Bug 651406 (CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1302, CVE-2018-1303, CVE-2018-1312) - <www-servers/apache-2.4.33: multiple vulnerabilities
Summary: <www-servers/apache-2.4.33: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301, CVE-2018-1302, CVE-2018-1303, CVE-2018-1312
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2018/q1/271
Whiteboard: B3 [noglsa cve]
Reported: 2018-03-25 08:22 UTC by Hanno Böck
Modified: 2019-03-12 06:44 UTC
Package list:
=app-admin/apache-tools-2.4.33 =www-servers/apache-2.4.33-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
ppc build.log (all USE-flags enabled) (apache-2.4.33-r1:20180802-192715.log,599.18 KB, text/plain)
2018-08-03 11:23 UTC, ernsteiswuerfel
ppc build.log (all USE-flags disabled) (apache-2.4.33-r1:20180803-093524.log,204.21 KB, text/plain)
2018-08-03 11:24 UTC, ernsteiswuerfel

Description Hanno Böck gentoo-dev 2018-03-25 08:22:31 UTC
See:
http://seclists.org/oss-sec/2018/q1/271
http://seclists.org/oss-sec/2018/q1/270
http://seclists.org/oss-sec/2018/q1/269
http://seclists.org/oss-sec/2018/q1/268
http://seclists.org/oss-sec/2018/q1/267
http://seclists.org/oss-sec/2018/q1/266
http://seclists.org/oss-sec/2018/q1/265

A large number of vulns have been fixed in the apache http server 2.4.30, CVEs:
CVE-2018-1301, CVE-2018-1303, CVE-2018-1283, CVE-2018-1302, CVE-2017-15715, CVE-2018-1312, CVE-2017-15710

They did a bunch of smaller subsequent releases, we already have 2.4.33 in the tree. Can this be stabilized yet?
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-05-24 09:23:06 UTC
Hey Lars, this seems reasonably important, can you please sign off on whether stabilization for 2.4.33 can go ahead?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-05-29 12:40:42 UTC
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-29 16:02:05 UTC
amd64 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-05-31 07:50:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c236fc79a99de3f4a2898a0e1248996b6babb4

commit a2c236fc79a99de3f4a2898a0e1248996b6babb4
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-30 21:01:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 07:50:30 +0000

    app-admin/apache-tools: stable 2.4.33 for sparc
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 app-admin/apache-tools/apache-tools-2.4.33.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22908c0e6c4ff955b67d225f62e45f7273811c8c

commit 22908c0e6c4ff955b67d225f62e45f7273811c8c
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-30 21:01:11 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 07:50:29 +0000

    www-servers/apache: stable 2.4.33-r1 for sparc
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 www-servers/apache/apache-2.4.33-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Larry the Git Cow gentoo-dev 2018-05-31 08:13:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4f2297f0da0bbfb37c4f67f71a8cc8f87efa845

commit a4f2297f0da0bbfb37c4f67f71a8cc8f87efa845
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-31 08:11:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 08:11:54 +0000

    www-servers/apache: stable 2.4.33-r1 for ia64, bug #651406
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 www-servers/apache/apache-2.4.33-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3d20cdf1acefff02007d4c930e1ffb1b22b8b16

commit f3d20cdf1acefff02007d4c930e1ffb1b22b8b16
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-31 08:11:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 08:11:49 +0000

    app-admin/apache-tools: stable 2.4.33 for ia64, bug #651406
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-admin/apache-tools/apache-tools-2.4.33.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Markus Meier gentoo-dev 2018-06-11 17:56:50 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-06-21 07:28:23 UTC
Stable on alpha.
Comment 8 Larry the Git Cow gentoo-dev 2018-06-24 20:23:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=832684b6aa6e490f9b59ae1531c623f804d1e792

commit 832684b6aa6e490f9b59ae1531c623f804d1e792
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:47:35 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:21 +0000

    www-servers/apache: stable 2.4.33-r1 for ppc64, bug #651406
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 www-servers/apache/apache-2.4.33-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6cd4839c508b08a217e95b46c5fd459a65f8af8

commit b6cd4839c508b08a217e95b46c5fd459a65f8af8
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:47:30 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:20 +0000

    app-admin/apache-tools: stable 2.4.33 for ppc64, bug #651406
    
    Bug: https://bugs.gentoo.org/651406
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-admin/apache-tools/apache-tools-2.4.33.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 ernsteiswuerfel archtester 2018-08-03 11:23:43 UTC
Created attachment 542222
ppc build.log (all USE-flags enabled)

ppc

tatt was having a hard time with all the USE-flag and modules combinations so I only built apache with all USE-flags enabled/disabled, tests were successful.

rdeps built fine, apart from www-apache/mod_perl (see bug #662692).

# cat apache-tools-651406.report 
revdep tests started on Fr 3. Aug 08:50:53 CEST 2018

FEATURES=' test' USE='' succeeded for www-apache/mod_ldap_userdir
FEATURES=' test' USE='' succeeded for www-apache/mod_wsgi
FEATURES=' test' USE='' succeeded for dev-perl/Apache-Test
FEATURES=' test' USE='apache2' succeeded for net-analyzer/pnp4nagios
FEATURES=' test' USE='' succeeded for www-apache/libapreq2
FEATURES=' test' USE='' succeeded for www-apache/mod_limitipconn
FEATURES=' test' USE='' succeeded for www-apache/mod_fcgid
merging test dependencies of www-apache/mod_perl failed
FEATURES=' test' USE='' succeeded for www-apache/mod_bw
FEATURES=' test' USE='' succeeded for www-apps/lxr
Comment 10 ernsteiswuerfel archtester 2018-08-03 11:24:13 UTC
Created attachment 542224
ppc build.log (all USE-flags disabled)
Comment 11 Matt Turner gentoo-dev 2018-09-16 19:53:05 UTC
ppc stable

all arches done
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 06:44:22 UTC
This was lost, it is no longer in tree.
Cleaning Up