Bug 25638 - libapreq2 new security issue CVE-2019-12412
Summary: libapreq2 new security issue CVE-2019-12412
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
: 27624 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-10-31 04:34 CET by David Walser
Modified: 2020-11-19 09:37 CET (History)
6 users (show)

See Also:
Source RPM: libapreq2-2.130.0-28.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-10-31 04:34:43 CET 
Debian has issued an advisory on October 4:
https://www.debian.org/security/2019/dsa-4541

Mageia 7 is also affected.
David Walser 2019-10-31 04:35:05 CET

Whiteboard: (none) => MGA7TOO
Summary: libapreq2 new security issue => libapreq2 new security issue CVE-2019-12412

Comment 1 David GEIGER 2019-10-31 06:53:37 CET 
Done!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2019-10-31 09:37:27 CET 
This package has no maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2019-10-31 13:04:36 CET 
Advisory:
========================

Updated libapreq2 packages fix security vulnerability:

Max Kellermann reported a NULL pointer dereference flaw in libapreq2, allowing
a remote attacker to cause a denial of service against an application using the
library (application crash) if an invalid nested "multipart" body is processed
(CVE-2019-12412).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12412
https://www.debian.org/security/2019/dsa-4541
========================

Updated packages in core/updates_testing:
========================
libapreq2_3-2.130.0-28.1.mga7
libapreq-devel-2.130.0-28.1.mga7
perl-libapreq2-2.130.0-28.1.mga7
apache-mod_apreq-2.130.0-28.1.mga7

from libapreq-2.130.0-28.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 Herman Viaene 2019-11-02 14:03:49 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Tried to find anything that uses these packages, the only thing I found was mason. Found a  tutorial for that, but this seems real developer stuff. Not in my league.
I will agree on OK'ing on a clean install.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2019-11-09 07:49:37 CET 
@Hermam, comment 4
Had a look at this and have to agree, it would take a month of Sundays to get to grips with mason or autodia.  A clean install was all that could be achieved here.  Adding the OK for you.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2019-11-14 01:43:59 CET 
Going with that, then. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-14 16:41:18 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-11-14 18:34:29 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0327.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 Nicolas Salguero 2020-11-19 09:37:46 CET 
*** Bug 27624 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.