Bug 715824 (CVE-2020-1927, CVE-2020-1934) - <www-servers/apache-2.4.43: Multiple vulnerabilities (CVE-2020-{1927,1934,1938})
Status: IN_PROGRESS
Alias: CVE-2020-1927, CVE-2020-1934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://httpd.apache.org/security/vul...
Whiteboard: B3 [stable? cve]
Reported: 2020-04-01 23:45 UTC by Sam James (sec padawan)
Modified: 2020-05-13 22:09 UTC

Description Sam James (sec padawan) 2020-04-01 23:45:14 UTC
Description:
"In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server."
Comment 1 Sam James (sec padawan) 2020-04-01 23:45:50 UTC
@maintainer(s), please advise if ready for stabilisation
Comment 2 Sam James (sec padawan) 2020-04-02 00:52:44 UTC
B3 -> C3 because needs specific config (mod_ftp here).
Comment 3 Sam James (sec padawan) 2020-04-02 01:40:46 UTC
* CVE-2020-1927

Description:
"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL."
Comment 4 Dirkjan Ochtman gentoo-dev 2020-04-02 05:57:41 UTC
Note that -1927 does not need config. Also, the memory leak in mod_ssl seems bad too (although that also would have to be configured).
Comment 5 Sam James (sec padawan) 2020-04-08 04:16:36 UTC
(In reply to Dirkjan Ochtman from comment #4)
> Note that -1927 does not need config. Also, the memory leak in mod_ssl seems
> bad too (although that also would have to be configured).

It needs mod_rewrite though, but I guess it is common enough.

@maintainer(s), please advise if ready for stabilisation.
Comment 6 Tomáš Mózes 2020-04-16 20:03:03 UTC
I've updated one of my testing machines to 2.4.43 (using latest openssl) with multiple wildcard certificates and vhosts and now ssllabs fails (instead of the vhost cert the expired localhost certificate is sent), also postman/newman fails, but firefox/chromium works fine.
Comment 7 Sam James (sec padawan) 2020-04-21 14:48:56 UTC
* CVE-2020-1938
 mod_proxy_ajp: Add "secret" parameter to proxy workers to
    implement legacy AJP13 authentication (bsc#1169066).

This was fixed in 2.4.42, I think, based on this:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865340/comments/1

(cannot set alias to it because bug 710656).
Comment 8 Sam James (sec padawan) 2020-05-05 22:36:30 UTC
(In reply to Tomáš Mózes from comment #6)
> I've updated one of my testing machines to 2.4.43 (using latest openssl)
> with multiple wildcard certificates and vhosts and now ssllabs fails
> (instead of the vhost cert the expired localhost certificate is sent), also
> postman/newman fails, but firefox/chromium works fine.

Is this definitely related to the new version of apache? Can you reproduce it with stable?