| Summary: | <www-servers/apache-2.4.43: Multiple vulnerabilities (CVE-2020-{1927,1934,1938}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs, djc, hydrapolic, mike, polynomial-c |
| Priority: | Normal | Flags: | nattka: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://httpd.apache.org/security/vulnerabilities_24.html | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=703468 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | =www-servers/apache-2.4.43, =app-admin/apache-tools-2.4.43 | | |
| Runtime testing required: | --- | | |
Description
Sam James
2020-04-01 23:45:14 UTC
@maintainer(s), please advise if ready for stabilisation

B3 -> C3 because it needs specific config (mod_ftp here).

* CVE-2020-1927
Description: "In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL."

Note that -1927 does not need config. Also, the memory leak in mod_ssl seems bad too (although that also would have to be configured).

(In reply to Dirkjan Ochtman from comment #4)
> Note that -1927 does not need config. Also, the memory leak in mod_ssl seems
> bad too (although that also would have to be configured).

It needs mod_rewrite though, but I guess it is common enough.

@maintainer(s), please advise if ready for stabilisation.

I've updated one of my testing machines to 2.4.43 (using latest openssl) with multiple wildcard certificates and vhosts and now ssllabs fails (instead of the vhost cert the expired localhost certificate is sent); also postman/newman fails, but firefox/chromium work fine.

* CVE-2020-1938
mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).

This was fixed in 2.4.42, I think, based on this: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865340/comments/1 (cannot set alias to it because bug 710656).

(In reply to Tomáš Mózes from comment #6)
> I've updated one of my testing machines to 2.4.43 (using latest openssl)
> with multiple wildcard certificates and vhosts and now ssllabs fails
> (instead of the vhost cert the expired localhost certificate is sent), also
> postman/newman fails, but firefox/chromium works fine.

Is this definitely related to the new version of apache? Can you reproduce it with stable?
(In reply to Sam James (sec padawan) from comment #8)
> (In reply to Tomáš Mózes from comment #6)
> > I've updated one of my testing machines to 2.4.43 (using latest openssl)
> > with multiple wildcard certificates and vhosts and now ssllabs fails
> > (instead of the vhost cert the expired localhost certificate is sent), also
> > postman/newman fails, but firefox/chromium works fine.
>
> Is this definitely related to the new version of apache? Can you reproduce
> it with stable?

Sorry, didn't get to it, going to test it again.

After a bit of work it seems like 2.4.43 works fine (tested by testssl / ssllabs + postman tests).

What was changed:
- updated Sectigo cert (and ca-certificates)
- updated 00_default_ssl_vhost according to https://bugs.gentoo.org/728066
- updated per-vhost ssl settings according to https://ssl-config.mozilla.org

I'm putting it on my testing machines, hopefully it'll be ok.

(In reply to Tomáš Mózes from comment #10)
> After a bit of work it seem like 2.4.43 works fine (tested by testssl /
> ssllabs + postman tests).
>
> What was changed:
> - updated Sectigo cert (and ca-certificates)
> - updated 00_default_ssl_vhost according to https://bugs.gentoo.org/728066
> - updated per-vhost ssl settings according to https://ssl-config.mozilla.org
>
> I'm putting it on my testing machines, hopefully it'll be ok.

No worries. Let me know if any issues come up. If not (and no maintainer objection), we will stabilise soon, as it's had long enough in ~ anyway?

Sanity check failed:
> www-servers/apache-2.4.43
> pdepend amd64 stable profile default/linux/amd64/17.0 (79 total)
> ~app-admin/apache-tools-2.4.43
> pdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
> ~app-admin/apache-tools-2.4.43
ppc/ppc64 stable

sparc stable

arm64 stable

hppa stable

x86 stable

arm stable

amd64 stable. Maintainer(s), please cleanup. Security, please vote.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=917627dcb58b1b8f6878dfd82fa3af008c908261

commit 917627dcb58b1b8f6878dfd82fa3af008c908261
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:25:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:53 +0000

    www-servers/apache: security cleanup

    Bug: https://bugs.gentoo.org/715824
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.41.ebuild | 272 --------------------------------
 2 files changed, 273 deletions(-)

GLSA vote: no

Tree is clean, closing.
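The CVE-2020-1927 description quoted in this bug turns on one regex detail: in PCRE, a trailing `$` also matches just before a final newline, so a RewriteRule pattern meant to cover the whole request path can be satisfied by a path whose decoded `%0a` sits at the end. The script below is an added illustration written for this page; it is not code from the bug report or from the Apache project. The RewriteRule lines in it are constructed, the flag handling is a simplified parser of my own, and emulating PCRE_DOLLAR_ENDONLY by swapping the trailing `$` for Python's `\Z` is my assumption about the upstream 2.4.42 change (which, as I recall from the httpd CHANGES file, made DOLLAR_ENDONLY the default unless overridden with `RegexDefaultOptions`). It flags `[R]` rules anchored with an unescaped `$` in a config and shows the two anchor behaviours side by side; it makes no claim about how any particular rule is abused.

```python
import re

# Constructed sample httpd configuration (not taken from the bug report): two
# `$`-anchored redirect rules, one `$`-anchored non-redirect rule, one unanchored rule.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/download/(.*)$ https://files.example.org/$1 [R]
RewriteRule ^/static/(.*)\\.css$ /assets/$1.css [L]
RewriteRule ^/api/(.*) /v2/$1 [PT]
"""

# RewriteRule <pattern> <substitution> [flags]; the flag list is optional.
# Simplified: does not handle quoted arguments or line continuations.
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')


def parse_rewrite_rules(conf_text):
    """Return (pattern, substitution, flags) for every RewriteRule line."""
    rules = []
    for line in conf_text.splitlines():
        m = REWRITE_RE.match(line)
        if m:
            pattern, subst, flags = m.groups()
            flag_list = [f.strip() for f in flags.split(',')] if flags else []
            rules.append((pattern, subst, flag_list))
    return rules


def ends_with_dollar(pattern):
    """True when the pattern is anchored with an unescaped trailing `$`."""
    return pattern.endswith('$') and not pattern.endswith('\\$')


def is_redirect(flags):
    """The R flag (with or without a status code) turns the rule into an external redirect."""
    return any(f == 'R' or f.startswith('R=') for f in flags)


def matches_default_dollar(pattern, path):
    """Python's `$`, like PCRE without DOLLAR_ENDONLY, also matches before a final newline."""
    return re.match(pattern, path) is not None


def matches_dollar_endonly(pattern, path):
    """Emulate PCRE_DOLLAR_ENDONLY: `\\Z` matches only at the very end of the string."""
    if ends_with_dollar(pattern):
        pattern = pattern[:-1] + r'\Z'
    return re.match(pattern, path) is not None


def audit(conf_text):
    """Redirect rules whose `$` anchor a path ending in a decoded newline can still satisfy."""
    findings = []
    for pattern, subst, flags in parse_rewrite_rules(conf_text):
        if is_redirect(flags) and ends_with_dollar(pattern):
            findings.append((pattern, subst))
    return findings


if __name__ == '__main__':
    # Decoded request path carrying an encoded newline at the end (%0a -> '\n').
    path = '/old/page\n'
    for pattern, subst in audit(SAMPLE_CONF):
        print(f'{pattern} -> {subst}: '
              f'default $ matches={matches_default_dollar(pattern, path)}, '
              f'DOLLAR_ENDONLY matches={matches_dollar_endonly(pattern, path)}')
```

Run against a real httpd.conf, `audit()` gives the list of rules worth re-checking on a pre-2.4.42 server; on 2.4.42 and later the `\Z`-style behaviour is the default, which is why the upgrade, not a config change, is the fix.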