (CVE-2017-9798).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
https://usn.ubuntu.com/usn/usn-3425-1/
========================

Updated packages in core/updates_testing:
========================
apache-2.4.10-16.6.mga5
apache-mod_dav-2.4.10-16.6.mga5
apache-mod_ldap-2.4.10-16.6.mga5
apache-mod_session-2.4.10-16.6.mga5
apache-mod_cache-2.4.10-16.6.mga5
apache-mod_proxy-2.4.10-16.6.mga5
apache-mod_proxy_html-2.4.10-16.6.mga5
apache-mod_suexec-2.4.10-16.6.mga5
apache-mod_userdir-2.4.10-16.6.mga5
apache-mod_ssl-2.4.10-16.6.mga5
apache-mod_dbd-2.4.10-16.6.mga5
apache-htcacheclean-2.4.10-16.6.mga5
apache-devel-2.4.10-16.6.mga5
apache-doc-2.4.10-16.6.mga5
apache-2.4.27-1.1.mga6
apache-mod_dav-2.4.27-1.1.mga6
apache-mod_ldap-2.4.27-1.1.mga6
apache-mod_session-2.4.27-1.1.mga6
apache-mod_cache-2.4.27-1.1.mga6
apache-mod_proxy-2.4.27-1.1.mga6
apache-mod_proxy_html-2.4.27-1.1.mga6
apache-mod_suexec-2.4.27-1.1.mga6
apache-mod_userdir-2.4.27-1.1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-mod_dbd-2.4.27-1.1.mga6
apache-mod_http2-2.4.27-1.1.mga6
apache-htcacheclean-2.4.27-1.1.mga6
apache-devel-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6

from SRPMS:
apache-2.4.10-16.6.mga5.src.rpm
apache-2.4.27-1.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 PC LX 2017-09-21 13:51:52 CEST
Installed and tested without issues.

Tested on several sites and scripts, with and without ssl.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.10-16.6.mga5
apache-mod_php-5.6.31-1.mga5
apache-mod_ssl-2.4.10-16.6.mga5

CC: (none) => mageia

Comment 4 Len Lawrence 2017-09-21 17:09:09 CEST
Testing on mga6 for x86_64

Installed updates:
- apache-2.4.27-1.1.mga6.x86_64
- apache-devel-2.4.27-1.1.mga6.x86_64
- apache-doc-2.4.27-1.1.mga6.noarch
- apache-htcacheclean-2.4.27-1.1.mga6.x86_64
- apache-mod_cache-2.4.27-1.1.mga6.x86_64
- apache-mod_dav-2.4.27-1.1.mga6.x86_64
- apache-mod_dbd-2.4.27-1.1.mga6.x86_64
- apache-mod_http2-2.4.27-1.1.mga6.x86_64
- apache-mod_ldap-2.4.27-1.1.mga6.x86_64
- apache-mod_perl-2.0.10-1.mga6.x86_64
- apache-mod_proxy-2.4.27-1.1.mga6.x86_64
- apache-mod_proxy_html-2.4.27-1.1.mga6.x86_64
- apache-mod_session-2.4.27-1.1.mga6.x86_64
- apache-mod_ssl-2.4.27-1.1.mga6.x86_64
- apache-mod_suexec-2.4.27-1.1.mga6.x86_64
- apache-mod_userdir-2.4.27-1.1.mga6.x86_64

$ rpm -qa | grep apache
apache-mod_perl-2.0.10-1.mga6
apache-mod_proxy-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6
apache-mod_ldap-2.4.27-1.1.mga6
apache-mod_php-5.6.31-1.mga6
apache-htcacheclean-2.4.27-1.1.mga6
apache-2.4.27-1.1.mga6
apache-mod_dbd-2.4.27-1.1.mga6
apache-commons-logging-1.2-7.mga6
apache-mod_cache-2.4.27-1.1.mga6
apache-mod_userdir-2.4.27-1.1.mga6
apache-mod_http2-2.4.27-1.1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-devel-2.4.27-1.1.mga6
apache-mod_proxy_html-2.4.27-1.1.mga6
apache-mod_session-2.4.27-1.1.mga6
apache-mod_suexec-2.4.27-1.1.mga6
apache-mod_dav-2.4.27-1.1.mga6

Cannot start httpd.service.
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-09-21 15:54:56 BST; 22s ago
  Process: 23910 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 23910 (code=exited, status=1/FAILURE)

Sep 21 15:54:56 vega systemd[1]: Starting The Apache HTTP Server...
Sep 21 15:54:56 vega httpd[23910]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf/modules.d/01_mod_dbd.conf: Cannot load modules/mod_session_dbd.so into server: /etc/httpd/modules/mod_session_dbd.so: undefi
Sep 21 15:54:56 vega systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 21 15:54:56 vega systemd[1]: Failed to start The Apache HTTP Server.
Sep 21 15:54:56 vega systemd[1]: httpd.service: Unit entered failed state.
Sep 21 15:54:56 vega systemd[1]: httpd.service: Failed with result 'exit-code'.

Following error trail ---
/etc/httpd/conf/httpd.conf : line 54
Include conf/modules.d/*.conf
/etc/httpd/conf/01_mod_dbd.conf : line 5
LoadModule session_dbd_module modules/mod_session_dbd.so
mod_session_dbd.so : undefined symbol ap_hook_session_save

Some kind of problem related to the stopping of apache before the update?
Shall try this on another machine without stopping apache - just restarting it.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-09-21 17:27:42 CEST
Following on from comment 4 -
Failed again.  Definitely something to do with apache-mod_session.
Installed from Updates Testing:

- apache-2.4.27-1.1.mga6.x86_64
- apache-doc-2.4.27-1.1.mga6.noarch
- apache-mod_perl-2.0.10-1.mga6.x86_64
- apache-mod_ssl-2.4.27-1.1.mga6.x86_64

$ rpm -qa | grep apache
apache-mod_php-5.6.31-1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6
apache-2.4.27-1.1.mga6
apache-mod_perl-2.0.10-1.mga6
apache-commons-logging-1.2-7.mga6

$ sudo systemctl restart httpd.service
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset
   Active: active (running) since Thu 2017-09-21 16:15:18 BST; 1min 4s ago

Continued by installing the other modules:
apache-mod_dav
apache-mod_ldap
apache-mod_session
      1/2: apr-util-openssl      #############################################
      2/2: apache-mod_session    #############################################
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset
   Active: failed (Result: exit-code) since Thu 2017-09-21 16:23:19 BST; 21s ago
  Process: 22800 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, s
 Main PID: 22800 (code=exited, status=1/FAILURE)
Comment 6 Len Lawrence 2017-09-21 17:47:29 CEST
Installed the updates on mga5.1 for x86_64 but left out apache-mod_session.
No problem restarting apache.
Len Lawrence 2017-09-21 17:48:54 CEST

Whiteboard: MGA5TOO => MGA5TOO feedback

Comment 7 Herman Viaene 2017-09-22 11:28:04 CEST
Got failure as well when trying this.
/var/log/httpd/error.log seems to point to missing rpm.
Quote:
[Fri Sep 22 11:12:00.656744 2017] [ssl:warn] [pid 7173] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 22 11:12:00.656987 2017] [suexec:notice] [pid 7173] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 22 11:12:00.657010 2017] [auth_form:crit] [pid 7173] AH02618: You must load mod_request to enable the mod_auth_form functions
AH00016: Configuration Failed

On https://httpd.apache.org/docs/trunk/mod/mod_request.html I find this should be a module, but I cann't find it at all in MCC.

CC: (none) => herman.viaene

Comment 8 Thomas Backlund 2017-09-22 11:34:10 CEST
urpmf is your friend:

]$ urpmf mod_request
apache-devel:/usr/include/httpd/mod_request.h
apache-doc:/usr/share/httpd/manual/mod/mod_request.html
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.en
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.fr
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.tr.utf8
apache:/usr/lib64/httpd/modules/mod_request.so


so it's part of base apache package.

and since it points out mod_request must be loaded, you need to change:

/etc/httpd/conf/modules.d/00_base.conf

There is a line with:
#LoadModule request_module modules/mod_request.so

remove the "#" at the beginning and restart apache

CC: (none) => tmb

Comment 9 Len Lawrence 2017-09-22 12:37:20 CEST
Just checked that here and confirmed that it was commented out.
I had not seen Herman's problem, possibly because the missing symbol in mod_session preempted it.

Checked another machine where apache is running and found mod_request commented out in 00_base.conf.  Removed the # and restarted httpd.  Could not see it using lsmod but there is a module sr_mod loaded.
Comment 10 Herman Viaene 2017-09-22 14:52:31 CEST
Asus A6000VM Xfce
No installation issues.
After updating /etc/httpd/conf/modules.d/00_base.conf as Thomas suggested:
at CLI:
# systemctl start httpd
no feedback
# systemctl -l status httpd
â httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since vr 2017-09-22 14:46:36 CEST; 9s ago
 Main PID: 5909 (/usr/sbin/httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ââ5909 /usr/sbin/httpd -DFOREGROUND
           ââ5947 /usr/sbin/httpd -DFOREGROUND
           ââ5948 /usr/sbin/httpd -DFOREGROUND
           ââ5949 /usr/sbin/httpd -DFOREGROUND
           ââ5950 /usr/sbin/httpd -DFOREGROUND
           ââ5951 /usr/sbin/httpd -DFOREGROUND

sep 22 14:45:52 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.780709 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:53 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.781724 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:53 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.781746 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:54 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:54.832614 2017] [core:warn] [pid 5909] AH00114: Useless use of AllowOverride in line 9 of /etc/httpd/conf/sites.d/rt.conf.

Now, I haven't done that many updates yet on apache, but I cannot remember ever one that breaks a perfectly OK running httpd.
Comment 11 Herman Viaene 2017-09-23 10:54:16 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Stopped running httpd before updating
After update at CLI:
# systemctl start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since za 2017-09-23 10:36:46 CEST; 4min 49s ago
  Process: 7861 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 7861 (code=exited, status=1/FAILURE)

sep 23 10:36:45 mach6.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
sep 23 10:36:46 mach6.hviaene.thuis httpd[7861]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: Failed to start The Apache HTTP Server.
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Unit entered failed state.
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Failed with result 'exit-code'.
Full line of syntax error:
httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf/modules.d/01_mod_dbd.conf: Cannot load modules/mod_session_dbd.so into server: /etc/httpd/modules/mod_session_dbd.so: undefined symbol: ap_hook_session_save
Comment 13 Shlomi Fish 2017-09-23 16:00:35 CEST
(In reply to David Walser from comment #12)
> Shlomi, it sounds like we have a bad patch.  Maybe you could compare our
> patch to other distros?
> 
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/R4JEOCEFPTVRSQESLYQKPEEKR3XN7LBV/
> https://www.debian.org/security/2017/dsa-3980
> https://usn.ubuntu.com/usn/usn-3425-1/
> https://lists.opensuse.org/opensuse-updates/2017-09/msg00095.html
> http://openwall.com/lists/oss-security/2017/09/23/2

Hi!

Sorry - I cannot do it due to my condition.
David Walser 2017-09-23 16:03:50 CEST

CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs

Comment 14 Thomas Backlund 2017-10-07 23:17:41 CEST
The patch is ok, it does not touch any session related stuff...

For those hitting this issue, is apache-mod_session installed ?
Comment 15 David Walser 2017-10-10 15:48:11 CEST
There's a more complete fix in 2.4.28.  More info about this issue from upstream:
https://www.mail-archive.com/dev@httpd.apache.org/msg69489.html
Comment 16 David Walser 2017-10-24 11:53:51 CEST
Apache 2.4.29 has been released, fixing this issue:
https://httpd.apache.org/security/vulnerabilities_24.html
Comment 17 David Walser 2017-12-28 05:19:45 CET
Mageia 5 moved to Bug 20002.

People that said there was a problem with this update need to respond to Thomas's question in Comment 14.

Assignee: pkg-bugs => qa-bugs
CC: qa-bugs => (none)
Whiteboard: MGA5TOO feedback => (none)

Comment 18 William Kenney 2017-12-28 18:43:16 CET
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.73/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.1.mga6.i586 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.73/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

CC: (none) => wilcal.int

Comment 19 William Kenney 2017-12-31 17:31:23 CET
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.89/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing

stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.1.mga6.x86_64 is already installed

http://localhost/~wilcal/  ( works )
192.168.1.89/~wilcal/  ( local LAN IP works )
awstats tracks httpd traffic
William Kenney 2017-12-31 17:32:35 CET

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-01-01 08:26:40 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 20 Mageia Robot 2018-01-01 11:39:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0009.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.