| Summary: | <www-servers/apache-2.2.27-r4: httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability (CVE-2014-0226) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo, polynomial-c |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.zerodayinitiative.com/advisories/ZDI-14-236/ | | |
| Whiteboard: | A1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Hanno Böck, 2014-07-17 07:29:53 UTC

(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2. Seems to be fixed in 2.2.28, but also not released yet:
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/201407.mbox/%3C20140714203433.31B4D23889D5@eris.apache.org%3E

Finally apache 2.4.10 has been released. 2.2.28 not yet.

CVE-2014-0226 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226): Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Ebuilds for 2.4.10 have been committed.

Maintainer(s): please let us know when the ebuild is ready for stabilization.

(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for
> stabilization.

Unfortunately not yet. Patrick added the ebuilds without my permission, omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.

Please advise or call for stabilization when ready.

```
+*apache-2.4.10-r1 (31 Jul 2014)
+*apache-2.2.27-r4 (31 Jul 2014)
+
+ 31 Jul 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r3.ebuild,
+ +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild:
+ Revbumps to fix security bugs (see #517298). Removed old.
+
```

I've added apache-2.2.27-r4 which fixes the following security bugs: CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231. apache-2.4.x still isn't stable and I prefer to not stabilize it yet.

Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd

Stabilized www-servers/apache-2.2.27-r4 on alpha.

Stabilizing only: apache-2.2.27-r4. Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.

amd64 stable

x86 stable

arm stable

Stable for HPPA.

ppc stable

ppc64 stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

```
+ 16 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27.ebuild,
+ -apache-2.4.9-r3.ebuild, -files/00_systemd.conf,
+ -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in,
+ -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch:
+ Removed vulnerable versions.
+
```

Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
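As an added example (not part of the bug thread, and not Gentoo's or Apache's own tooling), the following Python helper applies the version boundaries stated in this thread to triage a host inventory for CVE-2014-0226: upstream fixed from 2.4.10 (and, per the thread, 2.2.28), with Gentoo backports in apache-2.2.27-r4 and apache-2.4.10-r1. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed; the function names are this example's own.

```python
import re

# Fix boundaries as stated in the bug thread above: upstream 2.4.10 and,
# per the thread, 2.2.28; Gentoo backported the fix into apache-2.2.27-r4.
UPSTREAM_FIXED = {(2, 2): 28, (2, 4): 10}   # branch -> first fixed patch level
GENTOO_BACKPORT = {(2, 2): (27, 4)}         # branch -> (patch, -rN) carrying the fix

# Matches "2.2.27" in "Apache/2.2.27 (Unix)" and "2.2.27-r4" in a Gentoo atom.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, revision) from 'httpd -v' output or a
    Gentoo atom such as www-servers/apache-2.2.27-r4.
    Revision is 0 without an -rN suffix; None if no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    rev = int(m.group(4)) if m.group(4) else 0
    return major, minor, patch, rev


def cve_2014_0226_status(text, gentoo=None):
    """Classify a version string as 'fixed', 'vulnerable' or 'unknown'.

    gentoo=True means the string names a Gentoo ebuild, so the -rN backport
    counts; when None it is inferred from a www-servers/apache atom prefix.
    Only the version number is judged, not whether mod_status is loaded."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, rev = parsed
    branch = (major, minor)
    if gentoo is None:
        gentoo = "www-servers/apache" in text
    if branch not in UPSTREAM_FIXED:
        return "unknown"   # branches the bug thread does not cover
    if patch >= UPSTREAM_FIXED[branch]:
        return "fixed"
    if gentoo and branch in GENTOO_BACKPORT and (patch, rev) >= GENTOO_BACKPORT[branch]:
        return "fixed"
    return "vulnerable"


# Constructed sample inventory: hostnames and version strings are made up,
# mixing 'httpd -v' output with Gentoo package atoms as an inventory might.
SAMPLE_INVENTORY = [
    ("web1", "Server version: Apache/2.2.27 (Unix)"),
    ("web2", "www-servers/apache-2.2.27-r4"),
    ("web3", "Server version: Apache/2.4.9 (Unix)"),
    ("web4", "Server version: Apache/2.4.10 (Unix)"),
    ("web5", "www-servers/apache-2.4.10-r1"),
]


def triage(inventory):
    """Map each host to its CVE-2014-0226 status."""
    return {host: cve_2014_0226_status(text) for host, text in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The point of the separate Gentoo flag is the one this thread turns on: a plain `Apache/2.2.27` banner is vulnerable, while Gentoo's `2.2.27-r4` ebuild is not, so a banner-only comparison against the upstream threshold misclassifies patched distribution packages.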