Upstream have released 2.4.58, which fixes several security issues.

*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org)

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Will Dormann of Vul Labs

*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org)

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.

This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Prof. Sven Dietrich (City University of New York)

*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org)

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.

Credits: David Shoon (github/davidshoon)
Cauldron updated to version 2.4.58.
Version: Cauldron => 9
CVE: (none) => CVE-2023-45802, CVE-2023-43622, CVE-2023-31122
Whiteboard: (none) => MGA8TOO
Advisory
========

Apache has been updated to version 2.4.58 to fix several security issues.

CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org)

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Will Dormann of Vul Labs

CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org)

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.

This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Prof. Sven Dietrich (City University of New York)

CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org)

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.

Credits: David Shoon (github/davidshoon)

References
==========

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.58-1.mga8
apache-devel-2.4.58-1.mga8
apache-mod_http2-2.4.58-1.mga8
apache-mod_ssl-2.4.58-1.mga8
apache-mod_dav-2.4.58-1.mga8
apache-mod_cache-2.4.58-1.mga8
apache-mod_proxy_html-2.4.58-1.mga8
apache-mod_ldap-2.4.58-1.mga8
apache-mod_session-2.4.58-1.mga8
apache-mod_dbd-2.4.58-1.mga8
apache-htcacheclean-2.4.58-1.mga8
apache-mod_suexec-2.4.58-1.mga8
apache-mod_userdir-2.4.58-1.mga8
apache-mod_brotli-2.4.58-1.mga8
apache-2.4.58-1.mga8
apache-doc-2.4.58-1.mga8

From apache-2.4.58-1.mga8.src.rpm

apache-mod_proxy-2.4.58-1.mga9
apache-devel-2.4.58-1.mga9
apache-mod_http2-2.4.58-1.mga9
apache-mod_ssl-2.4.58-1.mga9
apache-mod_dav-2.4.58-1.mga9
apache-mod_cache-2.4.58-1.mga9
apache-mod_proxy_html-2.4.58-1.mga9
apache-mod_ldap-2.4.58-1.mga9
apache-mod_session-2.4.58-1.mga9
apache-mod_dbd-2.4.58-1.mga9
apache-htcacheclean-2.4.58-1.mga9
apache-mod_suexec-2.4.58-1.mga9
apache-mod_userdir-2.4.58-1.mga9
apache-mod_brotli-2.4.58-1.mga9
apache-2.4.58-1.mga9
apache-doc-2.4.58-1.mga9

From apache-2.4.58-1.mga9.src.rpm
Assignee: smelror => qa-bugs
Advisory
========

Apache has been updated to version 2.4.58 to fix several security issues.

CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org)

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Will Dormann of Vul Labs

CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org)

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.

This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credits: Prof. Sven Dietrich (City University of New York)

CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org)

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.

Credits: David Shoon (github/davidshoon)

References
==========

https://downloads.apache.org/httpd/CHANGES_2.4.58

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.58-1.mga8
apache-devel-2.4.58-1.mga8
apache-mod_http2-2.4.58-1.mga8
apache-mod_ssl-2.4.58-1.mga8
apache-mod_dav-2.4.58-1.mga8
apache-mod_cache-2.4.58-1.mga8
apache-mod_proxy_html-2.4.58-1.mga8
apache-mod_ldap-2.4.58-1.mga8
apache-mod_session-2.4.58-1.mga8
apache-mod_dbd-2.4.58-1.mga8
apache-htcacheclean-2.4.58-1.mga8
apache-mod_suexec-2.4.58-1.mga8
apache-mod_userdir-2.4.58-1.mga8
apache-mod_brotli-2.4.58-1.mga8
apache-2.4.58-1.mga8
apache-doc-2.4.58-1.mga8

From apache-2.4.58-1.mga8.src.rpm

apache-mod_proxy-2.4.58-1.mga9
apache-devel-2.4.58-1.mga9
apache-mod_http2-2.4.58-1.mga9
apache-mod_ssl-2.4.58-1.mga9
apache-mod_dav-2.4.58-1.mga9
apache-mod_cache-2.4.58-1.mga9
apache-mod_proxy_html-2.4.58-1.mga9
apache-mod_ldap-2.4.58-1.mga9
apache-mod_session-2.4.58-1.mga9
apache-mod_dbd-2.4.58-1.mga9
apache-htcacheclean-2.4.58-1.mga9
apache-mod_suexec-2.4.58-1.mga9
apache-mod_userdir-2.4.58-1.mga9
apache-mod_brotli-2.4.58-1.mga9
apache-2.4.58-1.mga9
apache-doc-2.4.58-1.mga9

From apache-2.4.58-1.mga9.src.rpm
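The advisory above states, per CVE, which upstream httpd versions are affected and that 2.4.58 fixes all three. The following is an added example, not code from the bug report, from Mageia or from the Apache project: a small Python audit that parses `rpm -qa` style package names (the `apache-<module>-<version>-<release>` form used in the file list) and reports which of the three CVEs each apache* package's upstream version still falls in. The package list it runs on is constructed for the example, and the lower bound used for CVE-2023-45802 is an assumption, since the advisory only names the fixing version for that one.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected upstream ranges as given in the advisory (inclusive bounds).
# A lower bound of None means "every earlier 2.4.x as well".
# CVE-2023-45802: the advisory gives no start of range, only that 2.4.58
# fixes it, so treating everything before 2.4.58 as affected is an assumption.
AFFECTED: Dict[str, Tuple[Optional[str], str]] = {
    "CVE-2023-45802": (None, "2.4.57"),
    "CVE-2023-43622": ("2.4.55", "2.4.57"),
    "CVE-2023-31122": (None, "2.4.57"),
}
FIXED_IN = "2.4.58"

# Constructed sample of `rpm -qa | grep apache` output (not a real host).
# Note the mod_proxy subpackage lagging behind the rest, which is exactly
# the kind of inconsistency a per-package check is meant to surface.
SAMPLE_RPM_QA = """\
apache-2.4.57-1.mga9
apache-mod_http2-2.4.57-1.mga9
apache-mod_ssl-2.4.58-1.mga9
apache-mod_proxy-2.4.54-3.mga8
php-fpm-8.2.11-1.mga9
"""

# name-version-release: the name may contain hyphens, the version is dotted
# digits, and the release (e.g. "1.mga9") contains no hyphen.
_NVR = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.58' -> (2, 4, 58); tuples compare numerically, so 2.4.9 < 2.4.58."""
    return tuple(int(part) for part in v.split("."))


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the advisory whose affected range contains version."""
    ver = parse_version(version)
    hits: List[str] = []
    for cve, (lo, hi) in AFFECTED.items():
        if lo is not None and ver < parse_version(lo):
            continue
        if ver <= parse_version(hi):
            hits.append(cve)
    return hits


def parse_rpm_qa(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each apache* package name to (upstream version, distro release)."""
    pkgs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NVR.match(line)
        if m is None or not m.group("name").startswith("apache"):
            continue
        pkgs[m.group("name")] = (m.group("ver"), m.group("rel"))
    return pkgs


def audit(text: str) -> Dict[str, List[str]]:
    """Map each apache* package to the CVEs its upstream version falls in."""
    return {name: affected_cves(ver) for name, (ver, _rel) in parse_rpm_qa(text).items()}


if __name__ == "__main__":
    for name, cves in audit(SAMPLE_RPM_QA).items():
        state = "OK" if not cves else "affected: " + ", ".join(cves)
        print(f"{name:<24} {state}")
```

The check is a version heuristic only: a distribution may backport a fix without bumping the upstream version, so a hit should be confirmed against the distribution advisory rather than taken as proof of exposure. Its main practical value is the per-subpackage view: all of the listed packages are built from the one apache-2.4.58 src.rpm, so every apache-mod_* package on a host should report the same version as the apache package itself.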
CC: (none) => fri
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
CC: (none) => marja11
MGA9-64, server

Installed a few modules I use for the server. Nextcloud, etc. working as expected.
CC: (none) => brtians1
CC: (none) => mageia
Installed and tested without issues. Tested for two days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.

System: Mageia 8, x86_64, Intel CPU.

# uname -a
Linux marte 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep apache.*2.4.58 | sort
apache-2.4.58-1.mga8
apache-mod_http2-2.4.58-1.mga8
apache-mod_proxy-2.4.58-1.mga8
apache-mod_ssl-2.4.58-1.mga8

# systemctl status httpd.socket httpd.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-10-22 19:32:33 WEST; 6min ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 19046)
     Memory: 8.0K
        CPU: 717us
     CGroup: /system.slice/httpd.socket

out 22 19:32:33 marte systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-10-22 19:34:47 WEST; 4min 6s ago
TriggeredBy: ● httpd.socket
   Main PID: 142513 (httpd)
     Status: "Total requests: 19; Idle/Busy workers 100/0;Requests/sec: 0.0795; Bytes served/sec: 405 B/sec"
      Tasks: 54 (limit: 19046)
     Memory: 7.5G
        CPU: 1min 40.963s
     CGroup: /system.slice/httpd.service
             ├─142513 /usr/sbin/httpd -DFOREGROUND
             ├─142516 /usr/sbin/httpd -DFOREGROUND
             └─142517 /usr/sbin/httpd -DFOREGROUND

out 22 19:34:47 marte systemd[1]: Starting The Apache HTTP Server...
out 22 19:34:47 marte systemd[1]: Started The Apache HTTP Server.
Seems strange to me: no update on apache-mod_proxy?
CC: (none) => herman.viaene
MGA9-64 Xfce on Acer Aspire 5253

No installation issues, apart from remark above.

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Tue 2023-10-24 16:52:02 CEST; 7s ago
   Main PID: 87354 (/usr/sbin/httpd)
     Status: "Processing requests..."
      Tasks: 11 (limit: 4317)
     Memory: 10.8M
        CPU: 741ms
     CGroup: /system.slice/httpd.service
             ├─87354 /usr/sbin/httpd -DFOREGROUND
             ├─87366 /usr/sbin/httpd -DFOREGROUND
             ├─87367 /usr/sbin/httpd -DFOREGROUND
             ├─87369 /usr/sbin/httpd -DFOREGROUND
             ├─87372 /usr/sbin/httpd -DFOREGROUND
             └─87373 /usr/sbin/httpd -DFOREGROUND

Oct 24 16:52:02 mach7.hviaene.thuis systemd[1]: Starting httpd.service...
Oct 24 16:52:02 mach7.hviaene.thuis systemd[1]: Started httpd.service.

Pointed browser at localhost and get "It works".

If it is confirmed that apache-mod_proxy does not require an update, this update can go.
After a week of use without issues and considering comment 5, comment 6 and comment 8, I'm giving it an OK to push this security update forward. Please undo if appropriate.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK
(In reply to Herman Viaene from comment #7)
> Seems strange to me: no update on apache-mod_proxy?

The list in comment 3 does show an mga9 update for apache-mod_proxy. Perhaps you missed it somehow.

Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0304.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED