Bug 186219 - www-servers/apache Multiple issues (CVE-2006-{5752}, CVE-2007-{1862,1863,3304,3847,4465})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://httpd.apache.org/security/vuln...
Whiteboard: A3 [glsa]
Duplicates: 187258 191603
Blocks: 187185

Reported: 2007-07-22 12:38 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-04-02 21:47 UTC (History)

Attachments
sparc64 emerge --info (sparc64-emerge-info,2.50 KB, text/plain)
2007-09-09 13:45 UTC, Jorge Manuel B. S. Vicetto (RETIRED)
sparc64-emerge-info (sparc64-emerge-info,2.51 KB, text/plain)
2007-09-13 01:47 UTC, Jorge Manuel B. S. Vicetto (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-22 12:38:15 UTC
Not sure we're affected by these ones either.

CVE-2006-5752

Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.

CVE-2007-1863

Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-09-05 04:11:42 UTC
moderate: mod_status cross-site scripting CVE-2006-5752
Affects: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
Fixed in Apache httpd 2.0.61-dev
patched in apache-2.2.4-r12 or earlier


moderate: mod_cache proxy DoS CVE-2007-1863
Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0
Fixed in Apache httpd 2.2.6-dev
patched in apache-2.2.4-r12 or earlier


didn't check the 2.0.x branch.



however apache-2.2.4-r12 needs a patch for

moderate: mod_proxy crash CVE-2007-3847
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.

http://httpd.apache.org/security/vulnerabilities_22.html

Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-07 14:58:39 UTC
there's also bug 191603, and I have to admit I'm a bit lost with all these issues and versions. Apache, please advise on what needs to be done to fix this, and maybe close the other bug if it's not necessary.
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2007-09-07 21:47:56 UTC
all CVEs have been backported to 2.0.59-r5/2.2.4-r12, except 2007-3847 is missing in 2.2.4-r12, but fixed with 2.2.6, which is now in cvs, see also #187258
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 11:37:16 UTC
*** Bug 191603 has been marked as a duplicate of this bug. ***
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 11:45:07 UTC
ok thanks for the info. So in the end, how do you want to proceed with stabilization? In any case it seems that we'll have to call arches for 2.2.6 as a fix is missing with 2.2.4-r12, but should we call all arches for 2.0.61 or just the ones that don't have 2.0.59-r5? please advise.
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2007-09-08 15:29:52 UTC
2.0.59-r5 is ok, but 2.2.6 should be stabilized asap for CVE-2007-3847
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 15:39:15 UTC
ok.
Arches, please test and mark stable
net-www/apache-2.0.59-r5 and net-www/apache-2.2.6.
Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2007-09-08 17:56:53 UTC
(In reply to comment #7)
> ok.
> Arches, please test and mark stable
> net-www/apache-2.0.59-r5 and net-www/apache-2.2.6.
> Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
> ~x86-fbsd"
> 

That's www-servers/apache-2.0.59-r5 and www-servers/apache-2.2.6
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-08 18:59:41 UTC
Don't forget to mark app-admin/apache-tools-2.2.6 stable as well.

All stable for HPPA.
Comment 10 Benedikt Böhm (RETIRED) gentoo-dev 2007-09-08 20:07:41 UTC
*** Bug 187258 has been marked as a duplicate of this bug. ***
Comment 11 Markus Meier gentoo-dev 2007-09-09 12:44:07 UTC
x86 stable
Comment 12 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2007-09-09 13:43:23 UTC
apache-2.0.59-r5, apache-2.2.6 and apache-tools-2.2.6 all emerged fine here on my sparc64.

Got the following notice for apache-2.0.59-r5:
dodoc: etc/apache2/*-std.conf does not exist

and the following notices for apache-2.2.6:
install: cannot stat `/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2logserverstatus': No such file or directory
install: cannot stat `/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2splitlogfile': No such file or directory

Tested with:
www-servers/apache-2.0.59-r5 (apache2 mpm-prefork ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-worker ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-leader static-modules threads)

app-admin/apache-tools-2.2.6
www-servers/apache-2.2.6 (mpm-prefork ssl)
app-admin/apache-tools-2.2.6 (ssl)
www-servers/apache-2.2.6 (mpm-worker ssl)
app-admin/apache-tools-2.2.6 (ssl)
www-servers/apache-2.2.6 (static-modules threads)
Comment 13 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2007-09-09 13:45:45 UTC
Created attachment 130411
sparc64 emerge --info
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-09-09 15:11:22 UTC
alpha/ia64 stable
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-09-09 16:16:06 UTC
ppc64 stable
Comment 16 Togge 2007-09-09 18:02:55 UTC
--- amd64 ---
 
www-servers/apache-2.2.6 - USE: -debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser -mpm-prefork -mpm-worker -no-suexec -selinux ssl -static-modules threads

app-admin/apache-tools-2.2.6 - USE: ssl

1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (*) basic static web pages, php support tested

* app-admin/apache-tools-2.2.6 - log_server_status gives

Can't locate sys/socket.ph in @INC (did you run h2ph?) (@INC contains: /etc/perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux /usr/lib64/perl5/vendor_perl/5.8.8 /usr/lib64/perl5/vendor_perl /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux /usr/lib64/perl5/site_perl/5.8.8 /usr/lib64/perl5/site_perl /usr/lib64/perl5/5.8.8/x86_64-linux /usr/lib64/perl5/5.8.8 /usr/local/lib/site_perl .) at /usr/sbin/log_server_status line 28.

Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r6 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Gentoo Base System release 1.12.9
Timestamp of tree: Unknown
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -ggdb -march=athlon64 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/gentoo-release /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -ggdb -march=athlon64 -pipe"
DISTDIR="/tmp/portage"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms splitdebug strict test"
GENTOO_MIRRORS="http://ds.thn.htu.se/linux/gentoo               http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/            http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/            http://mirror.switch.ch/mirror/gentoo/         http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf-8"
LINGUAS="en sv"
MAKEOPTS="-j3"
PKGDIR="/tmp/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/private"
SYNC="rsync://dx/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi aiglx alsa amd64 apache2 arts asf avi bash-completion berkdb bitmap-fonts branding browserplugin cairo ccache cdr cli cpudetection cracklib crypt cscope css cups cvs dbus divx divx4linux dlloader dri dvd dvdr dvdread eds emboss encode esd evo fam ffmpeg firefox flac foomaticdb fortran freetype gdbm geoip gif gimp gmedia gnokii gnome gpm gstreamer gtk hal http iconv ieee1394 imap imlib ipv6 isdnlog java javascript jfs jpeg kde kdeenablefinal kdehiddenvisibility kdepim kerberos logitech-mouse mad madwifi maildir midi mikmod mmx mmx2 mmxext mono mozbranding moznopango mozsvg mp3 mpeg mplayer msn mudflap mysql ncurses nls nptl nptlonly nsplugin ntfs nvidia obex ogg oggvorbis opengl openmp oss pam pcre pdf pdflib perl png pppd python qt qt3 qt3support qt4 quicktime readline realmedia reflection reiserfs samba scanner sdl session spell spl sse sse2 ssl subversion svg symlink tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts udev unicode usb v4l v4l2 vim-syntax vim-with-x visualization vorbis wifi wmf wmp wxwindows xcomposite xface xfs xine xinerama xml xorg xosd xpm xprint xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en sv" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-10 18:13:30 UTC
ppc stable
Comment 18 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-11 20:22:01 UTC
amd64 done... now to upgrade all my web servers... :P
Comment 19 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2007-09-13 01:47:59 UTC
Created attachment 130782
sparc64-emerge-info

emerge --info after updating system to gcc-4.1.2
Comment 20 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2007-09-13 01:50:11 UTC
Tested apache with the above use flags again after updating to gcc-4.1.2, and got the same results.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-15 17:55:23 UTC
2.2.6 also fixes an XSS in mod_autoindex.c:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2007-09-25 14:31:22 UTC
sparc stable, thanks Jorge Manuel.

This is ready to go
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 14:34:27 UTC
A3 => no vote here :p
glsa request filed.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2007-09-29 00:10:10 UTC
Correcting CVE in title.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 19:45:00 UTC
finally closing with GLSA 200711-06, sorry for the delay :/
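
The version statements from comments 3 and 6 to 8, turned into a check that an installed package meets the stabilization targets. This is an added example, not part of the bug report or of Portage: `parse` and `classify` are hypothetical helper names, and the comparison is a simplified one that accepts only dotted numeric versions with an optional -rN revision, not the full Gentoo version syntax.

```python
import re

# Stabilization targets named in comments 6-8 of this bug, keyed by branch.
FIXED = {"2.0": "2.0.59-r5", "2.2": "2.2.6"}

# Simplified version grammar (assumption): digits and dots, optional -rN.
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse(version):
    """Turn '2.0.59-r5' into ((2, 0, 59), 5); a missing -rN is revision 0."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def classify(atom):
    """Classify a package atom such as 'www-servers/apache-2.2.4-r12'."""
    name = atom.rsplit("/", 1)[-1]
    if not name.startswith("apache-"):
        raise ValueError(f"not an apache package atom: {atom!r}")
    parsed = parse(name[len("apache-"):])
    branch = ".".join(str(n) for n in parsed[0][:2])
    if branch not in FIXED:
        return "unknown-branch"      # the thread only covers 2.0 and 2.2
    if parsed >= parse(FIXED[branch]):
        return "fixed"
    # Comment 3: 2.2.4-r12 carries the backports except for CVE-2007-3847.
    if parsed[0] == (2, 2, 4) and parsed[1] >= 12:
        return "missing CVE-2007-3847"
    return "update"


if __name__ == "__main__":
    # Constructed sample atoms, not taken from any real system.
    for atom in ("www-servers/apache-2.0.59-r4", "www-servers/apache-2.0.59-r5",
                 "www-servers/apache-2.2.4-r12", "www-servers/apache-2.2.6"):
        print(f"{atom}: {classify(atom)}")
```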