Apache has announced a security issue fixed upstream in APR on January 31: https://www.openwall.com/lists/oss-security/2023/01/31/3 The issue is fixed upstream in 1.7.1. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 1.7.1
Assigning to all packagers collectively, because there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Suggested advisory: ======================== The updated packages fix a security vulnerability: Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. (CVE-2022-24963) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24963 https://www.openwall.com/lists/oss-security/2023/01/31/3 ======================== Updated packages in core/updates_testing: ======================== lib(64)apr1_0-1.7.2-1.mga8 lib(64)apr-devel-1.7.2-1.mga8 from SRPM: apr-1.7.2-1.mga8.src.rpm
CVE: (none) => CVE-2022-24963Whiteboard: MGA8TOO => (none)CC: (none) => nicolas.salgueroVersion: Cauldron => 8Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDSource RPM: apr-1.7.0-7.mga9.src.rpm => apr-1.7.0-3.2.mga8.src.rpmStatus comment: Fixed upstream in 1.7.1 => (none)
MGA8-64 MATE on Acer Aspire 5253 No installation issues Bug 31485 shows that starting httpd depends on the apr lib. After installing this update, I get error on httpd. But looking with ps -aux found different processes httpd, killed those and then # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2023-02-09 17:30:45 CET; 6s ago Main PID: 12958 (httpd) Status: "Processing requests..." Tasks: 11 (limit: 4364) Memory: 36.9M CPU: 1.664s CGroup: /system.slice/httpd.service ├─12958 /usr/sbin/httpd -DFOREGROUND ├─12960 /usr/sbin/httpd -DFOREGROUND ├─12961 /usr/sbin/httpd -DFOREGROUND ├─12963 /usr/sbin/httpd -DFOREGROUND ├─12966 /usr/sbin/httpd -DFOREGROUND └─12968 /usr/sbin/httpd -DFOREGROUND Feb 09 17:30:44 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Feb 09 17:30:45 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server. # systemctl stop httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Feb 09 17:27:21 mach7.hviaene.thuis httpd[12791]: httpd (pid 12010) already running Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: httpd.service: Failed with result 'protocol'. Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: Failed to start The Apache HTTP Server. Feb 09 17:30:44 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Feb 09 17:30:45 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server. Feb 09 17:32:17 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server... Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded. Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server. Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.272s CPU time. # systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2023-02-09 17:33:21 CET; 3s ago Main PID: 13081 (httpd) Status: "Processing requests..." Tasks: 11 (limit: 4364) Memory: 36.9M CPU: 1.669s CGroup: /system.slice/httpd.service ├─13081 /usr/sbin/httpd -DFOREGROUND ├─13083 /usr/sbin/httpd -DFOREGROUND ├─13084 /usr/sbin/httpd -DFOREGROUND ├─13086 /usr/sbin/httpd -DFOREGROUND ├─13087 /usr/sbin/httpd -DFOREGROUND └─13091 /usr/sbin/httpd -DFOREGROUND Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server. A second attempt to stop httpd returns a normal inactive status. # systemctl stop httpd [root@mach7 ~]# systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead) Feb 09 17:32:17 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server... Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded. Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server. Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.272s CPU time. Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server... Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server. Feb 09 17:35:43 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server... Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded. Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server. Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.274s CPU time. I don't know what to make of this failure at the first stop command. Another start/stop sequence remains normal. I will not object an OK, but I'd rather have someone look into this.
CC: (none) => herman.viaene
@Herman with respect to comment 3. Stopping and starting httpd worked OK. Updated the libraries for Mageia8 x64. No trouble with stopping and starting httpd and restarting it. localhost:631 brings up the CUPS interface and http://localhost says "It Works!". Other sites work as before. Reinforcing your OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => tarazed25
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0063.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED