Bug 24226 - apache new security issue CVE-2018-17189 and CVE-2018-17199
Summary: apache new security issue CVE-2018-17189 and CVE-2018-17199
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-23 03:08 CET by David Walser
Modified: 2019-03-14 22:41 CET
9 users

See Also:
Source RPM: apache-2.4.37-4.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-01-23 03:08:59 CET
Apache has issued advisories today (January 22):
https://www.openwall.com/lists/oss-security/2019/01/22/2
https://www.openwall.com/lists/oss-security/2019/01/22/3

These issues are fixed upstream in 2.4.38:
http://www.apache.org/dist/httpd/CHANGES_2.4.38

Mageia 6 is also affected.
David Walser 2019-01-23 03:09:06 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marc Krämer 2019-01-25 01:15:18 CET
this should be assigned to shlomif by default.

CC: (none) => mageia

Comment 2 Marja Van Waes 2019-01-25 19:56:15 CET
(In reply to Marc Krämer from comment #1)
> this should be assigned to shlomif by default.

Indeed, he's the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 3 David Walser 2019-02-02 22:53:41 CET
Advisory:
========================

Updated apache packages fix security vulnerabilities:

By sending request bodies in a slow loris way to plain resources, the h2 stream
for that request unnecessarily occupied a server thread cleaning up that
incoming data. This affects only HTTP/2 (mod_http2) connections in Apache HTTP
Server versions 2.4.37 and prior (CVE-2018-17189).

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
session expiry time before decoding the session. This causes session expiry
time to be ignored for mod_session_cookie sessions since the expiry time is
loaded when the session is decoded (CVE-2018-17199).

The apache package has been updated to version 2.4.38, fixing these issues and
several other bugs.  See the upstream CHANGES files for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
http://www.apache.org/dist/httpd/CHANGES_2.4.38
https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.38-1.mga6
apache-mod_dav-2.4.38-1.mga6
apache-mod_ldap-2.4.38-1.mga6
apache-mod_session-2.4.38-1.mga6
apache-mod_cache-2.4.38-1.mga6
apache-mod_proxy-2.4.38-1.mga6
apache-mod_proxy_html-2.4.38-1.mga6
apache-mod_suexec-2.4.38-1.mga6
apache-mod_userdir-2.4.38-1.mga6
apache-mod_ssl-2.4.38-1.mga6
apache-mod_dbd-2.4.38-1.mga6
apache-mod_http2-2.4.38-1.mga6
apache-htcacheclean-2.4.38-1.mga6
apache-devel-2.4.38-1.mga6
apache-doc-2.4.38-1.mga6

from apache-2.4.38-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
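
The mod_session ordering problem described in the advisory above, modelled as an added example (not code from the bug report or from httpd itself): a constructed `Session` record whose `expiry` field is only filled in when the cookie is decoded, so a check that runs before decoding always sees 0 ("no expiry"). The identity encoding (key=value pairs), the `expiry` key name and second-granularity timestamps are simplifications assumed here; real mod_session_cookie may additionally sign or encrypt the value.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode

EXPIRY_KEY = "expiry"  # assumption: expiry travels inside the encoded session blob


@dataclass
class Session:
    """Constructed stand-in for the mod_session session record."""
    encoded: str                       # raw cookie value as received from the client
    entries: dict = field(default_factory=dict)
    expiry: int = 0                    # 0 means "no expiry"; only decode_session() fills this


def encode_session(entries, expiry=0):
    """Build the cookie value a server would have issued (identity encoding, no crypto)."""
    data = dict(entries)
    if expiry:
        data[EXPIRY_KEY] = str(int(expiry))
    return urlencode(data)


def decode_session(z):
    """Parse the cookie: in the cookie backend this is the only step that learns the expiry."""
    data = dict(parse_qsl(z.encoded, keep_blank_values=True))
    z.expiry = int(data.pop(EXPIRY_KEY, "0"))
    z.entries = data
    return z


def load_session_vulnerable(cookie, now):
    """2.4.37 ordering: the expiry test runs before decode, so it always sees expiry == 0."""
    z = Session(cookie)
    if z.expiry and z.expiry < now:    # never true for cookie sessions: not decoded yet
        return None
    return decode_session(z).entries   # stale session handed back to the request


def load_session_fixed(cookie, now):
    """2.4.38 ordering: decode first, then reject a session whose expiry has passed."""
    z = decode_session(Session(cookie))
    if z.expiry and z.expiry < now:
        return None
    return z.entries


if __name__ == "__main__":
    now = 1_700_000_000                          # constructed clock value (seconds)
    stale = encode_session({"user": "alice"}, expiry=now - 3600)
    print(load_session_vulnerable(stale, now))   # {'user': 'alice'}: expired session accepted
    print(load_session_fixed(stale, now))        # None: expired session rejected
```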

Comment 4 PC LX 2019-02-03 13:52:45 CET
Installed and tested without issue.

Tested only a few modules of the available modules so will not mark as OK and wait for more tests.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.38-1.mga6
apache-mod_php-7.2.14-1.mga6
apache-mod_ssl-2.4.38-1.mga6

CC: (none) => mageia

Comment 5 Herman Viaene 2019-02-05 11:00:20 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
This laptop had a working previous version of http, used a.o. to test phpmyadmin.
Now at CLI before the update:
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

After the update
# systemctl  start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

Both status and journal show anything but 
 httpd.service: Unit entered failed state.
 httpd.service: Failed with result 'exit-code'.
Checked /var/log/httpd, log files are empty
and
# journalctl -b | grep http
httpd.service: Main process exited, code=exited, status=1/FAILURE
httpd.service: Unit entered failed state.
httpd.service: Failed with result 'exit-code'.

CC: (none) => herman.viaene

Comment 6 Herman Viaene 2019-02-05 11:19:34 CET
Removed the whole apache bunch, and installed just the apache package alone, and at CLI:
# systemctl  start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: active (running) since di 2019-02-05 11:04:34 CET; 3s ago
 Main PID: 20832 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─20832 /usr/sbin/httpd -DFOREGROUND
           ├─20834 /usr/sbin/httpd -DFOREGROUND
           ├─20835 /usr/sbin/httpd -DFOREGROUND
           ├─20836 /usr/sbin/httpd -DFOREGROUND
           ├─20837 /usr/sbin/httpd -DFOREGROUND
           └─20838 /usr/sbin/httpd -DFOREGROUND

feb 05 11:04:33 mach6.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
feb 05 11:04:34 mach6.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
Seems OK, now

# systemctl  stop httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since di 2019-02-05 11:04:57 CET; 3min 57s ago
  Process: 20832 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=0/SUCCESS)
 Main PID: 20832 (code=exited, status=0/SUCCESS)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"

feb 05 11:04:33 mach6.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
feb 05 11:04:34 mach6.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
feb 05 11:04:56 mach6.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server...
feb 05 11:04:57 mach6.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server.

Looks OK
Now install the apache-mod packages and
# systemctl  start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

I noticed during selecting the packages that one of them draws in nghttp and that is advertized as "experimental http client and server", so I am suspecting this is causing the problem. I'm not sure whether I'll be able to go thru all mod packages individually today. Wait, come back and see.
Comment 7 Herman Viaene 2019-02-05 11:41:07 CET
Removed all apache again and started adding packages one by one at CLI with urpmi, starting with apache: each time checking whether httpd would start properly and stop it again before adding the next one.
So
apache: OK
apache-mod_dav: OK
apache-mod_ldap: draws in apr-util-dbd-ldap-1.5.4-8.mga6, then OK
apache-mod_session: draws in apr-util-openssl-1.5.4-8.mga6, but then
# systemctl  start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
Never seen that before.
Comment 8 Mauricio Andrés Bustamante Viveros 2019-02-05 15:40:48 CET
This behaviour was detected in another bug report.
Try to continue installing mods and end with the failed

Maybe another mod ordering issue.

CC: (none) => neoser10

Comment 9 Herman Viaene 2019-02-06 10:08:59 CET
Started from scratch again, installing packages each individually in the sequence as listed in Comment 3, but skipping apache-mod_session.
All goes well till 
# urpmi apache-mod_dbd


installeren van apache-mod_dbd-2.4.38-1.mga6.i586.rpm vanaf /mnt/updaterpm/i586
Voorbereiden...                  ####################################################################
      1/1: apache-mod_dbd        ####################################################################
# systemctl  start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
Comment 10 Marc Krämer 2019-02-06 23:31:37 CET
@Herman: "mod_dbd manages SQL database connections using apr_dbd". I assume this module needs more configuration to start. It is quite the same for SSL connections in apache, if the certificate does not match, the server won't start.

Most of our modules are automatically enabled on install, for my servers I've changed this behaviour like debian does. After installing they need manual enabling, because a missing configuration could stop a running apache instance.

For mod_session my apache tells me (/var/log/httpd/error_log): "AH02618: You must load mod_request to enable the mod_auth_form functions"

In /etc/apache2/conf/modules.d/00_base.conf this module is disabled by default.
After enabling, apache is able to start, even with mod_session.
Comment 11 Herman Viaene 2019-02-07 10:28:29 CET
@Marc
While I accept that with fiddling with some configuration settings, one could successfully install this update, I have not experienced an update to apache before which needed this kind of intervention, certainly not on a - as far as apache is concerned - blank installation.
From what I read from you I even suspect installing this update could even blow an existing working but very basic apache out of the water.
Comment 12 Marc Krämer 2019-02-07 11:07:02 CET
I've experimented with 2.4.37 (latest in mga6) not the testing version. So at least for mod-session this is already true.
Comment 13 William Kenney 2019-03-05 01:43:15 CET
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.37-1.2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.37-1.2.mga6.i586 is already installed

Vbox client webpage can be accessed locally with http://localhost/~wilcal/
and from a browser on the LAN @ http://192.168.0.46/~wilcal/

installing apache-mod_dav, apache-mod_ldap, apache-mod_session & apache-mod_dbd

The following 13 packages are going to be installed:

- apache-mod_dav-2.4.37-1.2.mga6.i586
- apache-mod_dbd-2.4.37-1.2.mga6.i586
- apache-mod_ldap-2.4.37-1.2.mga6.i586
- apache-mod_session-2.4.37-1.2.mga6.i586
- apr-util-dbd-freetds-1.5.4-8.mga6.i586
- apr-util-dbd-ldap-1.5.4-8.mga6.i586
- apr-util-dbd-mysql-1.5.4-8.mga6.i586
- apr-util-dbd-odbc-1.5.4-8.mga6.i586
- apr-util-dbd-pgsql-1.5.4-8.mga6.i586
- apr-util-dbd-sqlite3-1.5.4-8.mga6.i586
- apr-util-openssl-1.5.4-8.mga6.i586
- libfreetds0-0.95.87-1.mga6.i586
- libpq5-9.6.10-3.mga6.i586

Rebooting system and httpd no longer works nor can it be manually started.

CC: (none) => wilcal.int

Comment 14 William Kenney 2019-03-05 01:43:32 CET
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.37-1.2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.37-1.2.mga6.i586 is already installed

Vbox client webpage can be accessed locally with http://localhost/~wilcal/
and from a browser on the LAN @ http://192.168.0.46/~wilcal/

installing apache & apache-mod_userdir from updates_testing

The following 3 packages are going to be installed:

- apache-2.4.38-1.mga6.i586
- apache-mod_userdir-2.4.38-1.mga6.i586
- meta-task-6-3.3.mga6.noarch

reboot Vbox client

[root@localhost wilcal]# urpmi apache
Package apache-2.4.38-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.38-1.mga6.i586 is already installed

Vbox client webpage can be accessed locally with http://localhost/~wilcal/
and from a browser on the LAN @ http://192.168.0.46/~wilcal/
Comment 15 William Kenney 2019-03-05 01:43:46 CET
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
apache apache-mod_userdir

default install of apache & apache-mod_userdir

[root@localhost wilcal]# urpmi apache
Package apache-2.4.37-1.2.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.37-1.2.mga6.x86_64 is already installed

Vbox client webpage can be accessed locally with http://localhost/~wilcal/
and from a browser on the LAN @ http://192.168.0.47/~wilcal/

installing apache & apache-mod_userdir from updates_testing

reboot Vbox client

[root@localhost wilcal]# urpmi apache
Package apache-2.4.38-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_userdir
Package apache-mod_userdir-2.4.38-1.mga6.x86_64 is already installed

Vbox client webpage can be accessed locally with http://localhost/~wilcal/
and from a browser on the LAN @ http://192.168.0.47/~wilcal/
Comment 16 Brian Rockwell 2019-03-07 21:48:26 CET
# uname -a
Linux localhost 4.14.100-desktop-1.mga6 #1 SMP Fri Feb 15 08:58:09 UTC 2019 i686 i686 i686 GNU/Linux


The following 3 packages are going to be installed:

- apache-2.4.38-1.mga6.i586
- apache-doc-2.4.38-1.mga6.noarch
- apache-mod_ssl-2.4.38-1.mga6.i586

-- after reboot

# httpd -v
Server version: Apache/2.4.38 (Unix)
Server built:   Feb  2 2019 20:04:20


I was able to verify the web-server is still running and serving pages

CC: (none) => brtians1

Brian Rockwell 2019-03-11 03:17:11 CET

Whiteboard: (none) => MGA6-32-OK

Dave Hodgins 2019-03-14 20:34:08 CET

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 17 Mageia Robot 2019-03-14 22:41:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0109.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

