Bug 27058 - apache new security issues CVE-2020-9490, CVE-2020-11984, CVE-2020-11993
Summary: apache new security issues CVE-2020-9490, CVE-2020-11984, CVE-2020-11993
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
: 27063 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-08-07 18:47 CEST by David Walser
Modified: 2020-08-21 20:58 CEST (History)
6 users (show)

See Also:
Source RPM: apache-2.4.43-2.mga8.src.rpm
CVE:
Status comment:


Attachments

David Walser 2020-08-07 18:48:14 CEST

Status comment: (none) => Fixed upstream in 2.4.46
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-08-07 22:32:26 CEST
*** Bug 27063 has been marked as a duplicate of this bug. ***

CC: (none) => smelror

Comment 2 David Walser 2020-08-08 00:32:07 CEST
Shlomi uploaded apache-2.4.46-1.mga8 for Cauldron.

Assignee: bugsquad => shlomif
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Shlomi Fish 2020-08-08 10:06:37 CEST
(In reply to David Walser from comment #2)
> Shlomi uploaded apache-2.4.46-1.mga8 for Cauldron.

OK, just note that kekePower and David/Luigi helped as well.
Comment 4 Shlomi Fish 2020-08-11 17:06:19 CEST
I've now pushed apache2.4.46 to http://pkgsubmit.mageia.org/ / mga7 updates-testing - let's see if it builds.
Comment 5 David Walser 2020-08-11 17:14:42 CEST
Advisory:
========================

Updated apache packages fix security vulnerabilities:

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the
'Cache-Digest' header in a HTTP/2 request would result in a crash when the
server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the
HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched
servers (CVE-2020-9490).

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and
possible remote code execution (CVE-2020-11984).

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for
the HTTP/2 module and on certain traffic edge patterns, logging statements were
made on the wrong connection, causing concurrent use of memory pools.
Configuring the LogLevel of mod_http2 above "info" will mitigate this
vulnerability for unpatched servers (CVE-2020-11993).

The apache package has been updated to version 2.4.46, fixing these issues and
other bugs.  See the upstream CHANGES file for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.44
https://downloads.apache.org/httpd/CHANGES_2.4.46
========================

Updated packages in core/updates_testing:
========================
apache-2.4.46-1.mga7
apache-mod_dav-2.4.46-1.mga7
apache-mod_ldap-2.4.46-1.mga7
apache-mod_session-2.4.46-1.mga7
apache-mod_cache-2.4.46-1.mga7
apache-mod_proxy-2.4.46-1.mga7
apache-mod_proxy_html-2.4.46-1.mga7
apache-mod_suexec-2.4.46-1.mga7
apache-mod_userdir-2.4.46-1.mga7
apache-mod_ssl-2.4.46-1.mga7
apache-mod_dbd-2.4.46-1.mga7
apache-mod_http2-2.4.46-1.mga7
apache-mod_brotli-2.4.46-1.mga7
apache-htcacheclean-2.4.46-1.mga7
apache-devel-2.4.46-1.mga7
apache-doc-2.4.46-1.mga7

from apache-2.4.46-1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Status comment: Fixed upstream in 2.4.46 => (none)

Comment 6 Shlomi Fish 2020-08-11 17:27:47 CEST
Thanks, David (Walser)!

Just a note that the updated apache 2.4.46 packages were built successfully for mga 7 / updates-testing: http://pkgsubmit.mageia.org/ .
Comment 7 PC LX 2020-08-12 11:48:04 CEST
Installed and tested without issues.

Tested:
- HTTP 1.1.
- HTTP 2.
- HTTP 1.1 upgrade to HTTP 2.
- HTTPS with SNI.
- SSL test using https://www.ssllabs.com/ssltest/.
- PHP through FPM.
- systemd socket activation.
- multiple sites resolution by IP and Host name.
- multiple large PHP scripts.
- mod_rewrite.
- mod_security.
- custom logs.
- server status.

All is working as expected. No regressions noticed.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.7.14-desktop-1.mga7 #1 SMP Fri Aug 7 14:45:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep apache | sort
apache-2.4.46-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.46-1.mga7
apache-mod_php-7.3.19-2.mga7
apache-mod_proxy-2.4.46-1.mga7
apache-mod_ssl-2.4.46-1.mga7
$ systemctl status httpd.socket httpd.service 
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 09:49:25 WEST; 39min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4697)
   Memory: 92.0K
   CGroup: /system.slice/httpd.socket

ago 12 09:49:25 marte systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 10:28:24 WEST; 58s ago
 Main PID: 6395 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 66 (limit: 4697)
   Memory: 29.5M
   CGroup: /system.slice/httpd.service
           ├─6395 /usr/sbin/httpd -DFOREGROUND
           ├─6397 /usr/sbin/httpd -DFOREGROUND
           └─6398 /usr/sbin/httpd -DFOREGROUND

ago 12 10:28:24 marte systemd[1]: Starting The Apache HTTP Server...
ago 12 10:28:24 marte systemd[1]: Started The Apache HTTP Server.
$ systemctl status php-fpm.socket php-fpm.service 
● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2020-08-12 10:07:11 WEST; 23min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

