Bug 33353 - apache new security issues CVE-2024-36387, CVE-2024-3847[3-7], CVE-2024-39573 and CVE-2024-39884
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-07-02 09:17 CEST by Nicolas Salguero
Modified: 2024-07-09 09:01 CEST

See Also:
Source RPM: apache-2.4.59-1.mga9.src.rpm
CVE: CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573, CVE-2024-39884
Status comment:



Nicolas Salguero 2024-07-02 09:18:48 CEST

Status comment: (none) => Fixed upstream in 2.4.60
Source RPM: (none) => apache-2.4.59-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573
Summary: apache new security issues, CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573 => apache new security issues CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573

Comment 1 Nicolas Salguero 2024-07-02 10:42:07 CEST Comment hidden (obsolete)

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.4.60 => (none)
Source RPM: apache-2.4.59-1.mga10.src.rpm => apache-2.4.59-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

katnatek 2024-07-02 19:08:31 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-07-03 00:44:47 CEST Comment hidden (obsolete)
katnatek 2024-07-03 03:44:05 CEST

Depends on: (none) => 33355

Comment 3 Herman Viaene 2024-07-03 10:37:55 CEST Comment hidden (obsolete)

CC: (none) => herman.viaene

Comment 4 Nicolas Salguero 2024-07-03 11:24:05 CEST Comment hidden (obsolete)

Keywords: advisory => (none)

Marc Krämer 2024-07-03 14:52:33 CEST

Depends on: 33355 => (none)

PC LX 2024-07-03 17:58:21 CEST

CC: (none) => mageia

katnatek 2024-07-03 18:25:08 CEST

Keywords: (none) => advisory

Comment 5 katnatek 2024-07-03 18:33:39 CEST Comment hidden (obsolete)
Comment 6 PC LX 2024-07-04 11:37:43 CEST Comment hidden (obsolete)
Comment 7 Nicolas Salguero 2024-07-04 15:11:51 CEST
The problem described in bug 33355 has received CVE-2024-39884 and is fixed in version 2.4.61. See: https://www.openwall.com/lists/oss-security/2024/07/03/8

Summary: apache new security issues CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573 => apache new security issues CVE-2024-36387, CVE-2024-3847[3-7], CVE-2024-39573 and CVE-2024-39884
CVE: CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573 => CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573, CVE-2024-39884
Keywords: advisory => (none)

Comment 8 Nicolas Salguero 2024-07-04 15:16:14 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. (CVE-2024-36387)

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. (CVE-2024-38473)

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant only to be executed as CGI. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. (CVE-2024-38475)

Vulnerability in the core of Apache HTTP Server 2.4.59 and earlier: these versions are vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. (CVE-2024-38476)

Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. (CVE-2024-38477)

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. (CVE-2024-39573)

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. (CVE-2024-39884)

References:
https://www.openwall.com/lists/oss-security/2024/07/01/4
https://www.openwall.com/lists/oss-security/2024/07/01/6
https://www.openwall.com/lists/oss-security/2024/07/01/7
https://www.openwall.com/lists/oss-security/2024/07/01/8
https://www.openwall.com/lists/oss-security/2024/07/01/9
https://www.openwall.com/lists/oss-security/2024/07/01/10
https://www.openwall.com/lists/oss-security/2024/07/01/11
https://www.openwall.com/lists/oss-security/2024/07/03/8
========================

Updated packages in core/updates_testing:
========================
apache-2.4.61-1.mga9
apache-devel-2.4.61-1.mga9
apache-doc-2.4.61-1.mga9
apache-htcacheclean-2.4.61-1.mga9
apache-mod_brotli-2.4.61-1.mga9
apache-mod_cache-2.4.61-1.mga9
apache-mod_dav-2.4.61-1.mga9
apache-mod_dbd-2.4.61-1.mga9
apache-mod_http2-2.4.61-1.mga9
apache-mod_ldap-2.4.61-1.mga9
apache-mod_proxy-2.4.61-1.mga9
apache-mod_proxy_html-2.4.61-1.mga9
apache-mod_session-2.4.61-1.mga9
apache-mod_ssl-2.4.61-1.mga9
apache-mod_suexec-2.4.61-1.mga9
apache-mod_userdir-2.4.61-1.mga9

from SRPM:
apache-2.4.61-1.mga9.src.rpm
Comment 9 Brian Rockwell 2024-07-04 17:46:51 CEST
LOL - I was just testing 2.4.60-2.  I'll wait for the mirror to catch up.

CC: (none) => brtians1

katnatek 2024-07-04 18:27:15 CEST

Keywords: (none) => advisory

Comment 10 Tony Blackwell 2024-07-04 23:50:13 CEST
Got it from Princeton.
Installed just the relevant packages (not task-lamp).
It Works!

No obvious issues with a rudimentary look at it.

CC: (none) => tablackwell

Comment 11 Tony Blackwell 2024-07-04 23:51:30 CEST
I see we don't yet have an apache listing in Testing Procedures
Comment 12 katnatek 2024-07-05 00:14:21 CEST
RH mga 9 x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-mod_userdir-2.4.61-1.mga9.x86_64.rpm apache-mod_proxy-2.4.61-1.mga9.x86_64.rpm apache-mod_ssl-2.4.61-1.mga9.x86_64.rpm apache-2.4.61-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: apache                ##################################################################################################
      2/4: apache-mod_userdir    ##################################################################################################
      3/4: apache-mod_proxy      ##################################################################################################
      4/4: apache-mod_ssl        ##################################################################################################
      1/4: removing apache-mod_ssl-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      2/4: removing apache-mod_proxy-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      3/4: removing apache-mod_userdir-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      4/4: removing apache-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
----------------------------------------------------------------------
More information on package apache-2.4.61-1.mga9.x86_64
Starting with Apache 2.4.60, the fix for CVE-2024-38476 (Apache HTTP Server may
use exploitable/malicious backend application output to run local handlers via
internal redirect) caused some changes regarding the 'AddType' directive.

Some legacy uses of the 'AddType' directive to connect a request to a handler
must be ported to 'AddHandler'.

For instance, in order to use apache-mod_php or php-fpm-apache, be sure the
directives 'AddType application/x-httpd-php...' in 70_mod_php.conf or
10_php-fpm.conf were replaced by 'AddHandler application/x-httpd-php'.

----------------------------------------------------------------------

systemctl restart httpd.service 
systemctl -l status httpd.service 
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-07-04 16:10:05 CST; 8s ago
   Main PID: 97663 (httpd)
     Status: "Processing requests..."
      Tasks: 6 (limit: 6904)
     Memory: 6.0M
        CPU: 63ms
     CGroup: /system.slice/httpd.service
             ├─97663 /usr/sbin/httpd -DFOREGROUND
             ├─97668 /usr/sbin/httpd -DFOREGROUND
             ├─97669 /usr/sbin/httpd -DFOREGROUND
             ├─97670 /usr/sbin/httpd -DFOREGROUND
             ├─97671 /usr/sbin/httpd -DFOREGROUND
             └─97672 /usr/sbin/httpd -DFOREGROUND

jul 04 16:10:05 jgrey.phoenix systemd[1]: Starting httpd.service...
jul 04 16:10:05 jgrey.phoenix systemd[1]: Started httpd.service.

I can connect to my page from a remote server; I fixed my issue with a PHP page and all my pages work.
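
The porting note shown in the package information above, as an added example that is not part of the original comment or of the Mageia package: a shell check that lists uncommented 'AddType application/x-httpd-php...' directives under a configuration directory and prints the matching 'AddHandler' line for review. The function names and the contents of the sample files are constructed for illustration; only the two file names come from the note.

```shell
#!/bin/sh
# Added example, not part of the Mageia packages: report uncommented
# 'AddType application/x-httpd-php...' lines that need porting to AddHandler.

# find_legacy_addtype DIR -> prints "file:line: old  =>  suggested" per hit.
find_legacy_addtype() {
    find "$1" -type f -name '*.conf' -exec awk '
        /^[ \t]*#/ { next }   # commented-out directives are not active
        tolower($1) == "addtype" && tolower($2) ~ /^"?application\/x-httpd-php/ {
            old = $0; sub(/^[ \t]+/, "", old)
            new = old; sub(/^[^ \t]+/, "AddHandler", new)
            printf "%s:%d: %s  =>  %s\n", FILENAME, FNR, old, new
        }' {} +
}

# count_legacy_addtype DIR -> prints the number of hits.
count_legacy_addtype() {
    find_legacy_addtype "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> builds a constructed config tree, prints its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: one legacy line, one commented line, one lower-case line.
    cat > "$dir/70_mod_php.conf" <<'EOF'
<IfModule mod_php.c>
    AddType application/x-httpd-php .php
    # AddType application/x-httpd-php .phtml
    addtype application/x-httpd-php-source .phps
</IfModule>
EOF
    # Constructed sample: already ported, plus an ordinary media-type mapping.
    cat > "$dir/10_php-fpm.conf" <<'EOF'
AddHandler application/x-httpd-php .php
AddType image/svg+xml .svg
EOF
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_legacy_addtype "$tree"
    rm -rf "$tree"
fi
```

Directive names are matched case-insensitively because Apache treats them that way; ordinary media-type mappings such as the SVG line are left alone.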
Comment 13 katnatek 2024-07-05 00:22:23 CEST
About bug#33355, I can't confirm it is fixed because I use php-fpm
And the issue is also produced by apache-mod_php
Comment 14 PC LX 2024-07-07 11:25:47 CEST
Installed and tested without issues.

Tested for two days with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates (managed using certbot);
- self signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- PHP scripts;
- APCu cache;
- proxying several sites (e.g. Gitea, goaccess);
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



# uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep apache.*2.4.61 | sort
apache-2.4.61-1.mga9
apache-mod_http2-2.4.61-1.mga9
apache-mod_proxy-2.4.61-1.mga9
apache-mod_proxy_html-2.4.61-1.mga9
apache-mod_ssl-2.4.61-1.mga9
# systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Sun 2024-07-07 10:23:17 WEST; 2min 5s ago
   Main PID: 2802203 (httpd)
     Status: "Total requests: 1563; Idle/Busy workers 100/0;Requests/sec: 13.1; Bytes served/sec: 730KB/sec"
      Tasks: 66 (limit: 19042)
     Memory: 67.2M
        CPU: 1.468s
     CGroup: /system.slice/httpd.service
             ├─2802203 /usr/sbin/httpd -DFOREGROUND
             ├─2802206 /usr/sbin/httpd -DFOREGROUND
             └─2802207 /usr/sbin/httpd -DFOREGROUND

jul 07 10:23:17 marte systemd[1]: Starting httpd.service...
jul 07 10:23:17 marte systemd[1]: Started httpd.service.
Comment 15 Brian Rockwell 2024-07-08 15:17:13 CEST
Upgrade

Installed for nextcloud server.

After using it for a while, confirmed it is working as expected.

I'm moving this one along.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-07-08 18:49:53 CEST

CC: (none) => andrewsfarm

Comment 16 Thomas Andrews 2024-07-09 04:48:14 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2024-07-09 09:01:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0258.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

