Bug 31457 - apache-mod_security new security issues CVE-2022-48279 and CVE-2023-24021
Summary: apache-mod_security new security issues CVE-2022-48279 and CVE-2023-24021
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-26 23:58 CET by David Walser
Modified: 2023-05-21 10:44 CEST

See Also:
Source RPM: apache-mod_security-2.9.5-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-01-26 23:58:49 CET
Debian-LTS has issued an advisory today (January 26):
https://www.debian.org/lts/security/2023/dla-3283

The issues are fixed upstream in 2.9.7.

Mageia 8 is also affected.

David Walser 2023-01-26 23:59:03 CET

Whiteboard: (none) => MGA8TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30977
Status comment: (none) => Fixed upstream in 2.9.7

Comment 1 Marja Van Waes 2023-02-04 23:10:46 CET
Assigning to all packagers collectively, because there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-05-07 00:55:32 CEST
Fedora has issued an advisory for this on April 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SYRTXTOQQI6SB2TLI5QXU76DURSLS4XI/

It also switches to pcre2, fixing other issues (see Bug 31791).

Comment 3 David GEIGER 2023-05-07 17:59:29 CEST
Already done for cauldron.

$ mgarepo rpmlog apache-mod_security
* Sun Apr 16 2023 daviddavid <daviddavid> 1:2.9.7-1.mga9
+ Revision: 1953094
- new version: 2.9.7
- switch to pcre2 (mga#31791)

CC: (none) => geiger.david68210

Comment 4 David GEIGER 2023-05-07 18:10:23 CEST
Done now for mga8.

Comment 5 David Walser 2023-05-07 19:41:37 CEST
mlogc-2.9.7-1.mga8
apache-mod_security-2.9.7-1.mga8

from apache-mod_security-2.9.7-1.mga8.src.rpm

Source RPM: apache-mod_security-2.9.5-2.mga9.src.rpm => apache-mod_security-2.9.5-1.mga8.src.rpm
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.9.7 => (none)

PC LX 2023-05-11 23:57:04 CEST

CC: (none) => mageia

Comment 6 Herman Viaene 2023-05-17 11:34:58 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Test as in bug 29787
# httpd -M 2>/dev/null |grep security
 security2_module (shared)
is OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2023-05-17 13:50:33 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 02:47:48 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-05-21 10:44:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

