Bug 676064 (CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)

Summary: <www-servers/apache-2.4.38-r1: Multiple Vulnerabilities
Product: Gentoo Security
Reporter: Craig Andrews <candrews>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: apache-bugs, candrews, djc, hanno, hydrapolic, polynomial-c, sokan
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www-eu.apache.org/dist//httpd/CHANGES_2.4.38
Whiteboard: B3 [glsa+ cve]
Package list: app-admin/apache-tools-2.4.38 www-servers/apache-2.4.38-r1
Runtime testing required: ---

Comment 1 Hanno Böck gentoo-dev 2019-01-22 20:18:30 UTC
This fixes multiple security bugs; it seems the advisories aren't yet on the Apache page, but they are on oss-security:
https://www.openwall.com/lists/oss-security/2019/01/22/2
https://www.openwall.com/lists/oss-security/2019/01/22/3
https://www.openwall.com/lists/oss-security/2019/01/22/4
Comment 2 Tomáš Mózes 2019-01-23 08:44:07 UTC
Deployed on a few machines and so far so good (simple copy from 2.4.37).
Comment 3 Larry the Git Cow gentoo-dev 2019-01-23 12:05:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83d835b33bf278c1f6bdcd8dfb22d9772a5ad4a1

commit 83d835b33bf278c1f6bdcd8dfb22d9772a5ad4a1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-01-23 11:54:42 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-01-23 12:05:32 +0000

    www-servers/apache: Security bump to version 2.4.38
    
    Bug: https://bugs.gentoo.org/676064
    Package-Manager: Portage-2.3.58, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   1 +
 www-servers/apache/apache-2.4.38.ebuild | 257 ++++++++++++++++++++++++++++++++
 2 files changed, 258 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfbfdecee0d3bf160779211d2d7fed5a0ade8787

commit dfbfdecee0d3bf160779211d2d7fed5a0ade8787
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-01-23 11:53:52 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-01-23 12:05:32 +0000

    app-admin/apache-tools: Security bump to version 2.4.38
    
    Bug: https://bugs.gentoo.org/676064
    Package-Manager: Portage-2.3.58, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.38.ebuild | 105 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
Comment 4 Tomáš Mózes 2019-02-01 04:22:22 UTC
*** Bug 677000 has been marked as a duplicate of this bug. ***
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2019-03-20 15:03:57 UTC
So, err, should we perhaps stabilize this thing? I'm surprised that this has been sitting here this long, with one vulnerability classified as Important.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-03-20 15:09:00 UTC
(In reply to Dirkjan Ochtman from comment #5)
> So, err, should we perhaps stabilize this thing? I'm surprised that this has
> been sitting here this long, with one vulnerability classified as Important.

Definitely. Sorry I lost track of this one.
Comment 7 Agostino Sarubbo gentoo-dev 2019-03-20 20:59:30 UTC
amd64 stable
Comment 8 Markus Meier gentoo-dev 2019-03-21 20:37:45 UTC
arm stable
Comment 9 Rolf Eike Beer archtester 2019-03-23 11:54:19 UTC
sparc stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 13:31:04 UTC
CVE Information:

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Versions Affected: httpd 2.4.17 to 2.4.37

Description:
By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections in Apache HTTP Server versions 2.4.37 and prior.

--
CVE-2018-17199: mod_session_cookie does not respect expiry time
Versions Affected: httpd 2.4.0 to 2.4.37

Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

--
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Versions Affected: httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
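A small model of the CVE-2018-17199 ordering bug described in the comment above, added here as an illustration and not Apache's code: the form-encoded cookie blob and the function names are constructed, and the only point it carries is that a cookie-backed session's expiry is not known until the blob is decoded, so a check placed before decode can never fire.

```python
"""Model of CVE-2018-17199: expiry tested before the session is decoded."""
import time
from urllib.parse import parse_qsl, urlencode


# Constructed cookie format for this illustration: form-encoded pairs with
# the expiry carried inside the blob itself, since mod_session_cookie keeps
# the whole session in the cookie rather than in a server-side store.
def encode_session(entries, expiry):
    return urlencode({"expiry": str(expiry), **entries})


def decode_session(blob):
    fields = dict(parse_qsl(blob))
    expiry = int(fields.pop("expiry", "0"))
    return expiry, fields


def is_expired(expiry, now):
    # An expiry of 0 means "no expiry set" and is never treated as expired.
    return bool(expiry) and expiry < now


def load_session_vulnerable(blob, now=None):
    """Pre-fix order: the expiry is tested before decode, while it is still
    the default 0, so a stale cookie is accepted."""
    now = time.time() if now is None else now
    expiry = 0  # nothing has been loaded from the cookie yet
    if is_expired(expiry, now):
        return None
    expiry, entries = decode_session(blob)  # expiry populated here, too late
    return entries


def load_session_fixed(blob, now=None):
    """Fixed order: decode first, then test the expiry the blob carried."""
    now = time.time() if now is None else now
    expiry, entries = decode_session(blob)
    if is_expired(expiry, now):
        return None
    return entries


if __name__ == "__main__":
    stale = encode_session({"user": "alice"}, expiry=1_000_000)  # long past
    print("vulnerable:", load_session_vulnerable(stale, now=2_000_000))
    print("fixed:     ", load_session_fixed(stale, now=2_000_000))
```

The vulnerable loader hands back the stale session's entries; the fixed loader rejects it and only accepts blobs whose expiry is still in the future or unset.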
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 13:34:04 UTC
GLSA Vote: Yes
New GLSA Request filed.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 19:55:53 UTC
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:33:01 UTC
ppc stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:36:25 UTC
ppc64 stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-25 23:13:34 UTC
hppa stable
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:20:43 UTC
x86 stable
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:45:38 UTC
x86 stable
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:18:46 UTC
This issue was resolved and addressed in
 GLSA 201903-21 at https://security.gentoo.org/glsa/201903-21
by GLSA coordinator Aaron Bauman (b-man).
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 02:19:25 UTC
re-opened for final arches and cleanup
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:36:34 UTC
alpha stable