Apache 2.2.23 has been released, fixing these issues (see the announcement).
Whiteboard: (none) => MGA1TOO
Assignee: bugsquad => guillomovitch
I can handle this one, I'm just waiting for Mandriva to issue the update first. Our 2.2.22 packages in Mageia 1 and Mageia 2 are pretty close to theirs, so I just wanted to see if they do anything more than upgrade the tarball, and I'll follow their changes. I also plan to issue the bugfix update for PHP 5.3.16 at the same time, along with php-apc and php-timezonedb as Mandriva has done, and they can all be tested together.
Speaking of PHP, some work from Oden: http://testing.mandriva.com/php/
Updated Apache packages uploaded for Mageia 1 and Mageia 2. I'll wait to assign to QA until the PHP update is also ready.

Additional references for the advisory:
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html

Packages list for the advisory:
apache-mpm-prefork-2.2.23-1.mga1
apache-mpm-worker-2.2.23-1.mga1
apache-mpm-event-2.2.23-1.mga1
apache-mpm-itk-2.2.23-1.mga1
apache-mpm-peruser-2.2.23-1.mga1
apache-base-2.2.23-1.mga1
apache-modules-2.2.23-1.mga1
apache-mod_dav-2.2.23-1.mga1
apache-mod_ldap-2.2.23-1.mga1
apache-mod_cache-2.2.23-1.mga1
apache-mod_disk_cache-2.2.23-1.mga1
apache-mod_mem_cache-2.2.23-1.mga1
apache-mod_file_cache-2.2.23-1.mga1
apache-mod_deflate-2.2.23-1.mga1
apache-mod_proxy-2.2.23-1.mga1
apache-mod_proxy_ajp-2.2.23-1.mga1
apache-mod_proxy_scgi-2.2.23-1.mga1
apache-mod_userdir-2.2.23-1.mga1
apache-mod_ssl-2.2.23-1.mga1
apache-mod_dbd-2.2.23-1.mga1
apache-mod_authn_dbd-2.2.23-1.mga1
apache-mod_reqtimeout-2.2.23-1.mga1
apache-htcacheclean-2.2.23-1.mga1
apache-devel-2.2.23-1.mga1
apache-source-2.2.23-1.mga1
apache-doc-2.2.23-1.mga1
apache-conf-2.2.23-1.mga1
apache-mod_suexec-2.2.23-1.mga1
apache-2.2.23-1.mga2
apache-mpm-prefork-2.2.23-1.mga2
apache-mpm-worker-2.2.23-1.mga2
apache-mpm-event-2.2.23-1.mga2
apache-mpm-itk-2.2.23-1.mga2
apache-mpm-peruser-2.2.23-1.mga2
apache-mod_dav-2.2.23-1.mga2
apache-mod_ldap-2.2.23-1.mga2
apache-mod_cache-2.2.23-1.mga2
apache-mod_disk_cache-2.2.23-1.mga2
apache-mod_mem_cache-2.2.23-1.mga2
apache-mod_file_cache-2.2.23-1.mga2
apache-mod_deflate-2.2.23-1.mga2
apache-mod_proxy-2.2.23-1.mga2
apache-mod_proxy_ajp-2.2.23-1.mga2
apache-mod_proxy_scgi-2.2.23-1.mga2
apache-mod_suexec-2.2.23-1.mga2
apache-mod_userdir-2.2.23-1.mga2
apache-mod_ssl-2.2.23-1.mga2
apache-mod_dbd-2.2.23-1.mga2
apache-mod_authn_dbd-2.2.23-1.mga2
apache-mod_reqtimeout-2.2.23-1.mga2
apache-htcacheclean-2.2.23-1.mga2
apache-devel-2.2.23-1.mga2
apache-source-2.2.23-1.mga2
apache-doc-2.2.23-1.mga2

from SRPMS:
apache-2.2.23-1.mga1.src.rpm
apache-conf-2.2.23-1.mga1.src.rpm
apache-mod_suexec-2.2.23-1.mga1.src.rpm
apache-2.2.23-1.mga2.src.rpm
Mandriva has issued an advisory for this today (September 28): http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:154
PHP update is finally ready, which can be tested together with this one. Assigning to QA.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory (CVE-2012-0883).

Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled (CVE-2012-2687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://httpd.apache.org/dev/dist/Announcement2.2.html
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:154
========================

Updated packages in core/updates_testing:
========================
apache-mpm-prefork-2.2.23-1.mga1
apache-mpm-worker-2.2.23-1.mga1
apache-mpm-event-2.2.23-1.mga1
apache-mpm-itk-2.2.23-1.mga1
apache-mpm-peruser-2.2.23-1.mga1
apache-base-2.2.23-1.mga1
apache-modules-2.2.23-1.mga1
apache-mod_dav-2.2.23-1.mga1
apache-mod_ldap-2.2.23-1.mga1
apache-mod_cache-2.2.23-1.mga1
apache-mod_disk_cache-2.2.23-1.mga1
apache-mod_mem_cache-2.2.23-1.mga1
apache-mod_file_cache-2.2.23-1.mga1
apache-mod_deflate-2.2.23-1.mga1
apache-mod_proxy-2.2.23-1.mga1
apache-mod_proxy_ajp-2.2.23-1.mga1
apache-mod_proxy_scgi-2.2.23-1.mga1
apache-mod_userdir-2.2.23-1.mga1
apache-mod_ssl-2.2.23-1.mga1
apache-mod_dbd-2.2.23-1.mga1
apache-mod_authn_dbd-2.2.23-1.mga1
apache-mod_reqtimeout-2.2.23-1.mga1
apache-htcacheclean-2.2.23-1.mga1
apache-devel-2.2.23-1.mga1
apache-source-2.2.23-1.mga1
apache-doc-2.2.23-1.mga1
apache-conf-2.2.23-1.mga1
apache-mod_suexec-2.2.23-1.mga1
apache-2.2.23-1.mga2
apache-mpm-prefork-2.2.23-1.mga2
apache-mpm-worker-2.2.23-1.mga2
apache-mpm-event-2.2.23-1.mga2
apache-mpm-itk-2.2.23-1.mga2
apache-mpm-peruser-2.2.23-1.mga2
apache-mod_dav-2.2.23-1.mga2
apache-mod_ldap-2.2.23-1.mga2
apache-mod_cache-2.2.23-1.mga2
apache-mod_disk_cache-2.2.23-1.mga2
apache-mod_mem_cache-2.2.23-1.mga2
apache-mod_file_cache-2.2.23-1.mga2
apache-mod_deflate-2.2.23-1.mga2
apache-mod_proxy-2.2.23-1.mga2
apache-mod_proxy_ajp-2.2.23-1.mga2
apache-mod_proxy_scgi-2.2.23-1.mga2
apache-mod_suexec-2.2.23-1.mga2
apache-mod_userdir-2.2.23-1.mga2
apache-mod_ssl-2.2.23-1.mga2
apache-mod_dbd-2.2.23-1.mga2
apache-mod_authn_dbd-2.2.23-1.mga2
apache-mod_reqtimeout-2.2.23-1.mga2
apache-htcacheclean-2.2.23-1.mga2
apache-devel-2.2.23-1.mga2
apache-source-2.2.23-1.mga2
apache-doc-2.2.23-1.mga2

from SRPMS:
apache-2.2.23-1.mga1.src.rpm
apache-conf-2.2.23-1.mga1.src.rpm
apache-mod_suexec-2.2.23-1.mga1.src.rpm
apache-2.2.23-1.mga2.src.rpm
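The CVE-2012-0883 entry in the advisory above turns on one detail: an LD_LIBRARY_PATH that contains an empty element (a leading, trailing or doubled colon) makes the dynamic loader search the current working directory, so the libraries loaded by httpd depend on where apachectl happens to be started. The following POSIX sh script is an added example, not code from the Mageia bug or from the Apache project. It checks a candidate LD_LIBRARY_PATH value for such elements and contrasts the unconditional "prepend LIBDIR:" pattern with a guarded one; the two prepend helpers are an assumed illustration of the shape of the problem, not the exact envvars text.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or of Apache httpd. It models the
# condition described for CVE-2012-0883: an LD_LIBRARY_PATH containing an
# empty element (leading, trailing or doubled ':') or '.' makes the dynamic
# loader search the current working directory for shared objects.

# check_ld_library_path VALUE
# Prints every element that would cause a cwd search and returns 1 if any
# was found, 0 if the value is empty or every element is an absolute path.
check_ld_library_path() {
    value=$1
    rc=0
    # An empty (or unset) LD_LIBRARY_PATH adds no search directories at all;
    # only an empty *element* inside a non-empty value does.
    [ -z "$value" ] && return 0
    # Walk the colon-separated list with parameter expansion rather than
    # IFS splitting, because shells disagree on whether a trailing ':'
    # produces an empty field.
    rest="$value:"
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case "$elem" in
            ''|.) echo "unsafe element (current directory): '$elem'"; rc=1 ;;
            /*)   ;;
            *)    echo "unsafe element (relative path): '$elem'"; rc=1 ;;
        esac
    done
    return $rc
}

# unsafe_prepend LIBDIR CURRENT
# Assumed shape of the problem (not the exact envvars text): always
# prepending "LIBDIR:" leaves a trailing ':' when CURRENT is empty.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# safe_prepend LIBDIR CURRENT
# Only add the separator when there is something to separate from.
safe_prepend() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

# Demo with a constructed, initially empty LD_LIBRARY_PATH.
for candidate in "$(unsafe_prepend /usr/lib '')" "$(safe_prepend /usr/lib '')"; do
    if check_ld_library_path "$candidate"; then
        echo "OK:     LD_LIBRARY_PATH='$candidate'"
    else
        echo "UNSAFE: LD_LIBRARY_PATH='$candidate'"
    fi
done
```

Run on a real host, `check_ld_library_path "$LD_LIBRARY_PATH"` after sourcing the server's envvars file tells you whether the loader's search path still depends on the working directory; the element walk deliberately avoids IFS splitting because bash and dash disagree on whether "/usr/lib:" yields a trailing empty field.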
Assignee: guillomovitch => qa-bugs
For bug 2317 on Mageia 2, the following packages will require linking:
pdksh-5.2.14-29.mga1 (Core 32bit Release (distrib31))
pdksh-5.2.14-29.mga1 (Core Release (distrib1))
(Now required by apache-source). I'll check Mageia 1 shortly.
CC: (none) => davidwhodgins
Depends on: (none) => 2317
Same for Mageia 1:
pdksh-5.2.14-29.mga1 (Core 32bit Release)
pdksh-5.2.14-29.mga1 (Core Release)
Just testing for regressions, using phpmyadmin, and on Mageia 2, squirrelmail.

Testing complete on Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpms
apache-2.2.23-1.mga2.src.rpm
php-5.3.17-1.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.3.mga2.src.rpm
php-timezonedb-2012.6-1.mga2.src.rpm
php-apc-3.1.13-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
apache-2.2.23-1.mga1.src.rpm
apache-conf-2.2.23-1.mga1.src.rpm
apache-mod_suexec-2.2.23-1.mga1.src.rpm
php-ini-5.3.17-1.mga1.src.rpm
php-5.3.17-2.mga1.src.rpm
php-eaccelerator-0.9.6.1-6.8.mga1.src.rpm
php-gd-bundled-5.3.17-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core updates and link the rpm package pdksh from Core Release to Core Updates for both Mageia 1 and 2, i586 and x86-64.

Advisory:

Updated apache packages fix security vulnerabilities:

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory (CVE-2012-0883).

Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled (CVE-2012-2687).

Also the dependency changes correct the installation of squirrelmail.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://httpd.apache.org/dev/dist/Announcement2.2.html
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:154
https://bugs.mageia.org/show_bug.cgi?id=7553
https://bugs.mageia.org/show_bug.cgi?id=7618
https://bugs.mageia.org/show_bug.cgi?id=7316
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
(In reply to comment #8)
> Also the dependency changes correct the installation of squirrelmail.

That particular bit has nothing to do with the Apache update, it's an added Provides in the PHP update that fixes it. I believe it affects more than just squirrelmail also. Speaking of which, however, someone else tried making a change in squirrelmail itself to fix the problem, which wasn't needed, so could the sysadmins please remove squirrelmail from Mageia 2 updates_testing? Thanks.
(In reply to comment #8)
> https://bugs.mageia.org/show_bug.cgi?id=7553
> https://bugs.mageia.org/show_bug.cgi?id=7618

Those bug references also are regarding the PHP update, not the apache one.
squirrelmail removed from 2/updates_testing. Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0280
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
So... this update broke running servers:

[root@zeus ~]# service httpd status
httpd-prefork.service - The Apache HTTP Server (prefork MPM)
          Loaded: loaded (/lib/systemd/system/httpd-prefork.service; enabled)
          Active: failed (Result: exit-code) since Sun, 07 Oct 2012 18:11:17 +0300; 6min ago
         Process: 15055 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/httpd-prefork.service

Oct 07 18:11:17 zeus.yrkesakademin.fi httpd[15055]: Syntax error on line 5 of /etc/httpd/conf/vhosts.d/20_domain.conf:
Oct 07 18:11:17 zeus.comain.fi httpd[15055]: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Use /etc/init.d/httpd extendedstatus for more information.

[root@zeus ~]# rpm -qa |grep apache
apache-mpm-prefork-2.2.23-1.mga2
apache-mod_ssl-2.2.23-1.mga2
apache-mod_perl-2.0.5-15.mga2
apache-mod_php-5.3.17-2.mga2
apache-2.2.23-1.mga2

[root@zeus ~]# rpm -qa |grep ssl
lib64openssl1.0.0-1.0.0j-1.mga2
apache-mod_ssl-2.2.23-1.mga2
php-openssl-5.3.17-2.mga2
openssl-1.0.0j-1.mga2
lib64openssl-engines1.0.0-1.0.0j-1.mga2
Status: RESOLVED => REOPENED
CC: (none) => oe
Resolution: FIXED => (none)
Priority: Normal => High
Severity: normal => critical
Keywords: validated_update => (none)
CC: (none) => ed_rus099
(In reply to comment #12)
> So... this update broke running servers:
> Oct 07 18:11:17 zeus.yrkesakademin.fi httpd[15055]: Syntax error on line 5 of
> /etc/httpd/conf/vhosts.d/20_domain.conf:
> [root@zeus ~]# rpm -qa |grep ssl
> lib64openssl1.0.0-1.0.0j-1.mga2
> apache-mod_ssl-2.2.23-1.mga2
> php-openssl-5.3.17-2.mga2
> openssl-1.0.0j-1.mga2
> lib64openssl-engines1.0.0-1.0.0j-1.mga2

Is ssl enabled?

grep ssl /etc/httpd/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Crap, that was it... seems 2.2.23 does not support the same conf that worked before... The server had:

[root@zeus conf]# head -n 6 vhosts.d/01_default_ssl_vhost.conf
<IfDefine HAVE_SSL>
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
</IfDefine>

which had no problem in enabling / supporting ssl connections, but apparently 2.2.23 does not support that anymore... :/

Oh well, it works now with 2.2.23...
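The failure in comments #12 to #14 is a configuration-consistency problem that is cheap to catch before a restart: a vhost uses SSLEngine, but the only LoadModule ssl_module line sits inside an <IfDefine HAVE_SSL> block, so whether it takes effect depends on the -D defines the init script passes to httpd. The POSIX sh script below is an added example, not code from the Mageia bug, the Mageia packages or the Apache project. It does a static pass over a configuration directory, tracks <IfDefine> nesting (including the negated "!NAME" form) against a list of defines, and reports when SSLEngine is used without an active LoadModule ssl_module. It deliberately does not evaluate <IfModule> or Include, so it is a preflight check alongside "httpd -t", not a replacement for it. The sample configuration files it builds are constructed to mirror the report and are not the reporter's files.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or of Apache httpd. Static
# preflight check: does any file use SSLEngine while no LoadModule
# ssl_module line is active under the given -D defines?
#
# check_ssl_module CONF_DIR [DEFINE ...]
# Returns 0 when SSL directives are absent or backed by an active
# LoadModule ssl_module, 1 otherwise. <IfModule> and Include are not
# evaluated (simplification); comment lines are skipped.
check_ssl_module() {
    dir=$1
    shift
    defines=" $* "
    awk -v defines="$defines" '
        # A LoadModule counts only if every enclosing <IfDefine> is satisfied.
        function active(   i) {
            for (i = 1; i <= depth; i++) if (!ok[i]) return 0
            return 1
        }
        /^[ \t]*#/ { next }
        /^[ \t]*<IfDefine[ \t]/ {
            name = $2; sub(/>.*$/, "", name)
            neg = (substr(name, 1, 1) == "!")
            if (neg) name = substr(name, 2)
            defined = (index(defines, " " name " ") > 0)
            depth++; ok[depth] = (defined != neg)
            next
        }
        /^[ \t]*<\/IfDefine>/ { if (depth > 0) depth--; next }
        /^[ \t]*LoadModule[ \t]+ssl_module[ \t]/ { if (active()) loaded = 1; next }
        /^[ \t]*SSLEngine[ \t]/ { uses_ssl = 1 }
        END { exit ((uses_ssl && !loaded) ? 1 : 0) }
    ' "$dir"/*.conf
}

# make_sample_conf
# Builds a constructed configuration directory shaped like the report:
# ssl_module commented out in the main config, loaded only under
# <IfDefine HAVE_SSL> in the default SSL vhost, and a vhost using SSLEngine.
# Prints the directory path.
make_sample_conf() {
    dir=$(mktemp -d)
    cat > "$dir/00_httpd.conf" <<'EOF'
# constructed sample: the unconditional LoadModule is commented out
#LoadModule ssl_module modules/mod_ssl.so
EOF
    cat > "$dir/01_default_ssl_vhost.conf" <<'EOF'
<IfDefine HAVE_SSL>
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
</IfDefine>
EOF
    cat > "$dir/20_domain.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed sample.
sample=$(make_sample_conf)
if check_ssl_module "$sample"; then
    echo "without -D HAVE_SSL: ssl_module available"
else
    echo "without -D HAVE_SSL: SSLEngine used but ssl_module never loaded"
fi
if check_ssl_module "$sample" HAVE_SSL; then
    echo "with -D HAVE_SSL: ssl_module available"
fi
rm -rf "$sample"
```

Pointing it at a real tree (for example `check_ssl_module /etc/httpd/conf/vhosts.d $(grep -o -- '-D[A-Z_]*' /etc/sysconfig/httpd | sed 's/^-D//')`) reproduces the reporter's situation: the check passes only if HAVE_SSL is among the defines or an unconditional LoadModule ssl_module exists, which is exactly the line the reply in comment #13 asks about.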
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED