A security issue fixed upstream in Apache HTTPD has been announced:
http://openwall.com/lists/oss-security/2017/09/18/2

The message above contains a link to the commit/patch to fix the issue.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Ubuntu has issued an advisory for this today (September 19): https://usn.ubuntu.com/usn/usn-3425-1/
Patched packages uploaded by Shlomi.

Advisory:
========================

Updated apache packages fix security vulnerability:

Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed (CVE-2017-9798).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
https://usn.ubuntu.com/usn/usn-3425-1/
========================

Updated packages in core/updates_testing:
========================
apache-2.4.10-16.6.mga5
apache-mod_dav-2.4.10-16.6.mga5
apache-mod_ldap-2.4.10-16.6.mga5
apache-mod_session-2.4.10-16.6.mga5
apache-mod_cache-2.4.10-16.6.mga5
apache-mod_proxy-2.4.10-16.6.mga5
apache-mod_proxy_html-2.4.10-16.6.mga5
apache-mod_suexec-2.4.10-16.6.mga5
apache-mod_userdir-2.4.10-16.6.mga5
apache-mod_ssl-2.4.10-16.6.mga5
apache-mod_dbd-2.4.10-16.6.mga5
apache-htcacheclean-2.4.10-16.6.mga5
apache-devel-2.4.10-16.6.mga5
apache-doc-2.4.10-16.6.mga5
apache-2.4.27-1.1.mga6
apache-mod_dav-2.4.27-1.1.mga6
apache-mod_ldap-2.4.27-1.1.mga6
apache-mod_session-2.4.27-1.1.mga6
apache-mod_cache-2.4.27-1.1.mga6
apache-mod_proxy-2.4.27-1.1.mga6
apache-mod_proxy_html-2.4.27-1.1.mga6
apache-mod_suexec-2.4.27-1.1.mga6
apache-mod_userdir-2.4.27-1.1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-mod_dbd-2.4.27-1.1.mga6
apache-mod_http2-2.4.27-1.1.mga6
apache-htcacheclean-2.4.27-1.1.mga6
apache-devel-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6

from SRPMS:
apache-2.4.10-16.6.mga5.src.rpm
apache-2.4.27-1.1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
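As an added example, not part of the bug report or the Mageia advisory: the advisory above concerns how httpd handled Limit directives in .htaccess files, and the upstream report for CVE-2017-9798 is specifically about Limit blocks naming a method the server has not registered. The script below gives an administrator an inventory of every <Limit>/<LimitExcept> block in .htaccess files under a document root and flags method names outside the set httpd core and mod_dav register themselves, which is the configuration worth reviewing on a host that has not yet received the patched packages. The document root built by make_sample_docroot and its two .htaccess files are constructed sample data; the method list is a heuristic, since other modules may register further methods.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia advisory): inventory
# of <Limit>/<LimitExcept> directives in .htaccess files under a docroot,
# the configuration the Optionsbleed (CVE-2017-9798) advisory is about.
# make_sample_docroot builds constructed sample data for a dry run.

# Method names registered by httpd core and mod_dav. The upstream report
# concerns Limit blocks naming a method the server has not registered, so
# anything outside this list deserves a second look (heuristic: modules may
# register further methods).
KNOWN_METHODS="GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN UPDATE LABEL REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE"

# limit_blocks ROOT: print "file<TAB>METHOD ..." for every <Limit> or
# <LimitExcept> opening tag in .htaccess files below ROOT, in stable order.
limit_blocks() {
    find "$1" -type f -name .htaccess | sort | while read -r f; do
        grep -Eo '<[Ll]imit([Ee]xcept)?[[:space:]]+[^>]+>' "$f" |
            sed -E 's/^<[Ll]imit([Ee]xcept)?[[:space:]]+//; s/[[:space:]]*>$//' |
            while read -r methods; do
                printf '%s\t%s\n' "$f" "$methods"
            done
    done
}

# unknown_methods ROOT: the subset of limit_blocks whose method is not in
# KNOWN_METHODS, one "file<TAB>METHOD" line per hit.
unknown_methods() {
    tab=$(printf '\t')
    limit_blocks "$1" | while IFS=$tab read -r f methods; do
        for m in $methods; do
            case " $KNOWN_METHODS " in
                *" $m "*) ;;
                *) printf '%s\t%s\n' "$f" "$m" ;;
            esac
        done
    done
}

# make_sample_docroot: constructed docroot with two .htaccess files; the
# method FOO in private/.htaccess is deliberately not one httpd registers.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir "$d/private"
    cat > "$d/.htaccess" <<'EOF'
<Limit GET POST>
    Require all granted
</Limit>
EOF
    cat > "$d/private/.htaccess" <<'EOF'
<LimitExcept GET>
    Require valid-user
</LimitExcept>
<Limit FOO>
    Require all denied
</Limit>
EOF
    echo "$d"
}

# Stand-alone use: ./limit_inventory.sh /var/www/html
if [ $# -gt 0 ]; then
    echo "Limit blocks in .htaccess files under $1:"
    limit_blocks "$1"
    echo "Methods httpd does not register by itself:"
    unknown_methods "$1"
fi
```

The inventory does not replace the update: the fix is the patched apache package, and the script only tells you where Limit blocks live so the review can be prioritised and the odd method names can be explained or removed.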
Installed and tested without issues. Tested on several sites and scripts, with and without ssl.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep apache | sort
apache-2.4.10-16.6.mga5
apache-mod_php-5.6.31-1.mga5
apache-mod_ssl-2.4.10-16.6.mga5
CC: (none) => mageia
Testing on mga6 for x86_64

Installed updates:
- apache-2.4.27-1.1.mga6.x86_64
- apache-devel-2.4.27-1.1.mga6.x86_64
- apache-doc-2.4.27-1.1.mga6.noarch
- apache-htcacheclean-2.4.27-1.1.mga6.x86_64
- apache-mod_cache-2.4.27-1.1.mga6.x86_64
- apache-mod_dav-2.4.27-1.1.mga6.x86_64
- apache-mod_dbd-2.4.27-1.1.mga6.x86_64
- apache-mod_http2-2.4.27-1.1.mga6.x86_64
- apache-mod_ldap-2.4.27-1.1.mga6.x86_64
- apache-mod_perl-2.0.10-1.mga6.x86_64
- apache-mod_proxy-2.4.27-1.1.mga6.x86_64
- apache-mod_proxy_html-2.4.27-1.1.mga6.x86_64
- apache-mod_session-2.4.27-1.1.mga6.x86_64
- apache-mod_ssl-2.4.27-1.1.mga6.x86_64
- apache-mod_suexec-2.4.27-1.1.mga6.x86_64
- apache-mod_userdir-2.4.27-1.1.mga6.x86_64

$ rpm -qa | grep apache
apache-mod_perl-2.0.10-1.mga6
apache-mod_proxy-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6
apache-mod_ldap-2.4.27-1.1.mga6
apache-mod_php-5.6.31-1.mga6
apache-htcacheclean-2.4.27-1.1.mga6
apache-2.4.27-1.1.mga6
apache-mod_dbd-2.4.27-1.1.mga6
apache-commons-logging-1.2-7.mga6
apache-mod_cache-2.4.27-1.1.mga6
apache-mod_userdir-2.4.27-1.1.mga6
apache-mod_http2-2.4.27-1.1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-devel-2.4.27-1.1.mga6
apache-mod_proxy_html-2.4.27-1.1.mga6
apache-mod_session-2.4.27-1.1.mga6
apache-mod_suexec-2.4.27-1.1.mga6
apache-mod_dav-2.4.27-1.1.mga6

Cannot start httpd.service.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-09-21 15:54:56 BST; 22s ago
  Process: 23910 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 23910 (code=exited, status=1/FAILURE)

Sep 21 15:54:56 vega systemd[1]: Starting The Apache HTTP Server...
Sep 21 15:54:56 vega httpd[23910]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf/modules.d/01_mod_dbd.conf: Cannot load modules/mod_session_dbd.so into server: /etc/httpd/modules/mod_session_dbd.so: undefi
Sep 21 15:54:56 vega systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 21 15:54:56 vega systemd[1]: Failed to start The Apache HTTP Server.
Sep 21 15:54:56 vega systemd[1]: httpd.service: Unit entered failed state.
Sep 21 15:54:56 vega systemd[1]: httpd.service: Failed with result 'exit-code'.

Following error trail
---
/etc/httpd/conf/httpd.conf : line 54
Include conf/modules.d/*.conf

/etc/httpd/conf/01_mod_dbd.conf : line 5
LoadModule session_dbd_module modules/mod_session_dbd.so

mod_session_dbd.so : undefined symbol ap_hook_session_save

Some kind of problem related to the stopping of apache before the update? Shall try this on another machine without stopping apache - just restarting it.
CC: (none) => tarazed25
Following on from comment 4 - Failed again. Definitely something to do with apache-mod_session.

Installed from Updates Testing:
- apache-2.4.27-1.1.mga6.x86_64
- apache-doc-2.4.27-1.1.mga6.noarch
- apache-mod_perl-2.0.10-1.mga6.x86_64
- apache-mod_ssl-2.4.27-1.1.mga6.x86_64

$ rpm -qa | grep apache
apache-mod_php-5.6.31-1.mga6
apache-mod_ssl-2.4.27-1.1.mga6
apache-doc-2.4.27-1.1.mga6
apache-2.4.27-1.1.mga6
apache-mod_perl-2.0.10-1.mga6
apache-commons-logging-1.2-7.mga6

$ sudo systemctl restart httpd.service
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset
   Active: active (running) since Thu 2017-09-21 16:15:18 BST; 1min 4s ago

Continued by installing the other modules: apache-mod_dav apache-mod_ldap apache-mod_session

      1/2: apr-util-openssl           #############################################
      2/2: apache-mod_session         #############################################
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset
   Active: failed (Result: exit-code) since Thu 2017-09-21 16:23:19 BST; 21s ago
  Process: 22800 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, s
 Main PID: 22800 (code=exited, status=1/FAILURE)
Installed the updates on mga5.1 for x86_64 but left out apache-mod_session. No problem restarting apache.
Whiteboard: MGA5TOO => MGA5TOO feedback
Got failure as well when trying this. /var/log/httpd/error.log seems to point to missing rpm. Quote:

[Fri Sep 22 11:12:00.656744 2017] [ssl:warn] [pid 7173] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 22 11:12:00.656987 2017] [suexec:notice] [pid 7173] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 22 11:12:00.657010 2017] [auth_form:crit] [pid 7173] AH02618: You must load mod_request to enable the mod_auth_form functions
AH00016: Configuration Failed

On https://httpd.apache.org/docs/trunk/mod/mod_request.html I find this should be a module, but I can't find it at all in MCC.
CC: (none) => herman.viaene
urpmf is your friend:

$ urpmf mod_request
apache-devel:/usr/include/httpd/mod_request.h
apache-doc:/usr/share/httpd/manual/mod/mod_request.html
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.en
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.fr
apache-doc:/usr/share/httpd/manual/mod/mod_request.html.tr.utf8
apache:/usr/lib64/httpd/modules/mod_request.so

So it's part of the base apache package. And since it points out mod_request must be loaded, you need to change:
/etc/httpd/conf/modules.d/00_base.conf

There is a line with:
#LoadModule request_module modules/mod_request.so

Remove the "#" at the beginning and restart apache.
CC: (none) => tmb
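As an added example, not part of the bug report or the Mageia apache package: the AH02618 failure quoted in comment 7 and the fix given in comment 8 (uncomment the request_module line in 00_base.conf) can be checked and applied with a short script before httpd is restarted, which is more predictable than discovering the dependency from a failed unit. The script below looks for auth_form_module loaded while request_module is still commented out, reports it, and can apply the one-line fix; the modules.d directory it builds via make_sample_dir is constructed sample data, while on a Mageia system the real directory is /etc/httpd/conf/modules.d.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia apache package):
# detects the failure seen in this thread, auth_form_module loaded while
# request_module is still commented out (httpd then fails with AH02618),
# and applies the fix from comment 8. make_sample_dir builds constructed
# sample data; the real directory is /etc/httpd/conf/modules.d.

# module_loaded DIR MODULE: succeed if an uncommented LoadModule line for
# MODULE exists in any *.conf file under DIR.
module_loaded() {
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"/*.conf
}

# check_mod_request DIR: succeed if the dependency is satisfied; fail and
# say what to change if mod_auth_form is enabled without mod_request.
check_mod_request() {
    dir=$1
    if module_loaded "$dir" auth_form_module && ! module_loaded "$dir" request_module; then
        echo "auth_form_module is loaded but request_module is not; httpd would fail with AH02618." >&2
        echo "Uncomment 'LoadModule request_module modules/mod_request.so' in $dir/00_base.conf" >&2
        return 1
    fi
    echo "mod_request dependency OK in $dir"
    return 0
}

# enable_mod_request DIR: uncomment the request_module line in 00_base.conf
# (written via a temp file so it also works where sed -i is unavailable).
enable_mod_request() {
    f=$1/00_base.conf
    sed 's|^#[[:space:]]*\(LoadModule[[:space:]][[:space:]]*request_module[[:space:]]\)|\1|' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# make_sample_dir: throwaway modules.d reproducing the broken state
# (constructed sample; the commented line matches the one quoted in comment 8).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/00_base.conf" <<'EOF'
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule request_module modules/mod_request.so
LoadModule dir_module modules/mod_dir.so
EOF
    echo "$d"
}

# Stand-alone use: ./check_mod_request.sh /etc/httpd/conf/modules.d
if [ $# -gt 0 ]; then
    check_mod_request "$1"
fi
```

Running check_mod_request against the live directory before "systemctl restart httpd" turns the post-update surprise in comments 7 and 10 into a pre-flight message; enable_mod_request is kept separate so the operator decides whether to edit a file that the package owns.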
Just checked that here and confirmed that it was commented out. I had not seen Herman's problem, possibly because the missing symbol in mod_session preempted it. Checked another machine where apache is running and found mod_request commented out in 00_base.conf. Removed the # and restarted httpd. Could not see it using lsmod but there is a module sr_mod loaded.
Asus A6000VM Xfce
No installation issues.
After updating /etc/httpd/conf/modules.d/00_base.conf as Thomas suggested:
at CLI:
# systemctl start httpd
no feedback
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since vr 2017-09-22 14:46:36 CEST; 9s ago
 Main PID: 5909 (/usr/sbin/httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─5909 /usr/sbin/httpd -DFOREGROUND
           ├─5947 /usr/sbin/httpd -DFOREGROUND
           ├─5948 /usr/sbin/httpd -DFOREGROUND
           ├─5949 /usr/sbin/httpd -DFOREGROUND
           ├─5950 /usr/sbin/httpd -DFOREGROUND
           └─5951 /usr/sbin/httpd -DFOREGROUND

sep 22 14:45:52 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.780709 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:53 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.781724 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:53 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:52.781746 2017] [so:warn] [pid 5909] AH01574: module dbd_module is already loaded, skipping
sep 22 14:45:54 mach6.hviaene.thuis httpd[5909]: [Fri Sep 22 14:45:54.832614 2017] [core:warn] [pid 5909] AH00114: Useless use of AllowOverride in line 9 of /etc/httpd/conf/sites.d/rt.conf.

Now, I haven't done that many updates yet on apache, but I cannot remember ever one that breaks a perfectly OK running httpd.
MGA6-32 on Asus A6000VM MATE
No installation issues.
Stopped running httpd before updating.
After update at CLI:
# systemctl start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since za 2017-09-23 10:36:46 CEST; 4min 49s ago
  Process: 7861 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 7861 (code=exited, status=1/FAILURE)

sep 23 10:36:45 mach6.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
sep 23 10:36:46 mach6.hviaene.thuis httpd[7861]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: Failed to start The Apache HTTP Server.
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Unit entered failed state.
sep 23 10:36:46 mach6.hviaene.thuis systemd[1]: httpd.service: Failed with result 'exit-code'.

Full line of syntax error:
httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf/modules.d/01_mod_dbd.conf: Cannot load modules/mod_session_dbd.so into server: /etc/httpd/modules/mod_session_dbd.so: undefined symbol: ap_hook_session_save
Shlomi, it sounds like we have a bad patch. Maybe you could compare our patch to other distros?

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R4JEOCEFPTVRSQESLYQKPEEKR3XN7LBV/
https://www.debian.org/security/2017/dsa-3980
https://usn.ubuntu.com/usn/usn-3425-1/
https://lists.opensuse.org/opensuse-updates/2017-09/msg00095.html
http://openwall.com/lists/oss-security/2017/09/23/2
(In reply to David Walser from comment #12)
> Shlomi, it sounds like we have a bad patch. Maybe you could compare our
> patch to other distros?
>
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R4JEOCEFPTVRSQESLYQKPEEKR3XN7LBV/
> https://www.debian.org/security/2017/dsa-3980
> https://usn.ubuntu.com/usn/usn-3425-1/
> https://lists.opensuse.org/opensuse-updates/2017-09/msg00095.html
> http://openwall.com/lists/oss-security/2017/09/23/2

Hi! Sorry - I cannot do it due to my condition.
CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs
The patch is OK, it does not touch any session-related stuff... For those hitting this issue, is apache-mod_session installed?
There's a more complete fix in 2.4.28. More info about this issue from upstream: https://www.mail-archive.com/dev@httpd.apache.org/msg69489.html
Apache 2.4.29 has been released, fixing this issue: https://httpd.apache.org/security/vulnerabilities_24.html
Mageia 5 moved to Bug 20002. People that said there was a problem with this update need to respond to Thomas's question in Comment 14.
Assignee: pkg-bugs => qa-bugs
CC: qa-bugs => (none)
Whiteboard: MGA5TOO feedback => (none)
In VirtualBox, M6, Mate, 32-bit

Package(s) under test: apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.73/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.1.mga6.i586 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.73/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic
CC: (none) => wilcal.int
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.89/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic

install apache apache-mod_userdir from updates_testing
stop then restart httpd

[root@localhost wilcal]# urpmi apache
Package apache-2.4.27-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.27-1.1.mga6.x86_64 is already installed

http://localhost/~wilcal/ ( works )
192.168.1.89/~wilcal/ ( local LAN IP works )
awstats tracks httpd traffic
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0009.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED