Bug 538182 - <www-servers/apache-2.4.12: multiple vulnerabilities (CVE-2014-{3583,3581,8109,5704})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.apache.org/dist/httpd/Ann...
Whiteboard: ~3 [noglsa]
Reported: 2015-01-29 17:16 UTC by Hanno Böck
Modified: 2015-12-31 06:07 UTC
Description Hanno Böck gentoo-dev 2015-01-29 17:16:51 UTC
From upstream release notes:

CVE-2014-3583 (cve.mitre.org)
 mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with 
 response headers' size above 8K.

CVE-2014-3581 (cve.mitre.org)
 mod_cache: Avoid a crash when Content-Type has an empty value.
 PR 56924.

CVE-2014-8109 (cve.mitre.org)
 mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
 used in multiple Require directives with different arguments.
 PR57204.

CVE-2013-5704 (cve.mitre.org)
 core: HTTP trailers could be used to replace HTTP headers
 late during request processing, potentially undoing or
 otherwise confusing modules that examined or modified
 request headers earlier.  Adds "MergeTrailers" directive to restore
 legacy behavior.

Please bump.
Comment 1 Tomáš Mózes 2015-01-30 11:00:18 UTC
Just renaming 2.4.10 to 2.4.12 yields a working instance, tested with PHP (also fpm).
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 07:18:33 UTC
From RedHat Bug:

This flaw was introduced via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1594537

Prior to the change, the code ensured that the buffer passed to the handle_headers() function was always properly NUL terminated, as was expected by the function.

The change was added in the httpd upstream version 2.4.10, which is the only version affected by this flaw.  The upstream vulnerabilities page is now updated to no longer list 2.4.1 - 2.4.9 as affected by this issue.
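
An added illustration of the condition described in the Red Hat note above, not code from httpd or from this bug: a header-end scanner bounded by the byte count of each read rather than by a NUL terminator, so a read that fills the whole buffer cannot cause an over-read. The names `scan_header_end`, `hdr_state`, `READ_BUF` and `demo_full_buffer` are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <string.h>
#define READ_BUF 8192 /* constructed size, chosen to match the 8K figure above */

enum hdr_state { HDR_TEXT, HDR_CR, HDR_LF, HDR_LF_CR };

/* Scan exactly len bytes for the blank line ending the headers ("\r\n\r\n"
 * or "\n\n"), keeping state in *st so the terminator may span two reads.
 * Returns the offset of the first body byte, or -1 if more data is needed.
 * A scan that stops on a NUL byte instead would run past buf when a read
 * fills it completely. */
long scan_header_end(const char *buf, size_t len, enum hdr_state *st)
{
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        switch (*st) {
        case HDR_TEXT:
            *st = c == '\r' ? HDR_CR : c == '\n' ? HDR_LF : HDR_TEXT;
            break;
        case HDR_CR:
            *st = c == '\n' ? HDR_LF : c == '\r' ? HDR_CR : HDR_TEXT;
            break;
        case HDR_LF:
        case HDR_LF_CR:
            if (c == '\n') {
                *st = HDR_TEXT;
                return (long)(i + 1);
            }
            if (c == '\r')
                *st = (*st == HDR_LF) ? HDR_LF_CR : HDR_CR;
            else
                *st = HDR_TEXT;
            break;
        }
    }
    return -1;
}

/* Constructed input: the first read fills the buffer with no terminator,
 * the second read carries the end of the headers and the body. */
long demo_full_buffer(void)
{
    static char first[READ_BUF];
    const char second[] = { '\r', '\n', '\r', '\n', 'b', 'o', 'd', 'y' };
    enum hdr_state st = HDR_TEXT;
    memset(first, 'A', sizeof first);
    memcpy(first, "X-Long: ", 8);
    if (scan_header_end(first, sizeof first, &st) != -1)
        return -2;
    return scan_header_end(second, sizeof second, &st);
}
```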
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-02-04 18:18:59 UTC
+*apache-2.4.12 (04 Feb 2015)
+
+  04 Feb 2015; Lars Wendler <polynomial-c@gentoo.org> +apache-2.4.12.ebuild:
+  Security bump (bug #538182).
+
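Review bot: The file list on the first line of the apache entry has only `+apache-2.4.12.ebuild` and removes nothing, whereas the apache-tools entry that follows drops its old ebuild in the same bump. Comment 2 identifies 2.4.10 as the version affected by the handle_headers() flaw, so either remove that ebuild in this commit or follow up with a cleanup; it would also help to name the CVE ids in the "Security bump" line instead of only the bug number.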

+*apache-tools-2.4.12 (04 Feb 2015)
+
+  04 Feb 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -apache-tools-2.4.9-r1.ebuild, +apache-tools-2.4.12.ebuild:
+  Security bump (bug #538182). Removed old.
+
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-02-22 03:24:19 UTC
Since version 2.4.X is not stable, unless you have plans to stabilize it, please clean up the vulnerable version.

Please change whiteboard accordingly.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:07:03 UTC
Thank you all. Closing as noglsa.