That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/04/03/16 See also: https://nowotarski.info/http2-continuation-flood/ Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOOSource RPM: (none) => apache-2.4.58-1.mga10.src.rpmCVE: (none) => CVE-2024-27316
Problem: no solution is offered or in sight. Necessarily assigning to 'all' packagers pending a fix. CC'ing Stig who currently updates Apache.
Assignee: bugsquad => pkg-bugsStatus comment: (none) => No fix yet available.CC: (none) => smelror
Advisory ======== Apache has been updated to version 2.4.59 to fix CVE-2024-27316, CVE-2024-24795 and CVE-2023-38709. CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/) CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory. CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org) Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Credits: Orange Tsai (@orange_8361) from DEVCORE References ========== https://www.openwall.com/lists/oss-security/2024/04/03/16 https://nowotarski.info/http2-continuation-flood/ https://downloads.apache.org/httpd/CHANGES_2.4.59 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709 Files ===== Uploaded to core/updates_testing apache-mod_proxy-2.4.59-1.mga9 apache-mod_http2-2.4.59-1.mga9 apache-devel-2.4.59-1.mga9 apache-mod_ssl-2.4.59-1.mga9 apache-mod_cache-2.4.59-1.mga9 apache-mod_dav-2.4.59-1.mga9 apache-mod_ldap-2.4.59-1.mga9 apache-mod_session-2.4.59-1.mga9 apache-mod_proxy_html-2.4.59-1.mga9 apache-mod_dbd-2.4.59-1.mga9 apache-htcacheclean-2.4.59-1.mga9 apache-mod_suexec-2.4.59-1.mga9 apache-mod_brotli-2.4.59-1.mga9 apache-mod_userdir-2.4.59-1.mga9 apache-2.4.59-1.mga9 apache-doc-2.4.59-1.mga9 from apache-2.4.59-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)CVE: CVE-2024-27316 => CVE-2024-27316, CVE-2024-24795, CVE-2023-38709Assignee: pkg-bugs => qa-bugsSource RPM: apache-2.4.58-1.mga10.src.rpm => apache-2.4.58-1.mga9.src.rpmStatus comment: No fix yet available. => (none)Version: Cauldron => 9
CC: (none) => mageia
Keywords: (none) => advisory
RH mageia 9 x86_64 LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-synthesis.hdlist.cz https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-info.xml.lzma https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-files.xml.lzma https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240405-221940-changelog.xml.lzma updated medium "Core Updates (distrib3)" medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-synthesis.hdlist.cz https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-info.xml.lzma https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-files.xml.lzma https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240405-221649-changelog.xml.lzma updated medium "Core 32bit Updates (distrib32)" medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing apache-mod_proxy-2.4.59-1.mga9.x86_64.rpm apache-mod_userdir-2.4.59-1.mga9.x86_64.rpm apache-mod_ssl-2.4.59-1.mga9.x86_64.rpm apache-2.4.59-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/4: apache ################################################################################################## 2/4: apache-mod_proxy ################################################################################################## 3/4: apache-mod_userdir ################################################################################################## 4/4: apache-mod_ssl ################################################################################################## 1/4: removing apache-mod_ssl-2.4.58-1.mga9.x86_64 ################################################################################################## 2/4: removing apache-mod_userdir-2.4.58-1.mga9.x86_64 ################################################################################################## 3/4: removing apache-mod_proxy-2.4.58-1.mga9.x86_64 ################################################################################################## 4/4: removing apache-2.4.58-1.mga9.x86_64 ################################################################################################## service httpd restart Redirecting to /bin/systemctl restart httpd.service service httpd status Redirecting to /bin/systemctl status httpd.service ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled) Active: active (running) since Fri 2024-04-05 16:52:23 CST; 23s ago Main PID: 147925 (httpd) Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec" Tasks: 6 (limit: 6904) Memory: 6.0M CPU: 82ms CGroup: /system.slice/httpd.service ├─147925 /usr/sbin/httpd -DFOREGROUND ├─147927 /usr/sbin/httpd -DFOREGROUND ├─147928 /usr/sbin/httpd -DFOREGROUND ├─147929 /usr/sbin/httpd -DFOREGROUND ├─147930 /usr/sbin/httpd -DFOREGROUND └─147931 /usr/sbin/httpd -DFOREGROUND abr 05 16:52:23 phoenix systemd[1]: Starting httpd.service... abr 05 16:52:23 phoenix httpd[147925]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using > abr 05 16:52:23 phoenix systemd[1]: Started httpd.service. Test my https site, it works as before the update
MGA9-64, Nextcloud test The following 4 packages are going to be installed: - apache-2.4.59-1.mga9.x86_64 - apache-htcacheclean-2.4.59-1.mga9.x86_64 - apache-mod_cache-2.4.59-1.mga9.x86_64 - apache-mod_ssl-2.4.59-1.mga9.x86_64 202KB of additional disk space will be use served pages - no issues running for the day with nextcloud - no issues
CC: (none) => brtians1
Installed and tested without issues. Tested for one day with several sites and scripts installed. Tested: - systemd socket activation; - server status; - server info; - custom logs; - IPv4 and IPv6; - HTTPS with SNI; - Lets Encrypt SSL signed certificates (managed using certbot); - self signed certificates; - SSL test using sslscan and https://www.ssllabs.com/ssltest/; - multiple sites resolution by IP and host name; - HTTP 1.1 and 2; - HTTP 1.1 upgrade to HTTP 2; - PHP through FPM; - PHP scripts; - APCu cache; - mod_rewrite; - mod_security; - mod_proxy; - mod_alias. System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz. $ uname -a Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux $ rpm -qa | grep apache.*2.4.59 | sort apache-2.4.59-1.mga9 apache-mod_http2-2.4.59-1.mga9 apache-mod_proxy-2.4.59-1.mga9 apache-mod_proxy_html-2.4.59-1.mga9 apache-mod_ssl-2.4.59-1.mga9 $ systemctl status httpd.service ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled) Active: active (running) since Fri 2024-04-05 14:25:26 WEST; 22h ago Process: 1048599 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS) Main PID: 576435 (httpd) Status: "Total requests: 24369; Idle/Busy workers 100/0;Requests/sec: 0.304; Bytes served/sec: 11KB/sec" Tasks: 54 (limit: 19042) Memory: 40.3M CPU: 1min 11.686s CGroup: /system.slice/httpd.service ├─ 576435 /usr/sbin/httpd -DFOREGROUND ├─1048628 /usr/sbin/httpd -DFOREGROUND └─1048630 /usr/sbin/httpd -DFOREGROUND
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0118.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
Blocks: (none) => 33087
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33087
Blocks: 33087 => (none)