| Field | Value | Field | Value |
|---|---|---|---|
| Summary | www-servers/apache-2.4.58: multiple vulnerabilities | | |
| Product | Gentoo Security | Reporter | Tomáš Mózes <hydrapolic> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS | | |
| Severity | minor | CC | ajak, apache-bugs, hanno |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B3 [glsa?] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 916744 | | |
| Bug Blocks | 915553 | | |
Description
Tomáš Mózes
2023-10-19 10:45:10 UTC
Testing 2.4.58 on amd64, temporary solution (since the patch is included in the apache tarball):

--- apache-2.4.57-r5.ebuild	2023-10-11 06:10:32.000000000 +0000
+++ apache-2.4.58.ebuild	2023-10-19 10:53:08.600838939 +0000
pkg_setup() {
	# dependent critical modules which are not allowed in global scope due
@@ -156,6 +156,12 @@
 	apache-2_pkg_setup
 }
 
+src_unpack() {
+	default
+
+	rm "${WORKDIR}/gentoo-apache-2.4.57-r5/patches/06_rustls_ffi.patch" || die
+}
+
 src_configure() {
 	# Brain dead check.
 	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"

Small nitpick regarding 00_default_ssl_vhost.conf, the formatting is broken:

<VirtualHost _default_:443>
	ServerName localhost
	Include /etc/apache2/vhosts.d/default_vhost.include

	ErrorLog /var/log/apache2/ssl_error_log
	<IfModule log_config_module>
		TransferLog /var/log/apache2/ssl_access_log
	</IfModule>

	## SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	SSLEngine on

	# TLS defaults are set according to the Mozilla intermediate
	# configuration: https://ssl-config.mozilla.org/

	## SSLProtocol:
	# Disable old protocol versions that have known flaws or are deprecated.
	SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

	## SSL Cipher Suite:
	# List the ciphers that the client is permitted to negotiate.
	# See the mod_ssl documentation for a complete list.
	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA
	-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36495e104250a29939693900521c329b681dbb72

commit 36495e104250a29939693900521c329b681dbb72
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-19 12:20:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-19 12:21:04 +0000

    www-servers/apache: add 2.4.58

    Bug: https://bugs.gentoo.org/915996
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest             |   2 +
 www-servers/apache/apache-2.4.58.ebuild | 256 ++++++++++++++++++++++++++++++++
 2 files changed, 258 insertions(+)

Thanks Hans

Does CVE-2023-44487 actually affect Apache itself? It seems like CVE-2023-45802 is at least a very similar (if not the same) vulnerability, but that would make it uniquely tracked, separately of CVE-2023-44487? (ie for our tracking, we'd "see also" CVE-2023-44487 rather than block it)

(In reply to John Helmert III from comment #4)
> Does CVE-2023-44487 actually affect Apache itself? It seems like
> CVE-2023-45802 is at least a very similar (if not the same) vulnerability,
> but that would make it uniquely tracked, separately of CVE-2023-44487? (ie
> for our tracking, we'd "see also" CVE-2023-44487 rather than block it)

Initial reports were that it didn't, but in the end it did expose a number of smaller issues. The problem with CVE-2023-44487 is that it is a generic issue not specific to implementations, and the CVEs in this bug are specific issues in Apache triggered by CVE-2023-44487. So I feel this bug should block CVE-2023-44487.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e7cd64ace1b6cd339c47f94477ec03ccd94002b

commit 6e7cd64ace1b6cd339c47f94477ec03ccd94002b
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-02-11 15:15:31 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-11 15:15:57 +0000

    www-servers/apache: drop 2.4.57, 2.4.57-r6

    Bug: https://bugs.gentoo.org/915996
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest                |   3 -
 www-servers/apache/apache-2.4.57-r6.ebuild | 256 ----------------------------
 www-servers/apache/apache-2.4.57.ebuild    | 264 -----------------------------
 3 files changed, 523 deletions(-)
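Review bot: the src_unpack() added in the ebuild hunk hardcodes the previous revision's patch directory ("${WORKDIR}/gentoo-apache-2.4.57-r5/patches/06_rustls_ffi.patch") inside the 2.4.58 ebuild, so the `|| die` will abort the build as soon as a patch tarball named for 2.4.58 is rolled and that directory stops existing. Since the reason for the rm is that 2.4.58 already ships the rustls fix upstream, the cleaner change is a patch tarball that simply omits 06_rustls_ffi.patch; if the rm has to stay as a stopgap, derive the directory from whatever variable the eclass already uses for the unpacked patch tarball rather than a literal revision name, and add a one-line comment above the rm saying why the patch is dropped.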
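The formatting nitpick about 00_default_ssl_vhost.conf is a real config bug, not just cosmetics: SSLCipherSuite takes one cipher-spec token (optionally preceded by a protocol selector), so a cipher list cut across two physical lines either leaves an orphan "-AES128-..." line that httpd rejects as an unknown directive, or, if rendered as a space, makes httpd treat "DHE-RSA" as the protocol argument. The script below is an added check written for this page; it is not part of the Gentoo bug, the ebuild, or Apache. It lints a vhost snippet for exactly that failure, joining backslash continuations verbatim the way httpd's config reader does (an assumption stated in the code), and runs over three constructed samples: the broken shape quoted in the report (cipher list shortened), a fixed version that wraps after the directive name, and the space-split variant.

```python
import re

# Added example, not Gentoo's or Apache's code. Assumptions: mod_ssl syntax is
# "SSLCipherSuite [SSL|TLSv1.3] cipher-spec" (one spec token), Apache directive
# names are bare words, and a trailing backslash continues a line by plain
# concatenation (leading whitespace of the next line is kept, then the whole
# joined line is trimmed).

CIPHERSUITE_PROTOCOLS = {"SSL", "TLSv1.3"}
# Characters OpenSSL accepts in a cipher list: names, ':' separators and the
# !, -, +, @ modifiers (plus '=' and '.' for things like @SECLEVEL=2).
CIPHER_SPEC_RE = re.compile(r"^[A-Za-z0-9_.=!+\-:@]+$")
# A directive name is a bare word; a token such as "-AES128-..." can never be one.
DIRECTIVE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def logical_lines(text):
    """Yield (first_physical_lineno, joined_line), honouring backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])  # drop the backslash, keep reading
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, "".join(buf)


def lint_ssl_config(text):
    """Return [(lineno, message)] for malformed lines; an empty list means clean."""
    findings = []
    for lineno, line in logical_lines(text):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("<"):
            continue  # blank line, comment, or <Section> tag
        directive, *args = s.split()
        if not DIRECTIVE_RE.match(directive):
            findings.append((lineno, f"'{directive}' is not a directive; looks like the "
                                     "tail of a line broken without a trailing backslash"))
            continue
        if directive.lower() != "sslciphersuite":
            continue
        if len(args) == 1:
            spec = args[0]
        elif len(args) == 2 and args[0] in CIPHERSUITE_PROTOCOLS:
            spec = args[1]
        else:
            findings.append((lineno, "SSLCipherSuite takes [SSL|TLSv1.3] cipher-spec, "
                                     f"got {len(args)} arguments: {args}"))
            continue
        if not CIPHER_SPEC_RE.match(spec) or ":" in (spec[0], spec[-1]) or "::" in spec:
            findings.append((lineno, f"malformed cipher-spec {spec!r}"))
    return findings


# Constructed sample 1: the quoted vhost with the cipher list cut after "DHE-RSA"
# as in the report (list shortened; the shape is what matters).
BROKEN_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA
    -AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</VirtualHost>
"""

# Constructed sample 2: wrapped after the directive name, spec stays one token.
FIXED_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite \\
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</VirtualHost>
"""

# Constructed sample 3: the same break rendered as a space, which httpd would
# read as protocol selector "DHE-RSA" followed by the spec.
SPACE_SPLIT = "SSLCipherSuite DHE-RSA -AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384\n"


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST), ("space-split", SPACE_SPLIT)):
        for lineno, msg in lint_ssl_config(cfg) or [(0, "clean")]:
            print(f"{name}:{lineno}: {msg}")
```

Only the broken and space-split samples produce findings; the fixed sample passes because the wrap sits between the directive name and its single argument, so the joined line still has one cipher-spec token. The check is deliberately syntactic: a truncated name such as a bare "DHE-RSA" is still a legal OpenSSL cipher-list token, so a linter without a cipher database cannot catch that part, which is why keeping the list on one physical line is the safer fix.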