• core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
• mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
• mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583)
• mod_lua: fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments (CVE-2014-8109)

How to install

sudo dnf upgrade --advisory=FEDORA-2014-17195

This update has been submitted for testing by jkaluza.

6 years ago

Taskotron: depcheck test PASSED on i386. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/21828/steps/runtask/logs/stdio (results are informative only)

Taskotron: depcheck test PASSED on x86_64. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/21828/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 testing updates repository.

6 years ago

This update has been pushed to testing

6 years ago
empateinfinito commented & provided feedback 6 years ago

no issues :)

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago
abbra commented & provided feedback 6 years ago

This update breaks mod_wsgi.so:

(gdb) bt full
#0 apr_table_clear (t=0x0) at tables/apr_tables.c:467
No locals.
#1 0x00007fafbd772e78 in read_chunked_trailers (b=b@entry=0x7faf880078d0, merge=0, f=0x7faf880077b0, f=0x7faf880077b0, ctx=0x7faf88007910, ctx=0x7faf88007910) at http_filters.c:245
        rv = <optimized out>
        e = <optimized out>
        r = 0x7faf88004980
        saved_headers_in = 0x7faf88004c78
        saved_status = 401
#2 0x00007fafbd77409d in ap_http_filter (f=0x7faf880077b0, b=0x7faf880078d0, mode=AP_MODE_READBYTES, block=APR_BLOCK_READ, readbytes=8192) at http_filters.c:579
        conf = <optimized out>
        e = <optimized out>
        ctx = 0x7faf88007910
        rv = 0
        totalread = 327
        http_error = 413
        bb = 0x7faf88007968
#3 0x00007fafbd775341 in ap_discard_request_body (r=r@entry=0x7faf88004980) at http_filters.c:1455
        bucket = <optimized out>
        bb = 0x7faf880078d0
        rv = <optimized out>
        seen_eos = 0
#4 0x00007fafbd7470b9 in ap_finalize_request_protocol (r=0x7faf88004980) at protocol.c:1242
No locals.
#5 0x00007fafac4aa8ae in wsgi_hook_daemon_handler (c=<optimized out>) at src/server/mod_wsgi.c:11818
        rv = <optimized out>
        magic = 0x7faf8800634f "ddc57cae205bcebe790351d47fc98e18"
        e = <optimized out>
        bb = <optimized out>
        current = <optimized out>
        addr = <optimized out>
        queue_timeout_occurred = <optimized out>
        key = <optimized out>
        hash = <optimized out>
        csd = <optimized out>
        p = 0x7faf88004908
        filename = <optimized out>
        script = <optimized out>
---Type <return> to continue, or q <return> to quit---
        next = <optimized out>
        item = 0x7faf88006316 "0"
#6 wsgi_process_socket (daemon=0x7fafbff7d2c0, bucket_alloc=<optimized out>, sock=<optimized out>, p=<optimized out>) at src/server/mod_wsgi.c:7793
        rv = <optimized out>
        sbh = 0x0
        net = <optimized out>
#7 wsgi_daemon_worker (thread=<optimized out>, p=<optimized out>) at src/server/mod_wsgi.c:8122
        rv = <optimized out>
        pfd = {p = 0x0, desc_type = APR_POLL_SOCKET, reqevents = 1, rtnevents = 0, desc = {f = 0x7fafbff7d8a8, s = 0x7fafbff7d8a8}, client_data = 0x7fafbff7d2c0}
        daemon = 0x7fafbff7d2c0
        status = <optimized out>
        socket = 0x7faf88000a88
        numdesc = 1
        bucket_alloc = <optimized out>
        ptrans = 0x7faf880008e8
        pollset = 0x7faf88000960
        pdesc = 0x7faf88000a18
        group = <optimized out>
#8 wsgi_daemon_thread (thd=<optimized out>, data=<optimized out>) at src/server/mod_wsgi.c:8211
        thread = <optimized out>
        p = <optimized out>
#9 0x00007fafbc1d252a in start_thread (arg=0x7faf95c4d700) at pthread_create.c:310
        __res = <optimized out>
        pd = 0x7faf95c4d700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140392108709632, 8841336153390148798, 140392816695808, 0, 140392108709632, 140392108710336, -8796207462662050626, -8796158610326852418}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#10 0x00007fafbbd0a77d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

abbra commented & provided feedback 6 years ago

Just checked that downgrading to 2.4.10-9.fc21 solves the issue. Please fix the problem and check by, for example, deploying FreeIPA and connecting to FreeIPA's web interface, that mod_wsgi is actually working.

This is caused by mod_wsgi using the httpd API in an unsupported way. A fix to mod_wsgi has been pushed as https://admin.fedoraproject.org/updates/mod_wsgi-4.4.1-3.fc21 . I will push both packages (httpd and mod_wsgi) together in F21, so it should work for the end user.

hreindl commented & provided feedback 6 years ago

works for me

evillagr commented & provided feedback 6 years ago

Works fine on static http content and php content. Untested with mod_wsgi

Please see results here: [callowayj@localhost httpd]$ sudo ./runtests.sh

mstevens provided feedback 6 years ago

This update has reached the stable karma threshold and will be pushed to the stable updates repository

6 years ago

Taskotron: upgradepath test PASSED on noarch. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/47532/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 stable updates repository.

6 years ago

This update has been pushed to stable

6 years ago


Metadata
Type: security
Karma: 3
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 6 years ago
in testing: 6 years ago
in stable: 6 years ago

BZ#1082903 CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
BZ#1082908 CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests [fedora-all]
BZ#1149709 CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value
BZ#1149712 CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value [fedora-all]
BZ#1163555 CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
BZ#1163556 CVE-2014-3583 httpd: mod_proxy_fcgi heap-based buffer overflow [fedora-all]

Automated Test Results

Test Cases

Test Case HTTPd