Bug 7064 - apache-mod_authnz_external missing update for security issue CVE-2011-2688
Summary: apache-mod_authnz_external missing update for security issue CVE-2011-2688
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/452167/
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-08-14 23:31 CEST by David Walser
Modified: 2012-08-21 16:24 CEST
CC: 5 users

See Also:
Source RPM: apache-mod_authnz_external-3.2.5-5.mga2.src.rpm
CVE:
Status comment:


Description David Walser 2012-08-14 23:31:24 CEST
Debian has issued an advisory on July 19, 2011:
http://www.debian.org/security/2011/dsa-2279

Cauldron is not affected as this code is no longer present.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated apache-mod_authnz_external package fixes security vulnerability:

SQL injection vulnerability in mysql/mysql-auth.pl in the
mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server
allows remote attackers to execute arbitrary SQL commands via the user
field (CVE-2011-2688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2688
http://www.debian.org/security/2011/dsa-2279
========================

Updated packages in core/updates_testing:
========================
apache-mod_authnz_external-3.2.5-3.1.mga1
apache-mod_authnz_external-3.2.5-5.2.mga2

from SRPMS:
apache-mod_authnz_external-3.2.5-3.1.mga1.src.rpm
apache-mod_authnz_external-3.2.5-5.2.mga2.src.rpm
David Walser 2012-08-15 17:49:42 CEST

Whiteboard: (none) => MGA1TOO
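
The advisory above describes the bug in one sentence; as an added illustration (not code from the Mageia package or from mysql-auth.pl, which is a Perl script), the following Python sketch puts the pre-fix query-building pattern beside the parameterised form, runs both against a constructed in-memory SQLite table, and reads the user/password pair the way mod_authnz_external's pipe method hands it to an external authenticator. The table schema, hashing scheme and user values are assumptions made for the example.

```python
import hashlib
import sqlite3
import sys

# Constructed stand-in for the MySQL table mysql-auth.pl queries: an in-memory
# SQLite table with a salted SHA-256 hex digest per user (the real schema and
# hashing are assumptions, not taken from the script).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT)")


def _hash(password: str) -> str:
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()


_conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
_conn.commit()


def auth_vulnerable(user: str, password: str) -> bool:
    """Pre-fix pattern: the user field is spliced into the SQL text, so quote
    characters in it alter the statement (the CVE-2011-2688 class of bug)."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{user}' "
           f"AND pwhash = '{_hash(password)}'")
    return _conn.execute(sql).fetchone()[0] > 0


def auth_hardened(user: str, password: str) -> bool:
    """Fixed pattern: bind parameters keep the user field as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pwhash = ?"
    return _conn.execute(sql, (user, _hash(password))).fetchone()[0] > 0


def parse_pipe_input(data: str):
    """mod_authnz_external's default 'pipe' method writes the user on the first
    stdin line and the password on the second; return them as a (user, password) pair."""
    lines = data.split("\n")
    if len(lines) < 2:
        raise ValueError("expected a user line and a password line")
    return lines[0], lines[1]


if __name__ == "__main__":
    # The exit status is the verdict the module reads: 0 grants access, non-zero denies.
    user, password = parse_pipe_input(sys.stdin.read())
    sys.exit(0 if auth_hardened(user, password) else 1)
```

Run it as `printf 'alice\ncorrect horse\n' | python3 auth_example.py; echo $?` to see the exit-code contract; with the vulnerable function swapped in, a user field carrying SQL syntax is enough to obtain a 0.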

Comment 1 Samuel Verschelde 2012-08-17 23:43:10 CEST
CCing dmorgan as the maintainer and guillomovitch since David said you are using this package. See my question at the end of this comment please :)

Just testing that the module loads. If you have a better testing procedure I can follow, don't hesitate to give it.

In the version in Mageia 1 updates_testing as well as in release, I have to remove the <IfDefine HAVE_AUTHNZ_EXTERNAL> part from the module config file, otherwise httpd -M doesn't show the module loaded. After removing it httpd -M shows it loaded. I'm considering testing OK regarding regressions.

(non blocking) Question: why do I have to remove that part from the config file? What is the proper way to do it?

CC: (none) => dmorganec, stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA1-32-OK

Comment 2 Samuel Verschelde 2012-08-17 23:43:38 CEST
Really CCing guillomovitch, see previous comment.

CC: (none) => guillomovitch

Comment 3 Samuel Verschelde 2012-08-20 11:43:17 CEST
In Mageia 2 the module loads correctly without any config file change (in Mageia 1 it doesn't). Testing complete on Mageia 2 x86_64.

Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK

Comment 4 Samuel Verschelde 2012-08-20 22:05:29 CEST
Testing complete on Mageia 2 i586.

Update validated.

See comment #0 for packages and advisory.
Samuel Verschelde 2012-08-20 22:06:06 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK MGA2-32-OK

Comment 5 Thomas Backlund 2012-08-21 16:24:58 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0231

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

