Bug 715824 (CVE-2020-1927, CVE-2020-1934)

Summary: <www-servers/apache-2.4.43: Multiple vulnerabilities (CVE-2020-{1927,1934,1938})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs, djc, hydrapolic, mike, polynomial-c
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://httpd.apache.org/security/vulnerabilities_24.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=703468
Whiteboard: B3 [noglsa cve]
Package list:
=www-servers/apache-2.4.43 =app-admin/apache-tools-2.4.43
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 23:45:14 UTC
Description:
"In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 23:45:50 UTC
@maintainer(s), please advise if ready for stabilisation
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 00:52:44 UTC
B3 -> C3 because needs specific config (mod_ftp here).
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 01:40:46 UTC
* CVE-2020-1927

Description:
"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL."
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2020-04-02 05:57:41 UTC
Note that -1927 does not need config. Also, the memory leak in mod_ssl seems bad too (although that also would have to be configured).
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 04:16:36 UTC
(In reply to Dirkjan Ochtman from comment #4)
> Note that -1927 does not need config. Also, the memory leak in mod_ssl seems
> bad too (although that also would have to be configured).

It needs mod_rewrite though, but I guess it is common enough.

@maintainer(s), please advise if ready for stabilisation.
Comment 6 Tomáš Mózes 2020-04-16 20:03:03 UTC
I've updated one of my testing machines to 2.4.43 (using latest openssl) with multiple wildcard certificates and vhosts and now ssllabs fails (instead of the vhost cert the expired localhost certificate is sent), also postman/newman fails, but firefox/chromium works fine.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 14:48:56 UTC
* CVE-2020-1938
 mod_proxy_ajp: Add "secret" parameter to proxy workers to
    implement legacy AJP13 authentication (bsc#1169066).

This was fixed in 2.4.42, I think, based on this:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865340/comments/1

(cannot set alias to it because bug 710656).
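Added illustration, not from this bug or from the Gentoo ebuild: the mod_proxy_ajp worker parameter "secret" named in the changelog line above, shown in an httpd 2.4.42+ ProxyPass stanza with the unauthenticated form beside it. The backend hostname, port, path and secret value are placeholders.

```apache
# Before: the AJP channel to the backend carries no shared secret, so the
# backend connector accepts AJP13 requests from any peer that can reach it.
#ProxyPass        "/app" "ajp://tomcat.internal:8009/app"
#ProxyPassReverse "/app" "ajp://tomcat.internal:8009/app"

# After: the worker attaches the shared secret to every AJP13 request.
# The backend connector must be configured with the same value, and it
# then rejects requests that do not carry it.
ProxyPass        "/app" "ajp://tomcat.internal:8009/app" secret=REPLACE_WITH_LONG_RANDOM_SECRET
ProxyPassReverse "/app" "ajp://tomcat.internal:8009/app"
```

The secret is only as good as the channel it travels on, so the AJP connector should still be bound to an interface reachable from the proxy alone.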
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-05 22:36:30 UTC
(In reply to Tomáš Mózes from comment #6)
> I've updated one of my testing machines to 2.4.43 (using latest openssl)
> with multiple wildcard certificates and vhosts and now ssllabs fails
> (instead of the vhost cert the expired localhost certificate is sent), also
> postman/newman fails, but firefox/chromium works fine.

Is this definitely related to the new version of apache? Can you reproduce it with stable?
Comment 9 Tomáš Mózes 2020-06-12 09:54:42 UTC
(In reply to Sam James (sec padawan) from comment #8)
> (In reply to Tomáš Mózes from comment #6)
> > I've updated one of my testing machines to 2.4.43 (using latest openssl)
> > with multiple wildcard certificates and vhosts and now ssllabs fails
> > (instead of the vhost cert the expired localhost certificate is sent), also
> > postman/newman fails, but firefox/chromium works fine.
> 
> Is this definitely related to the new version of apache? Can you reproduce
> it with stable?

Sorry, didn't get to it, going to test it again.
Comment 10 Tomáš Mózes 2020-06-12 15:39:44 UTC
After a bit of work it seems like 2.4.43 works fine (tested by testssl / ssllabs + postman tests).

What was changed:
- updated Sectigo cert (and ca-certificates)
- updated 00_default_ssl_vhost according to https://bugs.gentoo.org/728066
- updated per-vhost ssl settings according to https://ssl-config.mozilla.org

I'm putting it on my testing machines, hopefully it'll be ok.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-13 11:53:21 UTC
(In reply to Tomáš Mózes from comment #10)
> After a bit of work it seems like 2.4.43 works fine (tested by testssl /
> ssllabs + postman tests).
> 
> What was changed:
> - updated Sectigo cert (and ca-certificates)
> - updated 00_default_ssl_vhost according to https://bugs.gentoo.org/728066
> - updated per-vhost ssl settings according to https://ssl-config.mozilla.org
> 
> I'm putting it on my testing machines, hopefully it'll be ok.

No worries. Let me know if any issues come up. If not (and no maintainer objection), we will stabilise soon, as it's had long enough in ~ anyway?
Comment 12 NATTkA bot gentoo-dev 2020-06-14 21:23:51 UTC
Sanity check failed:

> www-servers/apache-2.4.43
>   pdepend amd64 stable profile default/linux/amd64/17.0 (79 total)
>     ~app-admin/apache-tools-2.4.43
>   pdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     ~app-admin/apache-tools-2.4.43
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-15 21:03:01 UTC
ppc/ppc64 stable
Comment 14 Rolf Eike Beer archtester 2020-06-16 16:44:02 UTC
sparc stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 14:25:40 UTC
arm64 stable
Comment 16 Rolf Eike Beer archtester 2020-06-19 14:17:18 UTC
hppa stable
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:19 UTC
x86 stable
Comment 18 Agostino Sarubbo gentoo-dev 2020-06-21 17:00:18 UTC
arm stable
Comment 19 Agostino Sarubbo gentoo-dev 2020-06-22 06:59:38 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Larry the Git Cow gentoo-dev 2020-07-18 00:00:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=917627dcb58b1b8f6878dfd82fa3af008c908261

commit 917627dcb58b1b8f6878dfd82fa3af008c908261
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:25:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:53 +0000

    www-servers/apache: security cleanup
    
    Bug: https://bugs.gentoo.org/715824
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/apache/Manifest             |   1 -
 www-servers/apache/apache-2.4.41.ebuild | 272 --------------------------------
 2 files changed, 273 deletions(-)
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 00:06:06 UTC
GLSA vote: no

Tree is clean, closing.