Bug 26418 - apache new security issues CVE-2020-1927 and CVE-2020-1934
Summary: apache new security issues CVE-2020-1927 and CVE-2020-1934
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-02 03:10 CEST by David Walser
Modified: 2020-04-23 20:49 CEST

See Also:
Source RPM: apache-2.4.41-4.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-04-02 03:10:48 CEST
Apache has issued advisories today (April 1):
https://www.openwall.com/lists/oss-security/2020/04/01/4
https://www.openwall.com/lists/oss-security/2020/04/01/5

The issues are fixed upstream in 2.4.42:
https://httpd.apache.org/security/vulnerabilities_24.html

Mageia 7 is also affected.
David Walser 2020-04-02 03:11:08 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.4.42

Comment 1 David Walser 2020-04-02 03:13:54 CEST
The fixes are actually in 2.4.43:
https://downloads.apache.org/httpd/CHANGES_2.4.43

Status comment: Fixed upstream in 2.4.42 => Fixed upstream in 2.4.43

Comment 2 Lewis Smith 2020-04-02 11:06:45 CEST
Assigning to Shlomi as registered maintainer, CC Thomas as recent committer.

CC: (none) => tmb
Assignee: bugsquad => shlomif

Comment 3 David Walser 2020-04-02 21:05:22 CEST
apache-2.4.43-1.mga8 uploaded for Cauldron by Shlomi.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 Shlomi Fish 2020-04-04 18:49:53 CEST
(In reply to David Walser from comment #3)
> apache-2.4.43-1.mga8 uploaded for Cauldron by Shlomi.

I've now submitted apache-2.4.43 for mga7/updates-testing too, let's see how it goes:

http://pkgsubmit.mageia.org/ .
Comment 5 David Walser 2020-04-04 20:50:27 CEST
Advisory:
========================

Updated apache packages fix security vulnerabilities:

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite
that were intended to be self-referential might be fooled by encoded newlines
and redirect instead to an unexpected URL within the request URL
(CVE-2020-1927).

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized
memory when proxying to a malicious FTP server (CVE-2020-1934).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
http://www.apache.org/dist/httpd/CHANGES_2.4.43
https://httpd.apache.org/security/vulnerabilities_24.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.43-1.mga7
apache-mod_dav-2.4.43-1.mga7
apache-mod_ldap-2.4.43-1.mga7
apache-mod_session-2.4.43-1.mga7
apache-mod_cache-2.4.43-1.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_proxy_html-2.4.43-1.mga7
apache-mod_suexec-2.4.43-1.mga7
apache-mod_userdir-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
apache-mod_dbd-2.4.43-1.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_brotli-2.4.43-1.mga7
apache-htcacheclean-2.4.43-1.mga7
apache-devel-2.4.43-1.mga7
apache-doc-2.4.43-1.mga7

from apache-2.4.43-1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Status comment: Fixed upstream in 2.4.43 => (none)
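
A log check for the CVE-2020-1927 condition described in the advisory above, as an added example that is not part of the bug report or of Apache's own code: it flags access-log entries where a request URL carrying an encoded CR or LF was answered with a redirect. It assumes the Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Prefix of the Apache common/combined log format (assumed):
# host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)

REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def has_encoded_newline(target):
    """True if the percent-decoded request target contains CR or LF."""
    decoded = unquote(target)
    return "\r" in decoded or "\n" in decoded


def suspicious_redirects(lines):
    """Return (host, time, target, status) for redirects issued to newline-bearing URLs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format; skip rather than guess
        if m["status"] in REDIRECT_STATUSES and has_encoded_newline(m["target"]):
            hits.append((m["host"], m["time"], m["target"], m["status"]))
    return hits


# Constructed sample log lines (not taken from the bug report).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2020:12:13:01 +0100] "GET /docs HTTP/1.1" 301 231 "-" "curl/7.66.0"',
    '192.0.2.44 - - [07/Apr/2020:12:14:09 +0100] "GET /docs%0Afoo HTTP/1.1" 302 240 "-" "-"',
    '192.0.2.44 - - [07/Apr/2020:12:14:30 +0100] "GET /a%0Ab HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.45 - - [07/Apr/2020:12:15:02 +0100] "GET /x%0D%0Ay HTTP/1.1" 301 200 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print(hit)
```

A hit is only a lead: it shows that a redirect was served for such a URL, not where the redirect pointed, since the default log formats do not record the Location header.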

Comment 6 PC LX 2020-04-07 14:33:51 CEST
Installed and tested without issues.

Tests revealed no regressions.

System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 19:06:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.16-1.mga7
apache-mod_ssl-2.4.43-1.mga7
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-04-07 12:12:52 WEST; 39s ago
 Main PID: 9552 (httpd)
   Status: "Total requests: 2; Idle/Busy workers 100/0;Requests/sec: 0.0513; Bytes served/sec: 2.4KB/sec"
   Memory: 33.3M
   CGroup: /system.slice/httpd.service
           ├─9552 /usr/sbin/httpd -DFOREGROUND
           ├─9553 /usr/sbin/httpd -DFOREGROUND
           ├─9554 /usr/sbin/httpd -DFOREGROUND
           ├─9555 /usr/sbin/httpd -DFOREGROUND
           ├─9556 /usr/sbin/httpd -DFOREGROUND
           ├─9557 /usr/sbin/httpd -DFOREGROUND
           └─9562 /usr/sbin/httpd -DFOREGROUND

abr 07 12:12:52 marte systemd[1]: Starting The Apache HTTP Server...
abr 07 12:12:52 marte systemd[1]: Started The Apache HTTP Server.

CC: (none) => mageia

Comment 7 Herman Viaene 2020-04-07 14:46:47 CEST
MGA7-64 Plasma on lenovo B50
No installation issues
At CLI:
# systemctl start httpd
# systemctl status -l httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-04-07 14:34:29 CEST; 17s ago
 Main PID: 21581 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
   Memory: 32.3M
   CGroup: /system.slice/httpd.service
           ├─21581 /usr/sbin/httpd -DFOREGROUND
           ├─21583 /usr/sbin/httpd -DFOREGROUND
           ├─21584 /usr/sbin/httpd -DFOREGROUND
           ├─21589 /usr/sbin/httpd -DFOREGROUND
           ├─21594 /usr/sbin/httpd -DFOREGROUND
           ├─21599 /usr/sbin/httpd -DFOREGROUND
           └─21604 /usr/sbin/httpd -DFOREGROUND

Apr 07 14:34:29 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Apr 07 14:34:29 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
Pointed browser to localhost: It works!

[root@mach5 ~]# systemctl start mysqld
And then exercised apache by running phpmyadmin: all OK.

CC: (none) => herman.viaene

Comment 8 PC LX 2020-04-13 15:02:43 CEST
Two OK tests for x86_64 and two weeks of usage without issues so I'm OKing this to push it forward. Feel free to unOK it if you think it's appropriate.

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-04-13 23:16:50 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-15 10:58:04 CEST

Keywords: (none) => advisory

Comment 10 Mageia Robot 2020-04-15 12:13:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0166.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 David Walser 2020-04-23 20:49:00 CEST
This update also fixed CVE-2020-1938:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006719.html
