Version 2.4.62 fixes 2 new CVEs.

https://downloads.apache.org/httpd/CHANGES_2.4.62

*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (cve.mitre.org)

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.

Credits: Smi1e (DBAPPSecurity Ltd.)

*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org)

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Cauldron updated
Advisory
========

Apache has been updated to fix 2 new security issues.

CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (cve.mitre.org)

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests.

CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org)

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

References
==========

https://downloads.apache.org/httpd/CHANGES_2.4.62

Files
=====

Uploaded to core/updates_testing

apache-mod_proxy-2.4.62-1.mga9
apache-devel-2.4.62-1.mga9
apache-mod_http2-2.4.62-1.mga9
apache-mod_ssl-2.4.62-1.mga9
apache-mod_dav-2.4.62-1.mga9
apache-mod_cache-2.4.62-1.mga9
apache-mod_ldap-2.4.62-1.mga9
apache-mod_session-2.4.62-1.mga9
apache-mod_proxy_html-2.4.62-1.mga9
apache-mod_dbd-2.4.62-1.mga9
apache-mod_suexec-2.4.62-1.mga9
apache-htcacheclean-2.4.62-1.mga9
apache-mod_brotli-2.4.62-1.mga9
apache-mod_userdir-2.4.62-1.mga9
apache-2.4.62-1.mga9
apache-doc-2.4.62-1.mga9

from apache-2.4.62-1.mga9.src.rpm
CVE: (none) => CVE-2024-40898, CVE-2024-40725
Assignee: smelror => qa-bugs
CC: (none) => nicolas.salguero
Source RPM: (none) => apache-2.4.61-1.mga9.src.rpm
I believe that "PHP scripts may be served instead of interpreted" was fixed in the previous round, or am I wrong?
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-mod_ssl-2.4.62-1.mga9.x86_64.rpm apache-2.4.62-1.mga9.x86_64.rpm apache-mod_proxy-2.4.62-1.mga9.x86_64.rpm apache-mod_userdir-2.4.62-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/4: apache ##################################################################################################
2/4: apache-mod_ssl ##################################################################################################
3/4: apache-mod_proxy ##################################################################################################
4/4: apache-mod_userdir ##################################################################################################
1/4: removing apache-mod_userdir-2.4.61-1.mga9.x86_64 ##################################################################################################
2/4: removing apache-mod_proxy-2.4.61-1.mga9.x86_64 ##################################################################################################
3/4: removing apache-mod_ssl-2.4.61-1.mga9.x86_64 ##################################################################################################
4/4: removing apache-2.4.61-1.mga9.x86_64 ##################################################################################################
----------------------------------------------------------------------
More information on package apache-2.4.62-1.mga9.x86_64

Starting with Apache 2.4.60, the fix for CVE-2024-38476 (Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect) caused some changes regarding the 'AddType' directive.

Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'AddHandler'.

For instance, in order to use apache-mod_php or php-fpm-apache, be sure the directives 'AddType application/x-httpd-php...' in 70_mod_php.conf or 10_php-fpm.conf were replaced by 'AddHandler application/x-httpd-php'.
----------------------------------------------------------------------

systemctl restart httpd.service
systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-07-18 17:29:38 CST; 17s ago
   Main PID: 340565 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 6880)
     Memory: 6.1M
        CPU: 78ms
     CGroup: /system.slice/httpd.service
             ├─340565 /usr/sbin/httpd -DFOREGROUND
             ├─340568 /usr/sbin/httpd -DFOREGROUND
             ├─340569 /usr/sbin/httpd -DFOREGROUND
             ├─340570 /usr/sbin/httpd -DFOREGROUND
             ├─340571 /usr/sbin/httpd -DFOREGROUND
             └─340572 /usr/sbin/httpd -DFOREGROUND

jul 18 17:29:38 jgrey.phoenix systemd[1]: Starting httpd.service...
jul 18 17:29:38 jgrey.phoenix systemd[1]: Started httpd.service.

All my PHP pages work.
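Added example (not part of the bug report or of Mageia's packaging): a small Python check for the porting step described in the package message above, flagging active AddType lines that still map extensions to a handler-style media type and printing the AddHandler form. Treating every application/x-httpd-* type as legacy is an assumption, and the sample config is constructed for illustration.

```python
import re

# Assumption: every "application/x-httpd-*" media type is treated as a legacy
# handler mapping; the package message itself only names application/x-httpd-php.
LEGACY_PREFIX = "application/x-httpd-"
ADDTYPE = re.compile(r"^\s*AddType\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def logical_lines(text):
    """Yield (first line number, text), joining httpd backslash continuations."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", 0
    if buf:
        yield start, buf


def find_legacy_addtype(text):
    """Return one finding per active AddType line that maps to a handler-style type."""
    findings = []
    for num, line in logical_lines(text):
        m = ADDTYPE.match(line)  # commented-out lines start with '#' and never match
        if not m:
            continue
        media_type, exts = m.group(1).strip('"'), m.group(2).split()
        if media_type.lower().startswith(LEGACY_PREFIX):
            findings.append({"line": num, "type": media_type, "extensions": exts,
                             "suggest": "AddHandler %s %s" % (media_type, " ".join(exts))})
    return findings


# Constructed sample config (not a real Mageia file); line 2 continues onto line 3.
SAMPLE = """\
# AddType application/x-httpd-php .php
addtype application/x-httpd-php .php \\
    .phtml
AddType text/html .shtml
AddHandler application/x-httpd-php .php5
"""

if __name__ == "__main__":
    for f in find_legacy_addtype(SAMPLE):
        print("line %(line)d: %(suggest)s" % f)
```

To check a real file, pass its contents to find_legacy_addtype(); an empty result means no legacy mapping of this kind was found in that file.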
Installed and tested without issues. Tested for one day with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTPS with SNI;
- Let's Encrypt SSL signed certificates (managed using certbot);
- self-signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- PHP through FPM;
- PHP scripts;
- APCu cache;
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.

System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.37-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jul 6 01:42:12 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep apache.*2.4.62 | sort
apache-2.4.62-1.mga9
apache-mod_http2-2.4.62-1.mga9
apache-mod_proxy-2.4.62-1.mga9
apache-mod_proxy_html-2.4.62-1.mga9
apache-mod_ssl-2.4.62-1.mga9

$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-07-18 09:31:17 WEST; 1 day 8h ago
    Process: 276036 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
   Main PID: 4035080 (httpd)
     Status: "Total requests: 16558; Idle/Busy workers 100/0;Requests/sec: 0.142; Bytes served/sec: 3.0KB/sec"
      Tasks: 54 (limit: 19016)
     Memory: 65.1M
        CPU: 1min 5.038s
     CGroup: /system.slice/httpd.service
             ├─ 276090 /usr/sbin/httpd -DFOREGROUND
             ├─ 276091 /usr/sbin/httpd -DFOREGROUND
             └─4035080 /usr/sbin/httpd -DFOREGROUND
CC: (none) => mageia
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Also tested on my test instance of Nextcloud. Working with files no issues.
CC: (none) => brtians1
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0272.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => rickbennett815
CC: rickbennett815 => marja11