
Bug 385859 (CVE-2011-3368)

Summary: <www-servers/apache-2.2.21-r1 mod_proxy Reverse Proxy Mode Security Bypass (CVE-2011-3368)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs, axiator, pva
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/46288/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 368651

Description Agostino Sarubbo gentoo-dev 2011-10-06 12:49:02 UTC
From the Secunia security advisory at $URL:

Description:
The weakness is caused by the mod_proxy module, when configured in reverse proxy mode, incorrectly processing certain web requests. This can be exploited to send requests to an unintended server behind the proxy via a specially crafted URL.

Successful exploitation requires the use of "ProxyPassMatch" and "RewriteRule" configuration directives with a certain pattern match.

The weakness is reported in all 2.x versions.


Solution:
Apply patch.
https://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:49:57 UTC
CVE-2011-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368):
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use
  of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration
  of a reverse proxy, which allows remote attackers to send requests to
  intranet servers via a malformed URI containing an initial @ (at sign)
  character.
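An added illustration of the mechanism the description and the CVE text above refer to. This is example code written for this page, not code from the bug report, Secunia, or the Apache project. It simulates only the regex substitution that ProxyPassMatch and RewriteRule [P] perform on the request-URI and the URL parsing that follows; it does not implement mod_proxy. The hostnames backend.example.internal and intranet.example.internal and the request-URIs are constructed, and request_uri_is_well_formed is a simplified stand-in for the idea behind the upstream fix (refuse request lines whose URI is neither a path, "*", nor an absolute URI), not the upstream patch itself.

```python
"""Simulate the pattern-substitution step behind CVE-2011-3368.

A ProxyPassMatch / RewriteRule [P] pattern such as ^(.*) with a target
such as http://backend$1 matches ANY request-URI, including one that
does not start with "/". A request line of the form
    GET @intranet.example.internal/admin HTTP/1.0
then expands to http://backend.example.internal@intranet.example.internal/admin,
and the URL parser treats "backend.example.internal" as userinfo and
"intranet.example.internal" as the host to connect to.
All names below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

BACKEND = "backend.example.internal"      # intended proxy target (assumed)
INTRANET = "intranet.example.internal"    # unintended internal host (assumed)

# Vulnerable shape, equivalent to:
#   ProxyPassMatch ^(.*) http://backend.example.internal$1
VULNERABLE_RULE = (r"^(.*)$", r"http://%s\1" % BACKEND)

# Hardened shape: require the leading slash and emit it explicitly:
#   ProxyPassMatch ^/(.*) http://backend.example.internal/$1
FIXED_RULE = (r"^/(.*)$", r"http://%s/\1" % BACKEND)

NORMAL_URI = "/status"                    # ordinary origin-form request-URI
ATTACK_URI = "@" + INTRANET + "/admin"    # constructed: starts with "@", no "/"


def expand_rule(rule, request_uri):
    """Apply one ProxyPassMatch-style rule to a request-URI.
    Returns the backend URL, or None if the pattern does not match
    (in which case the request is not proxied by this rule)."""
    pattern, target = rule
    m = re.match(pattern, request_uri)
    return None if m is None else m.expand(target)


def request_uri_is_well_formed(request_uri):
    """Accept only the request-target forms a proxy should see:
    origin-form ("/..."), asterisk-form ("*"), or absolute-form
    (scheme plus authority). Simplified illustration of the idea
    behind the upstream fix, which answers other request lines with 400;
    this is NOT the upstream patch."""
    if request_uri == "*" or request_uri.startswith("/"):
        return True
    parts = urlsplit(request_uri)
    return bool(parts.scheme and parts.netloc)


def backend_host(rule, request_uri, guard=False):
    """Host the proxy would connect to for this rule and request-URI,
    or None if the request is refused (guard=True) or the rule does not fire."""
    if guard and not request_uri_is_well_formed(request_uri):
        return None          # server would answer 400 Bad Request instead
    url = expand_rule(rule, request_uri)
    return None if url is None else urlsplit(url).hostname


if __name__ == "__main__":
    for label, rule in (("vulnerable", VULNERABLE_RULE), ("fixed", FIXED_RULE)):
        for uri in (NORMAL_URI, ATTACK_URI):
            print(f"{label:10} {uri:40} -> {backend_host(rule, uri)}")
    print("vulnerable rule with request-line guard:",
          backend_host(VULNERABLE_RULE, ATTACK_URI, guard=True))
```

The two checks a practitioner takes from this: at the configuration level, every ProxyPassMatch or proxying RewriteRule pattern should start with `^/` and the target should separate the backend host from the captured path with an explicit `/`, so that a request-URI without a leading slash never reaches the backend URL; at the server level, the patched package rejects such request lines regardless of configuration, which is why the upgrade matters even where the configuration has already been tightened.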
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-10-18 06:42:44 UTC
Patch was added in apache-2.2.21-r1. Also I've added a dependency on >=apr-1.4.5 for the moderate apr_fnmatch flaw that leads to a mod_autoindex remote DoS, CVE-2011-0419 (bug 368651). Also a number of bugs were fixed:

Use extra_{,started}commands, bug #385637 by Martin von Gagern.
Check config during restart, bug #384997 wrt Christian Ruppert (idl0r).
Don't use pidof to check for running instances to make it more container friendly, bug #384267 by Stef Simoens.
Updated defaults in 00_default_settings.conf to better match upstream intentions, bug #387157 by Steve Dibb.

Arch teams, please, stabilize:
www-servers/apache-2.2.21-r1
dev-libs/apr-1.4.5
dev-libs/apr-util-1.3.12
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-18 09:01:06 UTC
looks ok on a server. amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-18 11:30:17 UTC
looks ok on a desktop
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-10-19 11:23:38 UTC
+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-1.4.5.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.

+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-util-1.3.12.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.

+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.21-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-19 12:02:11 UTC
Stable for HPPA.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 16:21:00 UTC
ppc/ppc64 stable
Comment 8 Markus Meier gentoo-dev 2011-10-23 11:45:23 UTC
arm stable
Comment 9 Markus Meier gentoo-dev 2011-10-24 19:54:46 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-10-29 18:46:49 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2011-10-29 19:12:16 UTC
Thanks all. Added glsa vote request.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-10-31 16:01:29 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:03:27 UTC
Vote: Yes. GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:06 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).