Bug 9704 - apache-mod_security new security issue CVE-2013-1915
: apache-mod_security new security issue CVE-2013-1915
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/547020/
: has_procedure mga2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-04-11 19:09 CEST by David Walser
Modified: 2013-05-02 19:19 CEST (History)
5 users (show)

See Also:
Source RPM: apache-mod_security-2.7.2-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-04-11 19:09:54 CEST
Debian has issued an advisory on April 9:
http://www.debian.org/security/2013/dsa-2659

They linked to the upstream commit, and backported it to 2.6.x:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704625

Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Guillaume Rousse 2013-04-13 13:20:41 CEST
I just submitted version 2.7.3, fixing this issue, in cauldron.
Comment 2 Guillaume Rousse 2013-04-13 13:55:06 CEST
2.6.3-3.4 available in core/updates_testing for mageia2, with patch applied.
Comment 3 David Walser 2013-04-13 17:10:50 CEST
Thanks Guillaume!

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the
XML files parser of ModSecurity, an Apache module whose purpose is to tighten
the Web application security, is vulnerable to XML external entities attacks.
A specially-crafted XML file provided by a remote attacker, could lead to local
file disclosure or excessive resources (CPU, memory) consumption when processed
(CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default.
This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.4.mga2.i586.rpm
mlogc-2.6.3-3.4.mga2

from apache-mod_security-2.6.3-3.4.mga2.src.rpm
Comment 4 Oden Eriksson 2013-04-26 08:18:56 CEST
======================================================
Name: CVE-2013-1915
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: MLIST:[oss-security] 20130403 Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable  to XXE attacks
Reference: URL:http://www.openwall.com/lists/oss-security/2013/04/03/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=947842
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
Reference: CONFIRM:https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reference: DEBIAN:DSA-2659
Reference: URL:http://www.debian.org/security/2013/dsa-2659
Reference: BID:58810
Reference: URL:http://www.securityfocus.com/bid/58810
Reference: SECUNIA:52847
Reference: URL:http://secunia.com/advisories/52847
Reference: SECUNIA:52977
Reference: URL:http://secunia.com/advisories/52977

ModSecurity before 2.7.3 allows remote attackers to read arbitrary
files, send HTTP requests to intranet servers, or cause a denial of
service (CPU and memory consumption) via an XML external entity
declaration in conjunction with an entity reference, aka an XML
External Entity (XXE) vulnerability.
Comment 5 claire robinson 2013-04-29 15:47:45 CEST
Testing complete mga2 64

Not much information to be able to reproduce so as with the previous modsecurity update, just checking it loads ok with..

# httpd -M 2>/dev/null |grep security

security_module (shared)
Comment 6 Dave Hodgins 2013-04-30 05:21:33 CEST
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
apache-mod_security-2.6.3-3.4.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated apache-mod_security packages fix security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the
XML files parser of ModSecurity, an Apache module whose purpose is to tighten
the Web application security, is vulnerable to XML external entities attacks.
A specially-crafted XML file provided by a remote attacker, could lead to local
file disclosure or excessive resources (CPU, memory) consumption when processed
(CVE-2013-1915).

This update introduces a SecXmlExternalEntity option which is "Off" by default.
This will disable the ability of libxml2 to load external entities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659

https://bugs.mageia.org/show_bug.cgi?id=9704
Comment 7 Thomas Backlund 2013-05-02 19:19:19 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0129

Note You need to log in before you can comment on or make changes to this bug.