http://mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E patch for version 2.2.21, I don't know if it applies to our version: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ A workaround for users is to review and, if needed, update their configuration.
Assign to dmorgan (as maintainer of apache)
Assignee: bugsquad => dmorganec
Ping?
Mandriva's patch (might be the same one): http://svn.mandriva.com/svn/packages/cooker/apache/current/SOURCES/httpd-2.2.21-CVE-2011-3368.diff Advisory: http://lists.mandriva.com/security-announce/2011-10/msg00017.php It looks like this one is valid for current Cauldron too.
CC: (none) => luigiwalser
Please test new rpm in updates_testing
Assignee: dmorganec => qa-bugs
apache update works for me on i586. I tested it by accessing a CGI. I didn't test mod_proxy itself.
D Morgan, I just found out we're missing a patch. The patch is here: http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html It actually applies to another patch (patch100). The advisory from March 31 is here: http://lists.mandriva.com/security-announce/2011-03/msg00016.php
CC: (none) => dmorganec
CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec
Thanks, I just fixed this.
The following 6 packages are going to be installed:
- apache-base-2.2.17-5.6.mga1.x86_64
- apache-modules-2.2.17-5.6.mga1.x86_64
- apache-mod_dav-2.2.17-5.6.mga1.x86_64
- apache-mod_ssl-2.2.17-5.6.mga1.x86_64
- apache-mod_userdir-2.2.17-5.6.mga1.x86_64
- apache-mpm-prefork-2.2.17-5.6.mga1.x86_64
Testing complete on x86_64 using phpmyadmin and zoneminder. Requires re-testing on i586.
apache works fine for me on i586. I didn't test mod_proxy or mpm-itk.
Validating the update.
Advisory
-----------------
This is a security update for Apache tackling 2 vulnerabilities.
CVE-2011-3368
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
CVE-2011-1176
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1176
-----------------
SRPM: apache-2.2.17-5.6.mga1.src.rpm
Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Assignee: qa-bugs => sysadmin-bugs
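The configuration review suggested in the first comment, and the CVE-2011-3368 description in the advisory above, can be turned into a check; the Python script below is an added example, not code from this bug report, from Mageia or from the Apache project. It assumes that the rules worth reviewing are ProxyPassMatch directives and proxying RewriteRule entries (the [P] flag) whose pattern does not force the request-URI to begin with "/", and the httpd.conf fragment it scans is constructed for the example.

```python
import re

# Constructed httpd.conf fragment (not taken from the bug report). Two of the
# reverse-proxy rules match any request-URI; the others require a leading "/".
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^(.*) http://backend.example.internal$1 [P]
ProxyPassMatch (.*) http://backend.example.internal$1
ProxyPassMatch ^/app/(.*) http://backend.example.internal/app/$1
RewriteRule ^/static/(.*) http://cdn.example.internal/$1 [P,L]
ProxyPass /legacy/ http://legacy.example.internal/
"""

# First argument of the directive, quoted or bare.
PROXY_PASS_MATCH = re.compile(r'^\s*ProxyPassMatch\s+(?:"([^"]+)"|(\S+))', re.I)
# Pattern, substitution, then the [flags] list; a RewriteRule without flags never proxies.
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+(?:"([^"]+)"|(\S+))\s+\S+\s+\[([^\]]*)\]', re.I)


def is_anchored_to_slash(pattern: str) -> bool:
    """True when the regex can only match a request-URI beginning with '/'
    (accepts '^/' and the grouped form '^(/...')."""
    return re.match(r"^\^\(?/", pattern) is not None


def find_risky_proxy_rules(conf_text: str) -> list:
    """Return (line number, directive, pattern) for each ProxyPassMatch or
    proxying RewriteRule ([P]/[proxy] flag) whose pattern does not force a
    leading '/'. Assumption: these unanchored pattern rules are the
    configurations the CVE-2011-3368 advisory asks administrators to review;
    plain ProxyPass is not pattern-based and is skipped."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = PROXY_PASS_MATCH.match(line)
        directive = "ProxyPassMatch"
        if match is None:
            match = REWRITE_RULE.match(line)
            directive = "RewriteRule"
            if match is not None:
                flags = {f.strip().split("=")[0].upper() for f in match.group(3).split(",")}
                if "P" not in flags and "PROXY" not in flags:
                    continue  # rewrite without proxying: not a reverse-proxy rule
        if match is None:
            continue
        pattern = match.group(1) or match.group(2)
        if not is_anchored_to_slash(pattern):
            findings.append((lineno, directive, pattern))
    return findings


if __name__ == "__main__":
    for lineno, directive, pattern in find_risky_proxy_rules(SAMPLE_CONF):
        print(f"line {lineno}: {directive} pattern {pattern!r} does not require a leading '/'")
```

Run it against a real httpd.conf (and any files it includes) by reading them into find_risky_proxy_rules; a flagged rule is a candidate for the patched package or for a pattern anchored with ^/.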
Reassigning to QA so it doesn't get lost. David, please see: https://wiki.mageia.org/en/QA_process_for_validating_updates#Assign :)
Assignee: sysadmin-bugs => qa-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED