
Bug 535948 (CVE-2014-0118)

Summary: <www-servers/apache-2.2.29: multiple vulnerabilities (CVE-{2013-5704},2014-{0118,0226,0231})
Product: Gentoo Security
Reporter: devnull
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: polynomial-c
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description devnull 2015-01-07 16:31:13 UTC
apache-2.2.29 fixes some bugs and known CVEs and should be stabilized asap. At least stable for me at amd64.

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-07 16:40:42 UTC
Fixed in Apache httpd 2.2.29
important: mod_cgid denial of service CVE-2014-0231 

 A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service. 

Acknowledgements: This issue was reported by Rainer Jung of the ASF 
 Reported to security team: 16th June 2014
 Issue public: 14th July 2014
 Update Released: 3rd September 2014
 Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: HTTP Trailers processing bypass CVE-2013-5704 

 HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier.

This fix adds the "MergeTrailers" directive to restore legacy behavior. 

Acknowledgements: This issue was reported by Martin Holst Swende. 
 Reported to security team: 6th September 2013
 Issue public: 19th October 2013
 Update Released: 3rd September 2014
 Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_deflate denial of service CVE-2014-0118 

 A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration. 

Acknowledgements: This issue was reported by Giancarlo Pellegrino and Davide Balzarotti 
 Reported to security team: 19th February 2014
 Issue public: 14th July 2014
 Update Released: 3rd September 2014
 Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_status buffer overflow CVE-2014-0226 

 A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessible server status page. 

Acknowledgements: This issue was reported by Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 via HP ZDI 
 Reported to security team: 30th May 2014
 Issue public: 14th July 2014
 Update Released: 3rd September 2014
 Affects: 2.2.27, 2.2.26, 2.2.25, 2.2.24, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
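A defender-side configuration check for the two exposure conditions the advisory text above names: the DEFLATE request-body input filter (CVE-2014-0118) and a server-status page that is reachable without an access restriction (CVE-2014-0226). This is an added example, not code from this bug, from Gentoo or from the Apache project; the httpd.conf fragment is constructed, and treating any Require/Allow/Deny directive other than the open forms as a restriction is a heuristic assumption.

```python
import re

# Constructed sample httpd.conf fragment (not from the bug or from Apache).
SAMPLE_CONF = """\
<Location /upload>
    SetInputFilter DEFLATE
</Location>
<Location /server-status>
    SetHandler server-status
</Location>
<Location /admin-status>
    SetHandler server-status
    Require ip 10.0.0.0/8
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>", re.I)
# Heuristic: Allow/Deny (2.2 style) or Require (2.4 style) is a restriction
# unless it is the open form "Require all granted" / "Allow from all".
RESTRICT_RE = re.compile(
    r"^(Require\s+(?!all\s+granted)|Allow\s+from\s+(?!all\b)|Deny\s+from)", re.I)
STATUS_RE = re.compile(r"SetHandler\s+server-status\b", re.I)
DEFLATE_IN_RE = re.compile(r"(Set|Add)InputFilter\s+.*\bDEFLATE\b", re.I)


def parse_blocks(conf):
    """Split a config into (location, [directives]); '' is the top level."""
    blocks = [("", [])]
    current = blocks[0]
    for line in (ln.strip() for ln in conf.splitlines()):
        m = LOCATION_RE.match(line)
        if m:                                   # open a <Location> block
            current = (m.group(1), [])
            blocks.append(current)
        elif line.lower().startswith("</location"):
            current = blocks[0]                 # back to top level
        elif line and not line.startswith("#"):
            current[1].append(line)
    return blocks


def audit(conf):
    """Return (cve, location, reason) for each exposure condition found."""
    findings = []
    for path, directives in parse_blocks(conf):
        where = path or "(global)"
        if any(DEFLATE_IN_RE.match(d) for d in directives):
            findings.append(("CVE-2014-0118", where, "DEFLATE input filter enabled"))
        if any(STATUS_RE.match(d) for d in directives) and not any(
                RESTRICT_RE.match(d) for d in directives):
            findings.append(("CVE-2014-0226", where, "unrestricted server-status"))
    return findings
```

Run `audit()` over a real httpd.conf (with includes concatenated) to list the locations worth restricting or disabling until the 2.2.29 update is installed.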
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-07 16:42:45 UTC
The 2.4 branch should be bumped as well.

Fixed in Apache httpd 2.4.11-dev
low: mod_proxy_fcgi out-of-bounds memory read CVE-2014-3583

 An out-of-bounds memory read was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a crash when reading past the end of a heap memory or stack buffer. This issue affects version 2.4.10 only. 

Acknowledgements: This issue was reported by Teguh P. Alko. 
 Reported to security team: 17th September 2014
 Issue public: 12th November 2014
 Affects: 2.4.10

low: mod_cache crash with empty Content-Type header CVE-2014-3581 

 A NULL pointer dereference was found in mod_cache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. This crash would only be a denial of service if using a threaded MPM. 
 Issue public: 8th September 2014
 Affects: 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1

low: HTTP Trailers processing bypass CVE-2013-5704 

 HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier.

This fix adds the "MergeTrailers" directive to restore legacy behavior. 

Acknowledgements: This issue was reported by Martin Holst Swende. 
 Reported to security team: 6th September 2013
 Issue public: 19th October 2013
 Affects: 2.4.10, 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-02-04 21:31:39 UTC
Hey Lars, when do you have time for this? Do you need help here?
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-02-05 06:29:28 UTC
Sorry for the delay guys.

Arches please test and mark stable the following packages:

=app-admin/apache-tools-2.2.29
=www-servers/apache-2.2.29

with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-05 12:17:27 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-06 11:33:55 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-06 11:35:37 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2015-02-08 21:10:40 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:22:24 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-18 08:50:56 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-18 09:17:39 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:00 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:11 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 02:08:40 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 13:55:54 UTC
ping on cleanup.
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-16 21:53:07 UTC
+  16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -apache-tools-2.2.27.ebuild, -apache-tools-2.2.27-r1.ebuild,
+  -apache-tools-2.4.10.ebuild:
+  Removed vulnerable versions.
+

+  16 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r4.ebuild,
+  -apache-2.4.10-r1.ebuild:
+  Removed vulnerable versions.
+
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:04:33 UTC
This issue was resolved and addressed in
 GLSA 201504-03 at https://security.gentoo.org/glsa/201504-03
by GLSA coordinator Yury German (BlueKnight).