Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereference. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12845
Package dropped in Cauldron.
Summary: cherokee security vulnerability CVE-2020-12845 => cherokee new security issue CVE-2020-12845
Source RPM: cherokee => cherokee-1.2.103-17.mga7.src.rpm
Assignee: bugsquad => shlomif
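The description above says a malformed Authorization header reaches cherokee_buffer_add with a NULL pointer. As an added example that is not Cherokee's code, the following C sketch shows the shape of the defence: a Basic-auth parser that validates every field before the append step, returns an error on a malformed header, and a buffer-append helper that refuses NULL input. abuf_t, abuf_add, b64decode and parse_basic_auth are names of my own, not Cherokee identifiers.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example, not Cherokee's code: a defensive parser for the value of
 * "Authorization: Basic <base64>". Every field is validated before it reaches the
 * buffer-append step, so a malformed header yields an error, never a NULL pointer. */
typedef struct { char data[128]; size_t len; } abuf_t;
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Append modelled on a buffer_add call: rejects NULL input and overflow. */
static int abuf_add(abuf_t *b, const char *s, size_t n)
{
    if (b == NULL || s == NULL || b->len + n >= sizeof(b->data)) return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n; b->data[b->len] = '\0';
    return 0;
}

/* Decode base64; returns decoded length, or -1 on bad length/charset/padding. */
static int b64decode(const char *in, size_t n, char *out, size_t outsz)
{
    size_t i, o = 0, pad = 0;
    if (n == 0 || n % 4 != 0 || n / 4 * 3 > outsz) return -1;
    while (pad < 2 && in[n - 1 - pad] == '=') pad++;
    for (i = 0; i < n; i += 4) {
        int v[4], k;
        for (k = 0; k < 4; k++) {
            const char *p = strchr(B64, in[i + k]);
            if (p && *p) v[k] = (int)(p - B64);
            else if (in[i + k] == '=' && i + k >= n - pad) v[k] = 0;
            else return -1;                 /* bad character or misplaced '=' */
        }
        out[o++] = (char)((v[0] << 2) | (v[1] >> 4));
        out[o++] = (char)((v[1] << 4) | (v[2] >> 2));
        out[o++] = (char)((v[2] << 6) | v[3]);
    }
    return (int)(o - pad);
}
/* Parse "Basic <token>" into user/pass: 0 on success, -1 on any malformed header. */
int parse_basic_auth(const char *hdr, abuf_t *user, abuf_t *pass)
{
    char dec[128]; const char *tok, *colon; int dlen;
    if (hdr == NULL || strncmp(hdr, "Basic ", 6) != 0) return -1;
    for (tok = hdr + 6; *tok == ' '; tok++) ;
    if (*tok == '\0') return -1;            /* "Basic " with nothing after it */
    if ((dlen = b64decode(tok, strlen(tok), dec, sizeof(dec) - 1)) < 0) return -1;
    if ((colon = memchr(dec, ':', (size_t)dlen)) == NULL) return -1;  /* no user:pass */
    user->len = pass->len = 0;
    if (abuf_add(user, dec, (size_t)(colon - dec)) < 0) return -1;
    return abuf_add(pass, colon + 1, (size_t)(dec + dlen - (colon + 1)));
}
```

Every rejection path returns -1 to the caller, which would answer 401 rather than dereferencing anything; the headers fed to it in the test are constructed values.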
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
Assignee: shlomif => pkg-bugs
Fixes here: https://github.com/cherokee/webserver/pull/1243
Status comment: (none) => Patches available in pull request upstream
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereference. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest. (CVE-2020-12845)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12845
========================

Updated packages in core/updates_testing:
========================
cherokee-1.2.103-17.1.mga7
cget-1.2.103-17.1.mga7
lib(64)cherokee-base0-1.2.103-17.1.mga7
lib(64)cherokee-client0-1.2.103-17.1.mga7
lib(64)cherokee-server0-1.2.103-17.1.mga7
cherokee-devel-1.2.103-17.1.mga7

from SRPM:
cherokee-1.2.103-17.1.mga7.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Patches available in pull request upstream => (none)
CVE: (none) => CVE-2020-12845
Assignee: pkg-bugs => qa-bugs
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 31 packages are going to be installed:
- cget-1.2.103-17.1.mga7.x86_64
- cherokee-1.2.103-17.1.mga7.x86_64
- cherokee-devel-1.2.103-17.1.mga7.x86_64
- lib64cherokee-base0-1.2.103-17.1.mga7.x86_64
- lib64cherokee-client0-1.2.103-17.1.mga7.x86_64
- lib64cherokee-server0-1.2.103-17.1.mga7.x86_64
- lib64dbi1-0.9.0-7.mga7.x86_64
- lib64pcre-devel-8.44-1.mga7.x86_64
- lib64pcre16_0-8.44-1.mga7.x86_64
- lib64pcre32_0-8.44-1.mga7.x86_64
- lib64php_common7-7.4.12-1.mga7.x86_64
- lib64rrdtool8-1.7.1-1.mga7.x86_64
- php-cgi-7.4.12-1.mga7.x86_64
- php-ctype-7.4.12-1.mga7.x86_64
- php-dom-7.4.12-1.mga7.x86_64
- php-filter-7.4.12-1.mga7.x86_64
- php-ftp-7.4.12-1.mga7.x86_64
- php-gettext-7.4.12-1.mga7.x86_64
- php-ini-7.4.12-1.mga7.x86_64
- php-json-7.4.12-1.mga7.x86_64
- php-openssl-7.4.12-1.mga7.x86_64
- php-posix-7.4.12-1.mga7.x86_64
- php-session-7.4.12-1.mga7.x86_64
- php-sysvsem-7.4.12-1.mga7.x86_64
- php-sysvshm-7.4.12-1.mga7.x86_64
- php-tokenizer-7.4.12-1.mga7.x86_64
- php-xmlreader-7.4.12-1.mga7.x86_64
- php-xmlwriter-7.4.12-1.mga7.x86_64
- php-zlib-7.4.12-1.mga7.x86_64
- rrdtool-1.7.1-1.mga7.x86_64
- webserver-base-2.0-12.mga7.noarch

-- started services --

Go to 127.0.0.1 and see the following:

This page is used to test the proper operation of the Cherokee Web Server after it has been installed. If you can read this page, it means that the Cherokee Web Server installed at this site is working properly.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0019.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED