Bug 1605052 (CVE-2018-8011)
| Summary: | CVE-2018-8011 httpd: mod_md: NULL pointer dereference causing httpd child process crash | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | abhgupta, anon.amish, bmaxwell, bmcclain, cdewolf, chazlett, cmacedo, csutherl, darran.lofthouse, dbaker, dblechte, dfediuck, dffrench, dimitris, dosoudil, drusso, eedri, fgavrilo, gzaronik, hhorak, jawilson, jclere, jdoyle, jkaluza, jmadigan, jokerman, jondruse, jorton, jshepherd, lgao, lgriffin, luhliari, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, ngough, pahan, pgier, pjurak, ppalaga, psakar, pslavice, pwright, rnetuka, rstancel, rsvoboda, sbonazzo, sherold, sstavrev, sthangav, trankin, trepel, twalsh, vtunka, weli | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | httpd 2.4.34 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-06-10 10:33:44 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1605093, 1605094 | ||||||
| Bug Blocks: | 1605053 | ||||||
| Attachments: |
|
||||||
|
Description
Sam Fowler
2018-07-20 04:56:25 UTC
The affected mod_md module was only introduced upstream in version 2.4.30 as an experimental module:
*) mod_md: new experimental, module for managing domains across virtual hosts,
implementing the Let's Encrypt ACMEv1 protocol to signup and renew
certificates. Please read the modules documentation for further instructions
on how to use it. [Stefan Eissing]
http://archive.apache.org/dist/httpd/CHANGES_2.4.32
https://httpd.apache.org/docs/2.4/mod/mod_md.html
Note that versions 2.4.30 and 2.4.31 were not released, so the first released version with this functionality was 2.4.32.
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1605093] This should be the patch, as applied to the mod_md git repo: https://github.com/icing/mod_md/commit/e71001955809247b3aa4d269e1e0741b4fe0fc3d It notes the following fix for the mod_md 1.1.11: * fixes a Null Dereference when specially crafted requests are sent to the server. Reported by Daniel Caminada <daniel.caminada>. However, that commit includes additional unrelated changes (from mod_md 1.1.12). The relevant part should be the second and the third change to the mod_md.c file. The fix integrated to httpd trunk via this commit: http://svn.apache.org/viewvc?view=revision&revision=1832935 https://github.com/apache/httpd/commit/7bd724657c3b0a4a6016ca72f1be26ac9ebd8cd2 The fix to the 2.4 branch was even combined with lot of other changes, updating mod_md from version 1.0.8 to 1.1.15: https://github.com/apache/httpd/commit/acfdb68fb80618fe5af06dcfa1dd8ca7b0e6d76d Created attachment 1464893 [details] mod_md CVE-2018-8011 patch According to (previously private) discussion at security.org, the specific fix for the mod_md issue is as attached. I am making it public here for full disclosure. |