Upstream has released 2.4.4, fixing two XSS security issues:
- CVE-2012-3499
- CVE-2012-4558

http://www.apache.org/dist/httpd/CHANGES_2.4
CC: (none) => oe
CC: (none) => guillomovitch
Don't forget there's a CRIME mitigation (CVE-2012-4929) in there for 2.2.24 and 2.4.4.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

NOTE: Even if the fix is similar for both, SSLCompression is "on" for 2.2.x and "off" per default in 2.4.x
Fixed here:

http://svnweb.mageia.org/packages?view=revision&revision=400359
http://svnweb.mageia.org/packages?view=revision&revision=400366
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
Thanks, adding Mageia 2 to the whiteboard. A freeze push has been requested for 2.4.4 in Cauldron, and apache-2.2.24-1.mga2 is in updates_testing.
Whiteboard: (none) => MGA2TOO
Fixed in Cauldron in apache-2.4.4-1.mga3.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Assigning to QA for Mageia 2. If the PHP update is ready (Bug 8489), these can be tested together. Oden, is that one ready too?

Advisory:
========================

Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting vulnerability) flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager interface (CVE-2012-4558).

Additionally the ASF bug 53219 was resolved which provides a way to mitigate the CRIME attack vulnerability by disabling TLS-level compression. Use the new directive SSLCompression on|off to enable or disable TLS-level compression, by default SSLCompression is turned on.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
========================

Updated packages in core/updates_testing:
========================
apache-2.2.24-1.mga2
apache-mpm-prefork-2.2.24-1.mga2
apache-mpm-worker-2.2.24-1.mga2
apache-mpm-event-2.2.24-1.mga2
apache-mpm-itk-2.2.24-1.mga2
apache-mpm-peruser-2.2.24-1.mga2
apache-mod_dav-2.2.24-1.mga2
apache-mod_ldap-2.2.24-1.mga2
apache-mod_cache-2.2.24-1.mga2
apache-mod_disk_cache-2.2.24-1.mga2
apache-mod_mem_cache-2.2.24-1.mga2
apache-mod_file_cache-2.2.24-1.mga2
apache-mod_deflate-2.2.24-1.mga2
apache-mod_proxy-2.2.24-1.mga2
apache-mod_proxy_ajp-2.2.24-1.mga2
apache-mod_proxy_scgi-2.2.24-1.mga2
apache-mod_suexec-2.2.24-1.mga2
apache-mod_userdir-2.2.24-1.mga2
apache-mod_ssl-2.2.24-1.mga2
apache-mod_dbd-2.2.24-1.mga2
apache-mod_authn_dbd-2.2.24-1.mga2
apache-mod_reqtimeout-2.2.24-1.mga2
apache-htcacheclean-2.2.24-1.mga2
apache-devel-2.2.24-1.mga2
apache-source-2.2.24-1.mga2
apache-doc-2.2.24-1.mga2

from apache-2.2.24-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
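The comments above note that SSLCompression defaults to "on" in 2.2.x and "off" in 2.4.x, and the advisory introduces the directive. As an added example (not part of this bug report, the Mageia packages or Apache's code), this Python sketch reports where TLS-level compression stays enabled in a configuration text. The function names and the sample configuration are hypothetical, the defaults are the ones stated in the comment above, and Include files are not followed.

```python
import re

# Per-branch defaults as stated in the comment above: on for 2.2.x, off for 2.4.x.
DEFAULTS = {"2.2": True, "2.4": False}
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"SSLCompression\s+(on|off)\s*$", re.I)

# Constructed sample configuration (hypothetical hosts, not from a real server).
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    ServerName shop.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName admin.example
    SSLEngine on
    SSLCompression off
</VirtualHost>
"""

def effective_ssl_compression(config_text, httpd_version):
    """Map the main server and each <VirtualHost> to its effective setting."""
    branch = ".".join(httpd_version.split(".")[:2])
    if branch not in DEFAULTS:
        raise ValueError("no default known for httpd " + httpd_version)
    explicit, scopes, scope = {}, ["server"], "server"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        setting = DIRECTIVE.match(line)
        if opened:
            scope = "vhost " + opened.group(1).strip()
            scopes.append(scope)
        elif VHOST_CLOSE.match(line):
            scope = "server"
        elif setting:
            explicit[scope] = setting.group(1).lower() == "on"  # last one wins
    # A virtual host without its own directive inherits the main server value.
    server_value = explicit.get("server", DEFAULTS[branch])
    return {s: explicit.get(s, server_value) for s in scopes}

def compression_enabled_scopes(config_text, httpd_version):
    """List the scopes where TLS-level compression is still enabled."""
    result = effective_ssl_compression(config_text, httpd_version)
    return [s for s, enabled in result.items() if enabled]

if __name__ == "__main__":
    for version in ("2.2.24", "2.4.4"):
        print(version, compression_enabled_scopes(SAMPLE_CONF, version))
```

On the 2.2.24 branch the sample still has compression enabled for the main server and the first virtual host until an explicit `SSLCompression off` is added at server level.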
Is CVE-2012-4558 relevant for Mageia 2?

urpmq -a apache-mod_proxy_
apache-mod_proxy_ajp
apache-mod_proxy_scg
======================================================
Name: CVE-2012-3499
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120614
Category:
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_22.html
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_24.html
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_info.c?r1=1225799&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1389564&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap_cache_mgr.c?r1=1209766&r2=1418752&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_imagemap.c?r1=1398480&r2=1413732&diff_format=h
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c?r1=1404625&r2=1413732&diff_format=h

Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.

======================================================
Name: CVE-2012-4558
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120821
Category:
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_22.html
Reference: CONFIRM:http://httpd.apache.org/security/vulnerabilities_24.html
Reference: CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1404653&r2=1413732&diff_format=h

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.
http://www.apache.org/dist/httpd/CHANGES_2.2.24
Is that in response to comment 6, Oden? apache-mod_proxy_balancer isn't included in Mageia 2, or is it something extraneous which causes the problem if that module is locally compiled?
Ahh NM. I see it's part of apache-mod_proxy
Testing x86_64

After installing apache-mod_proxy, edited etc/httpd/modules.d/30_mod_proxy.conf and at the bottom changed Allow from to 127.0.0.1 and restarted httpd. It can then be accessed at http://localhost/balancer-manager

apache-mod_status, one affected by CVE-2012-3499, can be tested by visiting http://localhost/server-status
URL: http://www.apache.org/dist/httpd/CHANGES_2.4 => http://lwn.net/Vulnerabilities/540078/
Testing complete mga2 64

Used the above and checked with various webapps (zoneminder, phpmyadmin etc)
Whiteboard: (none) => has_procedure MGA2-64-OK
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm apache-2.2.24-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting vulnerability) flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager interface (CVE-2012-4558).

Additionally the ASF bug 53219 was resolved which provides a way to mitigate the CRIME attack vulnerability by disabling TLS-level compression. Use the new directive SSLCompression on|off to enable or disable TLS-level compression, by default SSLCompression is turned on.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
https://bugs.mageia.org/show_bug.cgi?id=9168
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure MGA2-64-OK => has_procedure MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0073
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED