Bug 385859 (CVE-2011-3368) - <www-servers/apache-2.2.21-r1 mod_proxy Reverse Proxy Mode Security Bypass (CVE-2011-3368)
Status: RESOLVED FIXED
Alias: CVE-2011-3368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46288/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-1928
Reported: 2011-10-06 12:49 UTC by Agostino Sarubbo
Modified: 2012-06-24 14:29 UTC (History)
Description Agostino Sarubbo gentoo-dev 2011-10-06 12:49:02 UTC
From the Secunia security advisory at $URL:

Description:
The weakness is caused by the mod_proxy module, when configured in reverse proxy mode, incorrectly processing certain web requests. This can be exploited to send requests to an unintended server behind the proxy via a specially crafted URL.

Successful exploitation requires the use of "ProxyPassMatch" and "RewriteRule" configuration directives with a certain pattern match.

The weakness is reported in all 2.x versions.


Solution:
Apply patch.
https://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:49:57 UTC
CVE-2011-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368):
  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
  through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use
  of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration
  of a reverse proxy, which allows remote attackers to send requests to
  intranet servers via a malformed URI containing an initial @ (at sign)
  character.
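The mechanism behind the "initial @" described in the advisory and the NVD entry, as an added illustration that is not part of this bug report, of the Secunia advisory, or of Apache's own code: a small Python model of how a catch-all `ProxyPassMatch ^(.*) http://backend$1` (or an equivalent `RewriteRule ... [P]`) expands a request-URI that begins with `@` into a URL whose authority section names a different host, because the substituted backend name ends up parsed as userinfo. The host names, rules and request-URIs below are constructed for the example; `is_origin_form` models the idea of rejecting request-URIs that do not start with `/`, which is how the upstream mitigation is generally described, and is not a copy of the patch linked above.

```python
import re
from urllib.parse import urlsplit

# Constructed reverse-proxy rules for illustration (not from the bug report).
# Vulnerable shape: the capture group is unanchored, so a request-URI that
# does not start with '/' is glued directly onto the backend host name.
VULNERABLE_RULE = (re.compile(r"^(.*)"), "http://backend.internal$1")
# Hardened shape: the pattern requires the leading slash, so whatever the
# client sends can only ever land in the path component of the target URL.
ANCHORED_RULE = (re.compile(r"^/(.*)"), "http://backend.internal/$1")


def expand(rule, request_uri):
    """Substitute $1 the way ProxyPassMatch/RewriteRule would."""
    pattern, target = rule
    m = pattern.match(request_uri)
    if m is None:
        return None
    return target.replace("$1", m.group(1))


def proxied_host(rule, request_uri):
    """Host that the expanded target URL would actually connect to."""
    url = expand(rule, request_uri)
    if url is None:
        return None
    # urlsplit treats everything before the last '@' in the authority as
    # userinfo, so 'http://backend.internal@intranet.corp/' targets intranet.corp.
    return urlsplit(url).hostname


def is_origin_form(request_uri):
    """Model of the server-side check: an origin-form request-target must
    begin with '/'. Assumed behaviour, mirroring the described mitigation."""
    return request_uri.startswith("/")


def route(rule, request_uri, reject_malformed=True):
    """Return the backend host a proxy with this rule would contact, or None
    when the request is refused or does not match the rule."""
    if reject_malformed and not is_origin_form(request_uri):
        return None
    return proxied_host(rule, request_uri)


if __name__ == "__main__":
    # Constructed request-targets: a normal one and one that abuses '@'.
    for uri in ("/index.html", "@intranet.corp:8080/admin"):
        print(f"{uri!r}:")
        print("  vulnerable, no check :", route(VULNERABLE_RULE, uri, False))
        print("  vulnerable, with check:", route(VULNERABLE_RULE, uri, True))
        print("  anchored,   no check :", route(ANCHORED_RULE, uri, False))
```

Running it shows the unanchored rule sending `@intranet.corp:8080/admin` to `intranet.corp` while `/index.html` goes to `backend.internal`; either the origin-form check or the anchored pattern alone is enough to stop the redirection, and the expanded URL for the anchored rule keeps the `@` inside the path.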
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-10-18 06:42:44 UTC
Patch was added in apache-2.2.21-r1. Also I've added a dependency on >=apr-1.4.5 for the moderate apr_fnmatch flaw that leads to a mod_autoindex remote DoS, CVE-2011-0419 (bug 368651). Also a number of bugs were fixed:

Use extra_{,started}commands, bug #385637 by Martin von Gagern.
Check config during restart, bug #384997 wrt Christian Ruppert (idl0r).
Don't use pidof to check for running instances, to make it more container friendly, bug #384267 by Stef Simoens.
Updated defaults in 00_default_settings.conf to better match upstream intentions, bug #387157 by Steve Dibb.

Arch teams, please, stabilize:
www-servers/apache-2.2.21-r1
dev-libs/apr-1.4.5
dev-libs/apr-util-1.3.12
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-18 09:01:06 UTC
looks ok on a server. amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-18 11:30:17 UTC
looks ok on a desktop
Comment 5 Tony Vroon gentoo-dev 2011-10-19 11:23:38 UTC
+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-1.4.5.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.

+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-util-1.3.12.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.

+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.21-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #385859.
Comment 6 Jeroen Roovers gentoo-dev 2011-10-19 12:02:11 UTC
Stable for HPPA.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 16:21:00 UTC
ppc/ppc64 stable
Comment 8 Markus Meier gentoo-dev 2011-10-23 11:45:23 UTC
arm stable
Comment 9 Markus Meier gentoo-dev 2011-10-24 19:54:46 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-10-29 18:46:49 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2011-10-29 19:12:16 UTC
Thanks all. Added glsa vote request.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-10-31 16:01:29 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:03:27 UTC
Vote: Yes. GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:06 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).