Bug 9704 - apache-mod_security new security issue CVE-2013-1915
Summary: apache-mod_security new security issue CVE-2013-1915
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/547020/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-04-11 19:09 CEST by David Walser
Modified: 2013-05-02 19:19 CEST (History)
5 users (show)

See Also:
Source RPM: apache-mod_security-2.7.2-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-04-11 19:09:54 CEST
Debian has issued an advisory on April 9:
http://www.debian.org/security/2013/dsa-2659

They linked to the upstream commit, and backported it to 2.6.x:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625

Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-04-11 19:10:11 CEST

CC: (none) => guillomovitch, oe

Comment 1 Guillaume Rousse 2013-04-13 13:20:41 CEST
I just submitted version 2.7.3, fixing this issue, in cauldron.
Comment 2 Guillaume Rousse 2013-04-13 13:55:06 CEST
2.6.3-3.4 available in core/updates_testing for mageia2, with patch applied.

Status: NEW => ASSIGNED

Comment 3 David Walser 2013-04-13 17:10:50 CEST
Thanks Guillaume!

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the
XML files parser of ModSecurity, an Apache module whose purpose is to tighten
the Web application security, is vulnerable to XML external entities attacks.
A specially-crafted XML file provided by a remote attacker, could lead to local
file disclosure or excessive resources (CPU, memory) consumption when processed
(CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default.
This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.4.mga2.i586.rpm
mlogc-2.6.3-3.4.mga2

from apache-mod_security-2.6.3-3.4.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs

David Walser 2013-04-25 21:49:32 CEST

Severity: normal => major

Comment 4 Oden Eriksson 2013-04-26 08:18:56 CEST
======================================================
Name: CVE-2013-1915
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: MLIST:[oss-security] 20130403 Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable  to XXE attacks
Reference: URL:http://www.openwall.com/lists/oss-security/2013/04/03/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=947842
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reference: DEBIAN:DSA-2659
Reference: URL:http://www.debian.org/security/2013/dsa-2659
Reference: BID:58810
Reference: URL:http://www.securityfocus.com/bid/58810
Reference: SECUNIA:52847
Reference: URL:http://secunia.com/advisories/52847
Reference: SECUNIA:52977
Reference: URL:http://secunia.com/advisories/52977

ModSecurity before 2.7.3 allows remote attackers to read arbitrary
files, send HTTP requests to intranet servers, or cause a denial of
service (CPU and memory consumption) via an XML external entity
declaration in conjunction with an entity reference, aka an XML
External Entity (XXE) vulnerability.
Comment 5 claire robinson 2013-04-29 15:47:45 CEST
Testing complete mga2 64

Not much information to be able to reproduce so as with the previous modsecurity update, just checking it loads ok with..

# httpd -M 2>/dev/null |grep security

security_module (shared)

Whiteboard: (none) => has_procedure mga2-64-OK

Comment 6 Dave Hodgins 2013-04-30 05:21:33 CEST
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
apache-mod_security-2.6.3-3.4.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the
XML files parser of ModSecurity, an Apache module whose purpose is to tighten
the Web application security, is vulnerable to XML external entities attacks.
A specially-crafted XML file provided by a remote attacker, could lead to local
file disclosure or excessive resources (CPU, memory) consumption when processed
(CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default.
This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659

https://bugs.mageia.org/show_bug.cgi?id=9704

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Thomas Backlund 2013-05-02 19:19:19 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0129

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.