Bug 517298 (CVE-2014-0226)

(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2.

Seems to be fixed in 2.2.28, but also not released yet:
http://mail-archives.apache.org/mod_mbox/httpd-cvs/201407.mbox/%3C20140714203433.31B4D23889D5@eris.apache.org%3E

Comment 2 Hanno Böck 2014-07-21 22:56:51 UTC

Finally apache 2.4.10 has been released. 2.2.28 not yet.

Comment 3 GLSAMaker/CVETool Bot 2014-07-22 12:33:12 UTC

CVE-2014-0226 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226):
  Race condition in the mod_status module in the Apache HTTP Server before
  2.4.10 allows remote attackers to cause a denial of service (heap-based
  buffer overflow), or possibly obtain sensitive credential information or
  execute arbitrary code, via a crafted request that triggers improper
  scoreboard handling within the status_handler function in
  modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in
  modules/lua/lua_request.c.

Comment 4 Patrick Lauer 2014-07-24 02:30:32 UTC

Ebuilds for 2.4.10 have been committed

Comment 5 Yury German 2014-07-26 04:03:52 UTC

Maintainer(s): please let us know when the ebuild is ready for  stabilization.

Comment 6 Lars Wendler (Polynomial-C) (RETIRED) 2014-07-27 10:16:57 UTC

(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for 
> stabilization.

Unfortunately not yet. Patrick added the ebuilds without my permission omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.

Comment 7 Yury German 2014-07-27 19:16:10 UTC

Please advise or call for stabilization when ready.

Comment 8 Lars Wendler (Polynomial-C) (RETIRED) 2014-07-31 11:41:24 UTC

+*apache-2.4.10-r1 (31 Jul 2014)
+*apache-2.2.27-r4 (31 Jul 2014)
+
+  31 Jul 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r3.ebuild,
+  +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild:
+  Revbumps to fix security bugs (see #517298). Removed old.
+

I've added apache-2.2.27-r4 which fixes the following security bugs:
CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231
apache-2.4.x still isn't stable and I prefer to not stbilize it yet.


Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd

Comment 9 Tobias Klausmann (RETIRED) 2014-07-31 15:07:03 UTC

Stabilized www-servers/apache-2.2.27-r4 on alpha.

Comment 10 Yury German 2014-07-31 17:48:34 UTC

Stabilizing only:
apache-2.2.27-r4

Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.

Comment 11 Agostino Sarubbo 2014-08-02 13:44:31 UTC

amd64 stable

Comment 12 Agostino Sarubbo 2014-08-02 13:48:10 UTC

x86 stable

Comment 13 Markus Meier 2014-08-03 18:28:54 UTC

arm stable

Comment 14 Jeroen Roovers (RETIRED) 2014-08-06 09:20:51 UTC

Stable for HPPA.

Comment 15 Agostino Sarubbo 2014-08-08 21:42:35 UTC

ppc stable

Comment 16 Agostino Sarubbo 2014-08-09 10:49:36 UTC

ppc64 stable

Comment 17 Agostino Sarubbo 2014-08-10 09:14:27 UTC

ia64 stable

Comment 18 Agostino Sarubbo 2014-08-10 17:27:22 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 19 Lars Wendler (Polynomial-C) (RETIRED) 2014-08-16 11:53:25 UTC

+  16 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27.ebuild,
+  -apache-2.4.9-r3.ebuild, -files/00_systemd.conf,
+  -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in,
+  -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch:
+  Removed vulnerable versions.
+

Comment 20 Yury German 2014-08-16 17:54:38 UTC

Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.

Comment 21 GLSAMaker/CVETool Bot 2014-08-31 11:18:37 UTC

This issue was resolved and addressed in
 GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).