Bug 9168 - apache new security issues CVE-2012-3499 and CVE-2012-4558
: apache new security issues CVE-2012-3499 and CVE-2012-4558
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/540078/
: has_procedure MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-24 03:42 CET by David Walser
Modified: 2013-02-27 22:10 CET (History)
5 users (show)

See Also:
Source RPM: apache-2.4.3-9.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-02-24 03:42:28 CET
Upstream has released 2.4.4, fixing two XSS security issues:
- CVE-2012-3499
- CVE-2012-4558

http://www.apache.org/dist/httpd/CHANGES_2.4

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-02-24 10:33:31 CET
Don't forget there's a CRIME mitigation (CVE-2012-4929) in there for 2.2.24 and 2.4.4.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

NOTE: Even if the fix is similar for both, SSLCompression is "on" for 2.2.x and "off" per default in 2.4.x
Comment 3 David Walser 2013-02-26 13:04:42 CET
Thanks, adding Mageia 2 to the whiteboard.

A freeze push has been requested for 2.4.4 in Cauldron, and apache-2.2.24-1.mga2 is in updates_testing.
Comment 4 David Walser 2013-02-26 13:22:10 CET
Fixed in Cauldron in apache-2.4.4-1.mga3.
Comment 5 David Walser 2013-02-26 13:27:41 CET
Assigning to QA for Mageia 2.

If the PHP update is ready (Bug 8489), these can be tested together.

Oden, is that one ready too?

Advisory:
========================

Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting vulnerability) flaws due to unescaped
hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
interface (CVE-2012-4558).

Additionally the ASF bug 53219 was resolved which provides a way
to mitigate the CRIME attack vulnerability by disabling TLS-level
compression. Use the new directive SSLCompression on|off to enable or
disable TLS-level compression, by default SSLCompression is turned on.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.24-1.mga2
apache-mpm-prefork-2.2.24-1.mga2
apache-mpm-worker-2.2.24-1.mga2
apache-mpm-event-2.2.24-1.mga2
apache-mpm-itk-2.2.24-1.mga2
apache-mpm-peruser-2.2.24-1.mga2
apache-mod_dav-2.2.24-1.mga2
apache-mod_ldap-2.2.24-1.mga2
apache-mod_cache-2.2.24-1.mga2
apache-mod_disk_cache-2.2.24-1.mga2
apache-mod_mem_cache-2.2.24-1.mga2
apache-mod_file_cache-2.2.24-1.mga2
apache-mod_deflate-2.2.24-1.mga2
apache-mod_proxy-2.2.24-1.mga2
apache-mod_proxy_ajp-2.2.24-1.mga2
apache-mod_proxy_scgi-2.2.24-1.mga2
apache-mod_suexec-2.2.24-1.mga2
apache-mod_userdir-2.2.24-1.mga2
apache-mod_ssl-2.2.24-1.mga2
apache-mod_dbd-2.2.24-1.mga2
apache-mod_authn_dbd-2.2.24-1.mga2
apache-mod_reqtimeout-2.2.24-1.mga2
apache-htcacheclean-2.2.24-1.mga2
apache-devel-2.2.24-1.mga2
apache-source-2.2.24-1.mga2
apache-doc-2.2.24-1.mga2

from apache-2.2.24-1.mga2.src.rpm
Comment 6 claire robinson 2013-02-26 16:51:32 CET
Is CVE-2012-4558 relevant for mageia 2?

urpmq -a apache-mod_proxy_
apache-mod_proxy_ajp
apache-mod_proxy_scg
Comment 7 Oden Eriksson 2013-02-26 17:07:37 CET
======================================================
Name: CVE-2012-3499
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20120614
Category: 
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_22.html
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_24.html
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_info.c?r1=1225799&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1389564&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c?r1=1209766&r2=1418752&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_imagemap.c?r1=1398480&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c?r1=1404625&r2=1413732&diff_format=h

Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP
Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote
attackers to inject arbitrary web script or HTML via vectors involving
hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3)
mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.



======================================================
Name: CVE-2012-4558
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20120821
Category: 
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_22.html
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_24.html
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1404653&r2=1413732&diff_format=h

Multiple cross-site scripting (XSS) vulnerabilities in the
balancer_handler function in the manager interface in
mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache
HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow
remote attackers to inject arbitrary web script or HTML via a crafted
string.
Comment 8 Oden Eriksson 2013-02-26 17:09:06 CET
http://www.apache.org/dist/httpd/CHANGES_2.2.24
Comment 9 claire robinson 2013-02-26 17:48:50 CET
Is that in response to comment 6 Oden?

apache-mod_proxy_balancer isn't included in Mageia 2, or is it something extraneous which causes the problem if that module is locally compiled?
Comment 10 claire robinson 2013-02-26 17:51:30 CET
Ahh NM. I see it's part of apache-mod_proxy
Comment 11 claire robinson 2013-02-26 19:15:15 CET
Testing x86_64

After installing apache-mod_proxy, edited etc/httpd/modules.d/30_mod_proxy.conf and at the bottom changed Allow from to 127.0.0.1 and restarted httpd.

It can then be accessed at http://localhost/balancer-manager

apache-mod_status, one affected by cve-2012-3499 can be tested by visiting http://localhost/server-status
Comment 12 claire robinson 2013-02-26 19:34:47 CET
Testing complete mga2 64

Used the above and checked with various webapps (zoneminder, phpmyadmin etc)
Comment 13 Dave Hodgins 2013-02-27 02:05:54 CET
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
apache-2.2.24-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting vulnerability) flaws due to unescaped
hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
interface (CVE-2012-4558).

Additionally the ASF bug 53219 was resolved which provides a way
to mitigate the CRIME attack vulnerability by disabling TLS-level
compression. Use the new directive SSLCompression on|off to enable or
disable TLS-level compression, by default SSLCompression is turned on.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
https://bugs.mageia.org/show_bug.cgi?id=9168
Comment 14 Thomas Backlund 2013-02-27 22:10:49 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0073

Note You need to log in before you can comment on or make changes to this bug.