Bug 25638 - libapreq2 new security issue CVE-2019-12412
Summary: libapreq2 new security issue CVE-2019-12412
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2019-10-31 04:34 CET by David Walser
Modified: 2019-11-14 01:43 CET

See Also:
Source RPM: libapreq2-2.130.0-28.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2019-10-31 04:34:43 CET
Debian has issued an advisory on October 4:
https://www.debian.org/security/2019/dsa-4541

Mageia 7 is also affected.
David Walser 2019-10-31 04:35:05 CET

Summary: libapreq2 new security issue => libapreq2 new security issue CVE-2019-12412
Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2019-10-31 06:53:37 CET
Done!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2019-10-31 09:37:27 CET
This package has no maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2019-10-31 13:04:36 CET
Advisory:
========================

Updated libapreq2 packages fix security vulnerability:

Max Kellermann reported a NULL pointer dereference flaw in libapreq2, allowing
a remote attacker to cause a denial of service against an application using the
library (application crash) if an invalid nested "multipart" body is processed
(CVE-2019-12412).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12412
https://www.debian.org/security/2019/dsa-4541
========================

Updated packages in core/updates_testing:
========================
libapreq2_3-2.130.0-28.1.mga7
libapreq-devel-2.130.0-28.1.mga7
perl-libapreq2-2.130.0-28.1.mga7
apache-mod_apreq-2.130.0-28.1.mga7

from libapreq-2.130.0-28.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 4 Herman Viaene 2019-11-02 14:03:49 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Tried to find anything that uses these packages, the only thing I found was mason. Found a tutorial for that, but this seems real developer stuff. Not in my league.
I will agree on OK'ing on a clean install.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2019-11-09 07:49:37 CET
@Herman, comment 4
Had a look at this and have to agree, it would take a month of Sundays to get to grips with mason or autodia. A clean install was all that could be achieved here. Adding the OK for you.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2019-11-14 01:43:59 CET
Going with that, then. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
