Apache has issued advisories today (August 7):
https://www.openwall.com/lists/oss-security/2020/08/07/1
https://www.openwall.com/lists/oss-security/2020/08/07/3
https://www.openwall.com/lists/oss-security/2020/08/07/4

The issues are fixed upstream in 2.4.46:
https://httpd.apache.org/security/vulnerabilities_24.html
https://downloads.apache.org/httpd/CHANGES_2.4.46

Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.4.46
Whiteboard: (none) => MGA7TOO
*** Bug 27063 has been marked as a duplicate of this bug. ***
CC: (none) => smelror
Shlomi uploaded apache-2.4.46-1.mga8 for Cauldron.
Assignee: bugsquad => shlomif
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
(In reply to David Walser from comment #2)
> Shlomi uploaded apache-2.4.46-1.mga8 for Cauldron.

OK, just note that kekePower and David/Luigi helped as well.
I've now pushed apache-2.4.46 to http://pkgsubmit.mageia.org/ / mga7 updates-testing - let's see if it builds.
Advisory:
========================

Updated apache packages fix security vulnerabilities:

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers (CVE-2020-9490).

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible remote code execution (CVE-2020-11984).

Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers (CVE-2020-11993).

The apache package has been updated to version 2.4.46, fixing these issues and other bugs. See the upstream CHANGES file for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.44
https://downloads.apache.org/httpd/CHANGES_2.4.46
========================

Updated packages in core/updates_testing:
========================
apache-2.4.46-1.mga7
apache-mod_dav-2.4.46-1.mga7
apache-mod_ldap-2.4.46-1.mga7
apache-mod_session-2.4.46-1.mga7
apache-mod_cache-2.4.46-1.mga7
apache-mod_proxy-2.4.46-1.mga7
apache-mod_proxy_html-2.4.46-1.mga7
apache-mod_suexec-2.4.46-1.mga7
apache-mod_userdir-2.4.46-1.mga7
apache-mod_ssl-2.4.46-1.mga7
apache-mod_dbd-2.4.46-1.mga7
apache-mod_http2-2.4.46-1.mga7
apache-mod_brotli-2.4.46-1.mga7
apache-htcacheclean-2.4.46-1.mga7
apache-devel-2.4.46-1.mga7
apache-doc-2.4.46-1.mga7

from apache-2.4.46-1.mga7.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Status comment: Fixed upstream in 2.4.46 => (none)
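As an added example (not part of this bug report, the Mageia advisory, or Apache's own tooling), the following POSIX shell helper maps an httpd version string onto the three affected ranges quoted in the advisory above, so an administrator can tell which CVEs still apply to a host that has not yet received 2.4.46, and checks a configuration fragment for the "H2Push off" workaround the advisory names for CVE-2020-9490. The function names, the sample "httpd -v" output and the configuration snippet are my own constructions; the version ranges are the advisory's.

```shell
#!/bin/sh
# Added example, not from the bug report or the Apache advisory.
# Affected ranges are those stated in the Mageia/Apache advisory text:
#   CVE-2020-9490  : 2.4.20 .. 2.4.43
#   CVE-2020-11984 : 2.4.32 .. 2.4.44
#   CVE-2020-11993 : 2.4.20 .. 2.4.43
# Function names below are hypothetical helpers written for this example.

# ver_le A B : succeed if dotted three-component version A <= B
ver_le() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -le "$b3" ]
}

# in_range V LO HI : succeed if LO <= V <= HI
in_range() { ver_le "$2" "$1" && ver_le "$1" "$3"; }

# affected_cves VERSION : print, one per line, the advisory CVEs whose
# affected range includes VERSION; prints nothing for a fixed release.
affected_cves() {
    v=$1
    in_range "$v" 2.4.20 2.4.43 && echo CVE-2020-9490
    in_range "$v" 2.4.32 2.4.44 && echo CVE-2020-11984
    in_range "$v" 2.4.20 2.4.43 && echo CVE-2020-11993
    return 0
}

# version_from_httpd : read "httpd -v" style output on stdin and print the
# version, e.g. "Server version: Apache/2.4.46 (Unix)" -> 2.4.46
version_from_httpd() {
    sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# h2push_off : read httpd configuration text on stdin; succeed if an active
# (uncommented) "H2Push off" directive is present. Directive names are
# case-insensitive in httpd, hence grep -i. This looks at the text it is
# given only; it does not follow Include lines or reason about vhost scope.
h2push_off() {
    grep -qiE '^[[:space:]]*H2Push[[:space:]]+off([[:space:]]|$)'
}

# Constructed sample output in the format "httpd -v" prints (not captured
# from a real host).
SAMPLE_HTTPD_V='Server version: Apache/2.4.43 (Unix)
Server built:   Mar 26 2020 12:00:00'

# Constructed sample configuration fragment with the workaround enabled.
SAMPLE_CONF='<IfModule http2_module>
    Protocols h2 http/1.1
    H2Push off
</IfModule>'

# Stand-alone demonstration on the constructed samples.
ver=$(printf '%s\n' "$SAMPLE_HTTPD_V" | version_from_httpd)
echo "httpd $ver is affected by: $(affected_cves "$ver" | tr '\n' ' ')"
if printf '%s\n' "$SAMPLE_CONF" | h2push_off; then
    echo "H2Push off is set (CVE-2020-9490 workaround present)"
else
    echo "H2Push off is not set"
fi
```

Run it against the real host with "httpd -v | version_from_httpd" and "httpd -t -D DUMP_INCLUDES" style output fed to h2push_off after sourcing the functions; a version that prints no CVEs is the 2.4.46 (or later) the advisory ships, and a host inside a range with "H2Push off" absent is the case the advisory's workaround addresses.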
Thanks, David (Walser)! Just a note that the updated apache 2.4.46 packages were built successfully for mga 7 / updates-testing: http://pkgsubmit.mageia.org/ .
Installed and tested without issues.

Tested:
- HTTP 1.1.
- HTTP 2.
- HTTP 1.1 upgrade to HTTP 2.
- HTTPS with SNI.
- SSL test using https://www.ssllabs.com/ssltest/.
- PHP through FPM.
- systemd socket activation.
- multiple sites resolution by IP and Host name.
- multiple large PHP scripts.
- mod_rewrite.
- mod_security.
- custom logs.
- server status.

All is working as expected. No regressions noticed.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.7.14-desktop-1.mga7 #1 SMP Fri Aug 7 14:45:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep apache | sort
apache-2.4.46-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.46-1.mga7
apache-mod_php-7.3.19-2.mga7
apache-mod_proxy-2.4.46-1.mga7
apache-mod_ssl-2.4.46-1.mga7

$ systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 09:49:25 WEST; 39min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4697)
   Memory: 92.0K
   CGroup: /system.slice/httpd.socket

ago 12 09:49:25 marte systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 10:28:24 WEST; 58s ago
 Main PID: 6395 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 66 (limit: 4697)
   Memory: 29.5M
   CGroup: /system.slice/httpd.service
           ├─6395 /usr/sbin/httpd -DFOREGROUND
           ├─6397 /usr/sbin/httpd -DFOREGROUND
           └─6398 /usr/sbin/httpd -DFOREGROUND

ago 12 10:28:24 marte systemd[1]: Starting The Apache HTTP Server...
ago 12 10:28:24 marte systemd[1]: Started The Apache HTTP Server.

$ systemctl status php-fpm.socket php-fpm.service
● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2020-08-12 10:07:11 WEST; 23min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

ago 12 09:49:25 marte systemd[1]: Listening on php-fpm Server Socket.
ago 12 10:07:11 marte systemd[1]: php-fpm.socket: Succeeded.
ago 12 10:07:11 marte systemd[1]: Closed php-fpm Server Socket.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-12 10:07:11 WEST; 23min ago
 Main PID: 3868 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 86, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4697)
   Memory: 56.5M
   CGroup: /system.slice/php-fpm.service
           ├─3868 php-fpm: master process (/etc/php-fpm.conf)
           ├─3870 php-fpm: pool www
           └─4446 php-fpm: pool www

ago 12 10:07:11 marte systemd[1]: Starting The PHP FastCGI Process Manager...
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] fpm is running, pid 3868
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] ready to handle connections
ago 12 10:07:11 marte systemd[1]: Started The PHP FastCGI Process Manager.
ago 12 10:07:11 marte php-fpm[3868]: [NOTICE] systemd monitor interval set to 10000ms
CC: (none) => mageia
MGA7-64 On Lenovo B50

No installation issues.

Ref bug 26418 for testing. After installation:

]# systemctl start httpd
[root@mach5 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 11:43:34 CEST; 18s ago
 Main PID: 2911 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 26 (limit: 4915)
   Memory: 23.4M
   CGroup: /system.slice/httpd.service
           ├─2911 /usr/sbin/httpd -DFOREGROUND
           ├─2914 /usr/sbin/httpd -DFOREGROUND
           ├─2916 /usr/sbin/httpd -DFOREGROUND
           ├─2920 /usr/sbin/httpd -DFOREGROUND
           ├─2929 /usr/sbin/httpd -DFOREGROUND
           └─2931 /usr/sbin/httpd -DFOREGROUND

Aug 14 11:43:34 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Aug 14 11:43:34 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

Point browser to localhost: "It works!"

# systemctl start mysqld
[root@mach5 ~]# systemctl -l status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 11:44:55 CEST; 1min 23s ago
  Process: 10089 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
 Main PID: 10103 (mysqld)
   Status: "Taking your SQL requests now..."
    Tasks: 30 (limit: 4915)
   Memory: 76.0M
   CGroup: /system.slice/mysqld.service
           └─10103 /usr/sbin/mysqld

Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: 10.3.23 started; log sequence number 5435446; transaction id 2170
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:54 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
Aug 14 11:44:54 mach5.hviaene.thuis mysqld[10103]: 200814 11:44:54 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 200814 11:44:54 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2020-08->
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:55 0 [Note] Added new Master_info '' to hash table
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:55 0 [Note] /usr/sbin/mysqld: ready for connections.
Aug 14 11:44:55 mach5.hviaene.thuis mysqld[10103]: Version: '10.3.23-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 0  Mageia MariaDB Server
Aug 14 11:44:55 mach5.hviaene.thuis systemd[1]: Started MySQL database server.
Aug 14 11:44:56 mach5.hviaene.thuis mysqld[10103]: 2020-08-14 11:44:56 0 [Note] InnoDB: Buffer pool(s) load completed at 200814 11:44:56

phpmyadmin was already installed on this laptop, so tried it and got: Service unavailable! error 503. Beats me????
CC: (none) => herman.viaene
In error log:

[Fri Aug 14 11:43:34.873057 2020] [ssl:warn] [pid 2911] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Aug 14 11:43:34.878583 2020] [suexec:notice] [pid 2911] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Aug 14 11:43:34.910009 2020] [ssl:warn] [pid 2911] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Aug 14 11:43:34.910162 2020] [lbmethod_heartbeat:notice] [pid 2911] AH02282: No slotmem from mod_heartmonitor
[Fri Aug 14 11:43:34.910225 2020] [http2:warn] [pid 2911] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Fri Aug 14 11:43:35.526070 2020] [mpm_prefork:notice] [pid 2911] AH00163: Apache/2.4.46 (Unix) OpenSSL/1.1.0l PHP/7.3.19 configured -- resuming normal operations
[Fri Aug 14 11:43:35.526126 2020] [core:notice] [pid 2911] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Aug 14 11:44:27.135202 2020] [proxy:error] [pid 2916] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /var/lib/php-fpm/php-fpm.sock (*) failed
[Fri Aug 14 11:44:27.135271 2020] [proxy_fcgi:error] [pid 2916] [client ::1:46006] AH01079: failed to make connection to backend: httpd-UDS
[Fri Aug 14 11:45:10.006219 2020] [proxy:error] [pid 2920] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /var/lib/php-fpm/php-fpm.sock (*) failed
[Fri Aug 14 11:45:10.006347 2020] [proxy_fcgi:error] [pid 2920] [client ::1:46008] AH01079: failed to make connection to backend: httpd-UDS
Try with apache-mod_php. I think there's a bug in php-fpm (with a php in updates_testing to fix it).
I can confirm current updates php works with updates_testing Apache with my normal test cases.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory and package list in Comment 5.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0327.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Ubuntu has issued an advisory for this on August 13:
https://ubuntu.com/security/notices/USN-4458-1