Bug 33514 - apr new security issue CVE-2023-49582
Summary: apr new security issue CVE-2023-49582
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-02 12:51 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST
5 users

See Also:
Source RPM: apr-1.7.2-1.mga9.src.rpm
CVE: CVE-2023-49582
Status comment:


Attachments

Description Nicolas Salguero 2024-09-02 12:51:38 CEST
CVE-2023-49582 was announced here:
https://openwall.com/lists/oss-security/2024/08/26/1

Fixed in 1.7.5.
Nicolas Salguero 2024-09-02 12:52:41 CEST

Source RPM: (none) => apr-1.7.4-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-49582

Comment 1 Marja Van Waes 2024-09-04 08:10:06 CEST
No registered maintainer, so assigning to all.
CC'ing daviddavid, who was the last one to touch this package

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11

Comment 2 Nicolas Salguero 2024-09-07 09:29:19 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. (CVE-2023-49582)

References:
https://openwall.com/lists/oss-security/2024/08/26/1
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.5-1.mga9
lib(64)apr-devel-1.7.5-1.mga9

from SRPM:
apr-1.7.5-1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: apr-1.7.4-1.mga10.src.rpm => apr-1.7.2-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
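
The advisory text above states the weakness in one sentence: named shared-memory segments created by APR (shm_open() objects or mmap-backed files) carried a mode that let other local users read them, and 1.7.5 tightens that on newly created segments. The following is an added example, not code from this bug report, from the Mageia packages or from the APR project: a small POSIX shell audit that lists files under a given directory whose mode grants read access to group or others, counts them, and can reset a segment file to owner-only. The directory to scan is an argument because the location of httpd's runtime segments (scoreboard, mod_slotmem_shm, socache) is site-specific and not stated in this report; the 0600 target is my choice (the segments are created by the parent and inherited by forked workers, so nothing else needs to open them), and the sample files in the usage path are constructed.

```sh
#!/bin/sh
# Added example (not from the bug report or the APR project): audit a directory of
# named shared-memory segment files for the lax permissions behind CVE-2023-49582.
# Usage: sh shm_audit.sh /path/to/httpd/runtime/dir   (path is an assumption;
#        use whatever directory holds your httpd's shm files)

# Print every regular file under $1 readable by group (0040) or others (0004),
# one per line as "<octal mode> <owner>:<group> <path>". Octal -perm tests are
# POSIX; stat -c is GNU/busybox.
list_readable_shm() {
    dir=$1
    find "$dir" -type f \( -perm -040 -o -perm -004 \) \
        -exec stat -c '%a %U:%G %n' {} +
}

# Print the number of such files (0 means nothing is readable beyond its owner).
count_readable_shm() {
    list_readable_shm "$1" | wc -l | tr -d ' '
}

# Reset one segment file to owner read/write only. APR 1.7.5 creates new
# segments restricted to the owner; this is the equivalent for files that an
# older library already created and that are still in use.
harden_shm_file() {
    chmod 0600 "$1"
}

if [ $# -gt 0 ]; then
    n=$(count_readable_shm "$1")
    if [ "$n" = 0 ]; then
        echo "OK: no segment under $1 is readable beyond its owner"
    else
        echo "WARNING: $n file(s) under $1 are readable by group or others:"
        list_readable_shm "$1"
    fi
fi
```

Run it once before the update to see what the 1.7.4 library left behind, and again after restarting httpd on 1.7.5; a non-zero count after the restart means a segment file survived from the old library (or another component is creating it) and should be hardened or recreated.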

katnatek 2024-09-07 18:35:57 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-09-09 11:32:49 CEST
MGA9-64 server Plasma Wayland on HP-Pavillion
No installation issues.
Similar problem as in bug 31485: had processes for httpd running while status said inactive.
Had to issue two consecutive stop commands, and then all seems to work normally.
# systemctl -l status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2024-09-09 11:15:31 CEST; 4min 13s ago
    Process: 61295 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 61295 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 135ms

Sep 09 11:15:31 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 09 11:15:31 mach4.hviaene.thuis systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAI>
Sep 09 11:15:32 mach4.hviaene.thuis httpd[61295]: (98)Address already in use: AH00072: make_sock: could not b>
Sep 09 11:15:32 mach4.hviaene.thuis httpd[61295]: (98)Address already in use: AH00072: make_sock: could not b>
Sep 09 11:15:32 mach4.hviaene.thuis httpd[61295]: no listening sockets available, shutting down
Sep 09 11:15:32 mach4.hviaene.thuis httpd[61295]: AH00015: Unable to open logs
Sep 09 11:15:31 mach4.hviaene.thuis systemd[1]: httpd.service: Failed with result 'exit-code'.
Sep 09 11:15:31 mach4.hviaene.thuis systemd[1]: Failed to start httpd.service.

# systemctl stop httpd

# systemctl stop httpd

# systemctl start httpd

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-09-09 11:20:21 CEST; 29s ago
   Main PID: 61583 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 4473)
     Memory: 36.6M
        CPU: 787ms
     CGroup: /system.slice/httpd.service
             ├─61583 /usr/sbin/httpd -DFOREGROUND
             ├─61587 /usr/sbin/httpd -DFOREGROUND
             ├─61588 /usr/sbin/httpd -DFOREGROUND
             ├─61589 /usr/sbin/httpd -DFOREGROUND
             ├─61590 /usr/sbin/httpd -DFOREGROUND
             └─61591 /usr/sbin/httpd -DFOREGROUND

Sep 09 11:20:20 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 09 11:20:21 mach4.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl stop httpd

# systemctl -l status httpd
○ httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: inactive (dead) since Mon 2024-09-09 11:25:53 CEST; 3s ago
   Duration: 5min 31.454s
    Process: 61583 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=0/SUCCESS)
   Main PID: 61583 (code=exited, status=0/SUCCESS)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
        CPU: 1.213s

Sep 09 11:20:20 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 09 11:20:21 mach4.hviaene.thuis systemd[1]: Started httpd.service.
Sep 09 11:25:52 mach4.hviaene.thuis systemd[1]: Stopping httpd.service...
Sep 09 11:25:53 mach4.hviaene.thuis systemd[1]: httpd.service: Deactivated successfully.
Sep 09 11:25:53 mach4.hviaene.thuis systemd[1]: Stopped httpd.service.
Sep 09 11:25:53 mach4.hviaene.thuis systemd[1]: httpd.service: Consumed 1.213s CPU time.

# systemctl start httpd

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-09-09 11:26:07 CEST; 2s ago
   Main PID: 61857 (/usr/sbin/httpd)
     Status: "Processing requests..."
      Tasks: 6 (limit: 4473)
     Memory: 18.2M
        CPU: 416ms
     CGroup: /system.slice/httpd.service
             ├─61857 /usr/sbin/httpd -DFOREGROUND
             ├─61859 /usr/sbin/httpd -DFOREGROUND
             ├─61860 /usr/sbin/httpd -DFOREGROUND
             ├─61861 /usr/sbin/httpd -DFOREGROUND
             ├─61862 /usr/sbin/httpd -DFOREGROUND
             └─61863 /usr/sbin/httpd -DFOREGROUND

Sep 09 11:26:07 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 09 11:26:07 mach4.hviaene.thuis systemd[1]: Started httpd.service.

Pointing to http://localhost:631/ brings up CUPS OK.
Seems good enough.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
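
The test in Comment 3 ran into httpd processes that were still alive while systemd reported the unit inactive. For a shared-library update such as this one that matters beyond the failed restart: any worker that survives keeps the old libapr mapped, so the fix is not in effect for it even though the new RPM is installed. The script below is an added example, not part of the bug report or of any Mageia tooling: it reads /proc/<pid>/maps, reports which libapr-1 each httpd process has mapped, and flags mappings whose file was replaced on disk (the kernel appends "(deleted)" to those). The sample maps text is constructed; the process name httpd and the use of pidof are assumptions about the Mageia httpd package.

```sh
#!/bin/sh
# Added example (not from the bug report): detect httpd workers still running on
# the pre-update libapr after lib(64)apr1_0 was upgraded to 1.7.5.
# Usage: sh apr_maps_check.sh        (shows the constructed sample below)
#        sh apr_maps_check.sh live   (inspects every running httpd process)

# Read a /proc/<pid>/maps listing on stdin and print one line per distinct
# libapr-1 mapping: "<path> stale" if the mapped file has been deleted or
# replaced on disk, "<path> current" otherwise. libaprutil-1 does not match.
classify_apr_mappings() {
    awk '
        $6 ~ /libapr-1\.so/ {
            state = ($7 == "(deleted)") ? "stale" : "current"
            key = $6 " " state
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Exit 0 when the maps text on stdin contains at least one stale libapr mapping.
has_stale_apr() {
    classify_apr_mappings | grep -q ' stale$'
}

# Inspect every running httpd (pidof and the process name are assumptions).
check_running_httpd() {
    for pid in $(pidof httpd 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        classify_apr_mappings < "/proc/$pid/maps" | sed "s/^/pid $pid: /"
    done
}

# Constructed sample: a worker that still maps the replaced 1.7.4 library next
# to the new 1.7.5 file; addresses, devices and inode numbers are made up.
SAMPLE_MAPS='7f3a1c000000-7f3a1c02b000 r--p 00000000 08:01 1310947 /usr/lib64/libapr-1.so.0.7.4 (deleted)
7f3a1c02b000-7f3a1c064000 r-xp 0002b000 08:01 1310947 /usr/lib64/libapr-1.so.0.7.4 (deleted)
7f3a1c100000-7f3a1c12b000 r--p 00000000 08:01 1310950 /usr/lib64/libaprutil-1.so.0.6.3
7f3a1c200000-7f3a1c22b000 r--p 00000000 08:01 1310999 /usr/lib64/libapr-1.so.0.7.5'

if [ "${1:-}" = "live" ]; then
    check_running_httpd
elif [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_MAPS" | classify_apr_mappings
fi
```

A "stale" line for any pid means that process must still be stopped and restarted; this is also the quick way to confirm, after the double stop and start in Comment 3, that the workers listed in the CGroup really are on the updated library.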

Comment 4 Thomas Andrews 2024-09-10 03:06:05 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-09-10 18:41:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0292.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

