Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 682306 (CVE-2019-0211) - <www-servers/apache-2.4.39: privilege escalation and other vulnerabilities
Summary: <www-servers/apache-2.4.39: privilege escalation and other vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-0211
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://httpd.apache.org/security/vul...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-02 07:56 UTC by Hanno Böck
Modified: 2019-04-22 23:30 UTC (History)
3 users (show)

See Also:
Package list:
app-admin/apache-tools-2.4.39 www-servers/apache-2.4.39
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2019-04-02 07:56:08 UTC
This sounds really bad:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

"In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard."

Here's a warning from an Apache dev:
https://twitter.com/iamamoose/status/1112966189276389376

Also various other security fixes.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2019-04-02 08:54:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ba34aa34c25d07f495ae56fc56a2bbaab5d4dd6

commit 9ba34aa34c25d07f495ae56fc56a2bbaab5d4dd6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-02 08:50:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-02 08:54:13 +0000

    www-servers/apache: Security bump to version 2.4.39
    
    Attempt to make apache2ctl systemd compatible
    
    Bug: https://bugs.gentoo.org/673530
    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest             |   2 +
 www-servers/apache/apache-2.4.39.ebuild | 257 ++++++++++++++++++++++++++++++++
 2 files changed, 259 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b8813408caa94488b83fcbcce09e4d156c95285

commit 5b8813408caa94488b83fcbcce09e4d156c95285
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-02 08:49:10 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-02 08:54:12 +0000

    app-admin/apache-tools: Security bump to version 2.4.39
    
    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/apache-tools/Manifest                   |   1 +
 app-admin/apache-tools/apache-tools-2.4.39.ebuild | 105 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 11:23:43 UTC
amd64 stable
Comment 3 Manfred Knick 2019-04-02 13:47:26 UTC
(In reply to Mikle Kolyada from comment #2)
> amd64 stable

...

Resolving dev.gentoo.org... failed: Temporary failure in name resolution.

wget: unable to resolve host address ‘dev.gentoo.org’

!!! Couldn't download 'gentoo-apache-2.4.39-20190402.tar.bz2'. Aborting.

...
Comment 4 Manfred Knick 2019-04-03 06:29:34 UTC
(In reply to Manfred Knick from comment #3)
> ... Resolving dev.gentoo.org... failed:  ...
After sync this morning:   WORKSFORME
Thanks.
Comment 5 Sergei Trofimovich gentoo-dev 2019-04-07 21:39:50 UTC
hppa stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:40:43 UTC
arm stable
Comment 7 Sergei Trofimovich gentoo-dev 2019-04-07 21:45:42 UTC
ia64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-04-07 21:54:23 UTC
ppc64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-04-08 02:19:03 UTC
x86 stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-04-08 06:21:06 UTC
ppc stable
Comment 11 Rolf Eike Beer 2019-04-08 21:59:12 UTC
sparc stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 17:52:14 UTC
alpha stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-21 01:50:28 UTC
@maintainer(s), please drop vulnerable.
Comment 14 Larry the Git Cow gentoo-dev 2019-04-21 02:14:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4fa77e074b321d4bf55c3eab587daed8227cac6

commit a4fa77e074b321d4bf55c3eab587daed8227cac6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-21 02:13:51 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-21 02:13:51 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/682306
    Package-Manager: Portage-2.3.64, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 www-servers/apache/Manifest                        |   4 -
 www-servers/apache/apache-2.4.34-r2.ebuild         | 262 ---------------------
 www-servers/apache/apache-2.4.38-r1.ebuild         | 257 --------------------
 .../apache/files/apache-2.4.34-PR62557.patch       | 216 -----------------
 .../apache-2.4.34-suexec_parallel_install.patch    |  19 --
 5 files changed, 758 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-04-22 23:30:48 UTC
This issue was resolved and addressed in
 GLSA 201904-20 at https://security.gentoo.org/glsa/201904-20
by GLSA coordinator Aaron Bauman (b-man).