ago 12 09:49:25 marte systemd[1]: Listening on php-fpm Server Socket.
ago 12 10:07:11 marte systemd[1]: php-fpm.socket: Succeeded.
ago 12 10:07:11 marte systemd[1]: Closed php-fpm Server Socket.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 10:07:11 WEST; 23min ago
 Main PID: 3868 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 86, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4697)
   Memory: 56.5M
   CGroup: /system.slice/php-fpm.service
           ├─3868 php-fpm: master process (/etc/php-fpm.conf)
           ├─3870 php-fpm: pool www
           └─4446 php-fpm: pool www

ago 12 10:07:11 marte systemd[1]: Starting The PHP FastCGI Process Manager...
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] fpm is running, pid 3868
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] ready to handle connections
ago 12 10:07:11 marte systemd[1]: Started The PHP FastCGI Process Manager.
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] systemd monitor interval set to 10000ms

CC: (none) => mageia

Comment 8 Herman Viaene 2020-08-14 11:56:51 CEST
MGA7-64 On Lenovo B50
No installation issues
ref bug 26418 for testing
After installation:
]# systemctl start httpd
[root@mach5 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 11:43:34 CEST; 18s ago
 Main PID: 2911 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 26 (limit: 4915)
   Memory: 23.4M
   CGroup: /system.slice/httpd.service
           ├─2911 /usr/sbin/httpd -DFOREGROUND
           ├─2914 /usr/sbin/httpd -DFOREGROUND
           ├─2916 /usr/sbin/httpd -DFOREGROUND
           ├─2920 /usr/sbin/httpd -DFOREGROUND
           ├─2929 /usr/sbin/httpd -DFOREGROUND
           └─2931 /usr/sbin/httpd -DFOREGROUND

Aug 14 11:43:34 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Aug 14 11:43:34 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
point browser to localhost: "It works!"

# systemctl start mysqld
[root@mach5 ~]# systemctl -l status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 11:44:55 CEST; 1min 23s ago
  Process: 10089 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 10103 (mysqld)
   Status: "Taking your SQL requests now..."
    Tasks: 30 (limit: 4915)
   Memory: 76.0M
   CGroup: /system.slice/mysqld.service
           └─10103 /usr/sbin/mysqld

Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: 10.3.23 started; log sequence number 5435446; transaction id 2170
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 200814 11:44:54 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 200814 11:44:54 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2020-08->
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:55 0 [Note] Added new Master_info '' to hash table
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:55 0 [Note] /usr/sbin/mysqld: ready for connections.
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: Version: '10.3.23-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 0  Mageia MariaDB Server
Aug 14 11:44:55 mach5.hviaene.thuis systemd[1]: Started MySQL database server.
Aug 14 11:44:56 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:56 0 [Note] InnoDB: Buffer pool(s) load completed at 200814 11:44:56
phpmyadmin was already installed on this laptop, so tried it and got:
Service unavailable! error 503.

Beats me????

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2020-08-14 12:03:20 CEST
In error log:
[Fri Aug 14 11:43:34.873057 2020] [ssl:warn] [pid 2911] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Aug 14 11:43:34.878583 2020] [suexec:notice] [pid 2911] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Aug 14 11:43:34.910009 2020] [ssl:warn] [pid 2911] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Aug 14 11:43:34.910162 2020] [lbmethod_heartbeat:notice] [pid 2911] AH02282: No slotmem from mod_heartmonitor
[Fri Aug 14 11:43:34.910225 2020] [http2:warn] [pid 2911] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Fri Aug 14 11:43:35.526070 2020] [mpm_prefork:notice] [pid 2911] AH00163: Apache/2.4.46 (Unix) OpenSSL/1.1.0l PHP/7.3.19 configured -- resuming normal operations
[Fri Aug 14 11:43:35.526126 2020] [core:notice] [pid 2911] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Aug 14 11:44:27.135202 2020] [proxy:error] [pid 2916] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /var/lib/php-fpm/php-fpm.sock (*) failed
[Fri Aug 14 11:44:27.135271 2020] [proxy_fcgi:error] [pid 2916] [client ::1:46006] AH01079: failed to make connection to backend: httpd-UDS
[Fri Aug 14 11:45:10.006219 2020] [proxy:error] [pid 2920] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /var/lib/php-fpm/php-fpm.sock (*) failed
[Fri Aug 14 11:45:10.006347 2020] [proxy_fcgi:error] [pid 2920] [client ::1:46008] AH01079: failed to make connection to backend: httpd-UDS
Comment 10 David Walser 2020-08-14 12:39:33 CEST
Try with apache-mod_php.  I think there's a bug in php-fpm (with a php in updates_testing to fix it).
Comment 11 David Walser 2020-08-18 18:32:32 CEST
I can confirm current updates php works with updates_testing Apache with my normal test cases.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2020-08-18 18:32:58 CEST
Advisory and package list in Comment 5.
Dave Hodgins 2020-08-18 18:48:37 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 13 Mageia Robot 2020-08-18 19:43:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0327.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2020-08-21 20:58:58 CEST
Ubuntu has issued an advisory for this on August 13:
https://ubuntu.com/security/notices/USN-4458-1

Note You need to log in before you can comment on or make changes to this bug.