|Summary:|<www-servers/apache-2.2.27-r4: httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability (CVE-2014-0226)|
|Product:|Gentoo Security|
|Reporter:|Hanno Böck <hanno>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Package list:||
|Runtime testing required:|---|
Description Hanno Böck 2014-07-17 07:29:53 UTC
A race condition in apache's mod_status can lead to a buffer overflow.

Source: http://www.zerodayinitiative.com/advisories/ZDI-14-236/

Fix is in upstream's apache 2.4.10 which is not yet released but a pre-release package is available and release should be ready within the next days:
https://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/%3C81300987-8AB3-4364-81F5-53F803B39DA4%40jaguNET.com%3E

I don't know about the status in apache 2.2.
Comment 1 Marcel Pennewiß 2014-07-17 20:13:29 UTC
(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2.

Seems to be fixed in 2.2.28, but also not released yet:
http://mail-archives.apache.org/mod_mbox/httpd-cvs/201407.mbox/%3C20140714203433.31B4D23889D5@eris.apache.org%3E
Comment 2 Hanno Böck 2014-07-21 22:56:51 UTC
Finally apache 2.4.10 has been released. 2.2.28 not yet.
Comment 3 GLSAMaker/CVETool Bot 2014-07-22 12:33:12 UTC
CVE-2014-0226 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226): Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
Comment 4 Patrick Lauer 2014-07-24 02:30:32 UTC
Ebuilds for 2.4.10 have been committed
Comment 5 Yury German 2014-07-26 04:03:52 UTC
Maintainer(s): please let us know when the ebuild is ready for stabilization.
Comment 6 Lars Wendler (Polynomial-C) 2014-07-27 10:16:57 UTC
(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for
> stabilization.

Unfortunately not yet. Patrick added the ebuilds without my permission omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.
Comment 7 Yury German 2014-07-27 19:16:10 UTC
Please advise or call for stabilization when ready.
Comment 8 Lars Wendler (Polynomial-C) 2014-07-31 11:41:24 UTC
+*apache-2.4.10-r1 (31 Jul 2014) +*apache-2.2.27-r4 (31 Jul 2014) + + 31 Jul 2014; Lars Wendler <email@example.com> -apache-2.2.27-r3.ebuild, + +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild: + Revbumps to fix security bugs (see #517298). Removed old. +

I've added apache-2.2.27-r4 which fixes the following security bugs:
CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231

apache-2.4.x still isn't stable and I prefer to not stabilize it yet.

Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
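Review bot: The ChangeLog message "Revbumps to fix security bugs (see #517298)" names no CVE, so anyone auditing the tree for CVE-2014-0226 has to open the bug to learn which revision carries the fix. Suggest listing the identifiers in the entry itself, at least the three given for apache-2.2.27-r4 (CVE-2014-0118, CVE-2014-0226, CVE-2014-0231), and stating which of them apache-2.4.10-r1 covers. "Removed old." would also be clearer if it named -apache-2.2.27-r3.ebuild and -apache-2.4.10.ebuild as the revisions being superseded.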
Comment 9 Tobias Klausmann (RETIRED) 2014-07-31 15:07:03 UTC
Stabilized www-servers/apache-2.2.27-r4 on alpha.
Comment 10 Yury German 2014-07-31 17:48:34 UTC
Stabilizing only: apache-2.2.27-r4

Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.
Comment 11 Agostino Sarubbo 2014-08-02 13:44:31 UTC
Comment 12 Agostino Sarubbo 2014-08-02 13:48:10 UTC
Comment 13 Markus Meier 2014-08-03 18:28:54 UTC
Comment 14 Jeroen Roovers (RETIRED) 2014-08-06 09:20:51 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo 2014-08-08 21:42:35 UTC
Comment 16 Agostino Sarubbo 2014-08-09 10:49:36 UTC
Comment 17 Agostino Sarubbo 2014-08-10 09:14:27 UTC
Comment 18 Agostino Sarubbo 2014-08-10 17:27:22 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 19 Lars Wendler (Polynomial-C) 2014-08-16 11:53:25 UTC
+ 16 Aug 2014; Lars Wendler <firstname.lastname@example.org> -apache-2.2.27.ebuild, + -apache-2.4.9-r3.ebuild, -files/00_systemd.conf, + -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in, + -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch: + Removed vulnerable versions. +
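Review bot: The message "Removed vulnerable versions." accounts for -apache-2.2.27.ebuild and -apache-2.4.9-r3.ebuild, but the same entry also drops five paths under files/ (00_systemd.conf, httpd-2.4.3-mod_systemd.patch, 2.2.22-envvars-std.in, apache2.4.service, gentoo-apache-2.2.23-initd_fixups.patch) with no explanation. Suggest saying whether those were used only by the removed ebuilds, and adding the bug reference the 31 Jul entry carried ("see #517298") so the cleanup can be traced back to the security bug.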
Comment 20 Yury German 2014-08-16 17:54:38 UTC
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA request.
Comment 21 GLSAMaker/CVETool Bot 2014-08-31 11:18:37 UTC
This issue was resolved and addressed in GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).