Bug 186219 - www-servers/apache Multiple issues (CVE-2006-{5752}, CVE-2007-{1862,1863,3304,3847,4465})
Bug#: 186219
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://httpd.apache.org/security/vulnerabilities_22.html
Summary: www-servers/apache Multiple issues (CVE-2006-{5752}, CVE-2007-{1862,1863,3304,3847,4465})
Keywords:
Status Whiteboard: A3 [glsa]
Opened: 2007-07-22 12:38 0000

Not sure we're affected by these ones either.
CVE-2006-5752
Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status
module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a
public server-status page is used, allows remote attackers to inject arbitrary
web script or HTML via unspecified vectors involving charsets with browsers
that perform "charset detection" when the content-type is not specified.
CVE-2007-1863
Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status
module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a
public server-status page is used, allows remote attackers to inject arbitrary
web script or HTML via unspecified vectors involving charsets with browsers
that perform "charset detection" when the content-type is not specified.
moderate: mod_status cross-site scripting CVE-2006-5752
Affects: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50,
2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
2.0.37, 2.0.36, 2.0.35
Fixed in Apache httpd 2.0.61-dev
patched in apache-2.2.4-r12 or earlier
moderate: mod_cache proxy DoS CVE-2007-1863
Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0
Fixed in Apache httpd 2.2.6-dev
patched in apache-2.2.4-r12 or earlier
didn't check the 2.0.x branch.
however apache-2.2.4-r12 needs a patch for
moderate: mod_proxy crash CVE-2007-3847
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a
reverse proxy is configured, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to
crash. On sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using the
proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module.
http://httpd.apache.org/security/vulnerabilities_22.html
there's also bug 191603, and I have to admit I'm a bit lost with all these
issues and versions. Apache, please advise on what needs to be done to fix
this, and maybe close the other bug if it's not necessary.
all CVEs have been backported to 2.0.59-r5/2.2.4-r12, except 2007-3847 is
missing in 2.2.4-r12, but fixed with 2.2.6, which is now in cvs, see also
#187258
*** Bug 191603 has been marked as a duplicate of this bug. ***
ok thanks for the info. So in the end, how do you want to proceed with
stabilization? In any case seems that we'll have to call arches for 2.2.6 as a
fix is missing with 2.2.4-r12, but should we call all arches for 2.0.61 or just
the ones that don't have 2.0.59-r5? please advise.
2.0.59-r5 is ok, but 2.2.6 should be stabilized asap for CVE-2007-3847
ok.
Arches, please test and mark stable
net-www/apache-2.0.59-r5 and net-www/apache-2.2.6.
Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
~x86-fbsd"
(In reply to comment #7)
> ok.
> Arches, please test and mark stable
> net-www/apache-2.0.59-r5 and net-www/apache-2.2.6.
> Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
> ~x86-fbsd"
>
That's www-servers/apache-2.0.59-r5 and www-servers/apache-2.2.6
Don't forget to mark app-admin/apache-tools-2.2.6 stable as well.
All stable for HPPA.
*** Bug 187258 has been marked as a duplicate of this bug. ***
apache-2.0.59-r5, apache-2.2.6 and apache-tools-2.2.6 all emerged fine here on
my sparc64.
Got the following notice for apache-2.0.59-r5:
dodoc: etc/apache2/*-std.conf does not exist
and the following notices for apache-2.2.6:
install: cannot stat
`/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2logserverstatus':
No such file or directory
install: cannot stat
`/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2splitlogfile':
No such file or directory
Tested with:
www-servers/apache-2.0.59-r5 (apache2 mpm-prefork ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-worker ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-leader static-modules threads)
app-admin/apache-tools-2.2.6
www-servers/apache-2.2.6 (mpm-prefork ssl)
app-admin/apache-tools-2.2.6 (ssl)
www-servers/apache-2.2.6 (mpm-worker ssl)
app-admin/apache-tools-2.2.6 (ssl)
www-servers/apache-2.2.6 (static-modules threads)
--- amd64 ---
www-servers/apache-2.2.6 - USE: -debug -doc -ldap -mpm-event -mpm-itk
-mpm-peruser -mpm-prefork -mpm-worker -no-suexec -selinux ssl -static-modules
threads
app-admin/apache-tools-2.2.6 - USE: ssl
1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (*) basic static web pages, php support tested
* app-admin/apache-tools-2.2.6 - log_server_status gives
Can't locate sys/socket.ph in @INC (did you run h2ph?) (@INC contains:
/etc/perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux
/usr/lib64/perl5/vendor_perl/5.8.8 /usr/lib64/perl5/vendor_perl
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux /usr/lib64/perl5/site_perl/5.8.8
/usr/lib64/perl5/site_perl /usr/lib64/perl5/5.8.8/x86_64-linux
/usr/lib64/perl5/5.8.8 /usr/local/lib/site_perl .) at
/usr/sbin/log_server_status line 28.
Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4,
2.6.22-gentoo-r6 x86_64)
amd64 done... now to upgrade all my web servers... :P
Tested apache with the above use flags again after updating to gcc-4.1.2 got
the same results.
sparc stable, thanks Jorge Manuel.
This is ready to go
A3 => no vote here :p
glsa request filed.
finally closing with GLSA 200711-06, sorry for the delay :/
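
The CVE-2006-5752 description quoted at the top of this bug names two preconditions: ExtendedStatus enabled and a public server-status page. The following is an added example, not part of the bug report or of any Gentoo or Apache tooling, that checks a configuration for both. It assumes Apache 2.0/2.2 `Order`/`Deny`/`Allow` syntax, treats a status block without `Deny from all` as public (a heuristic, not full `Order` evaluation), and uses constructed sample configs and hypothetical function names.

```python
# Constructed sample in Apache 2.0/2.2 access-control syntax (not taken from the bug).
SAMPLE_EXPOSED = """\
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
"""
# Same block limited to localhost: the status page is no longer public.
SAMPLE_RESTRICTED = SAMPLE_EXPOSED.replace(
    "Order allow,deny\n    Allow from all",
    "Order deny,allow\n    Deny from all\n    Allow from 127.0.0.1")


def directives(text):
    """Yield (lowercased name, argument string) per non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_mod_status(text):
    """Report both preconditions: ExtendedStatus On and a public status handler."""
    extended, public, block = False, [], None
    for name, args in directives(text):
        low = " ".join(args.lower().split())
        if name == "extendedstatus":
            extended = low == "on"
        elif name == "<location":
            block = {"path": args.rstrip(">").strip(), "handler": False,
                     "deny_all": False, "allow_all": False}
        elif name == "</location>" and block is not None:
            # Heuristic: public if the handler is set and access is not denied by default.
            if block["handler"] and (block["allow_all"] or not block["deny_all"]):
                public.append(block["path"])
            block = None
        elif block is not None:
            if name == "sethandler" and low == "server-status":
                block["handler"] = True
            elif name in ("deny", "allow") and low == "from all":
                block[name + "_all"] = True
    return {"extended_status": extended, "public_paths": public,
            "preconditions_met": extended and bool(public)}


if __name__ == "__main__":
    print(audit_mod_status(SAMPLE_EXPOSED))
    print(audit_mod_status(SAMPLE_RESTRICTED))
```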