Bug 706203 (CVE-2011-1928)
| Summary: | CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | jorton, mosvald, mvadkert, pcheung, security-response-team, tom.setliff | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-04-10 09:45:26 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 703519, 703521, 706350, 706351, 706352, 795917 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Vincent Danen
2011-05-19 18:24:16 UTC
Created attachment 499921 [details]
upstream patch
Patch provided by upstream to correct this issue.
This is actually public already: http://mail-archives.apache.org/mod_mbox/httpd-announce/201105.mbox/%3C4DD55092.3030403@apache.org%3E Upstream bug and commit: https://issues.apache.org/bugzilla/show_bug.cgi?id=51219 http://svn.apache.org/viewvc?view=revision&revision=1124328 This is CVE-2011-1928. This problem is triggered when using APR_FNM_PATHNAME flag. This is not used by mod_autoindex, so this problem is not triggered in the same way as the original problem CVE-2011-0419 (bug #703390). In certain configurations, this can be triggered by an HTTP request that does not need to be purposefully malicious. Upstream bug mentions following example: <Location "/*/WEB-INF/"> This problem can be mitigated by wildcards ('*' or '(dir1|dir2|dir3)' alternatives specifications) in the <Location> URL specifications, or using regular expression specifications instead (using <Location ~ > or <LocationMatch>). If you're temporarily downgrading to older apr version, consider applying CVE-2011-0419 mitigation as mentioned in bug #703390, comment #7. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 Via RHSA-2011:0844 https://rhn.redhat.com/errata/RHSA-2011-0844.html I added some details at the related Fedora page at https://bugzilla.redhat.com/show_bug.cgi?id=714182 But the general idea is that nist.gov says that version 2.2.17 and 2.2.18 is affected by combining these CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1928 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419 So even if the exploit doesn't exist in a patched 2.2.17 or 2.2.18 at least one vulnerably scanner company is being a pain about it. Sorry, I don't know if it is possible for you to get NIST to change the text. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0419 https://bugzilla.redhat.com/show_bug.cgi?id=714182 https://bugzilla.redhat.com/show_bug.cgi?id=703390 It seems to me the only resolution is to move to 2.2.19 |