Need to update Apache


Postby Will94 » Dec 15th, '11, 18:35

I recently set up a Mageia 1 box with web forum software for my department's graduate students to use. I am trying to get port 80 opened in our campus firewall. The university has told me to upgrade Apache to version 2.2.21. I don't like using unstable software. Can I set up a "cauldron" site as a repository, upgrade Apache, and then remove that site? If so, what process should I follow? I have included the university's scan results below.

Thank you,

Will N.
Texas A&M University


------------------------------------------------------------
 . Warning found on port http (80/tcp)



    Synopsis :

    The remote web server may be affected by a denial of service
    vulnerability.

    Description :

    According to its banner, the version of Apache 2.2 installed on the
    remote host is older than 2.2.18.  Such versions are affected by a
    denial of service vulnerability due to an error in the 'apr_fnmatch'
    match function of the bundled APR library.

    If mod_autoindex is enabled and has indexed a directory containing
    files whose filenames are long, an attacker can cause high CPU usage
    with a specially crafted request.

    Note that the remote web server may not actually be affected by this
    vulnerability.  Nessus did not try to determine whether the affected
    module is in use or to check for the issue itself.

    See also :

    http://www.apache.org/dist/httpd/CHANGES_2.2.18
    http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
    http://securityreason.com/achievement_securityalert/98

    Solution :

    Either ensure the 'IndexOptions' configuration option is set to
    'IgnoreClient' or upgrade to Apache version 2.2.18 or later.

    Risk factor :

    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
    CVSS Temporal Score : 3.6
    (CVSS2#E:F/RL:OF/RC:C)
    Public Exploit Available : true

    Plugin output :

    Version source    : Server: Apache/2.2.17
      Installed version : 2.2.17
      Fixed version     : 2.2.18

    CVE : CVE-2011-0419
    BID : 47820
    Other references : OSVDB:73388, Secunia:44574



 . Warning found on port http (80/tcp)



    Synopsis :

    The remote web server may be affected by a denial
    of service vulnerability.

    Description :

    According to its banner, the version of Apache 2.2 installed on the
    remote host is earlier than 2.2.21.  It therefore is potentially
    affected by a denial of service vulnerability.

    An error exists in the 'mod_proxy_ajp' module that can allow
    specially crafted HTTP requests to cause a backend server to
    temporarily enter an error state. This vulnerability only occurs
    when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

    Note that Nessus did not actually test for the flaws but instead has
    relied on the version in the server's banner.

    See also :

    http://www.apache.org/dist/httpd/CHANGES_2.2.21
    http://httpd.apache.org/security/vulnerabilities_22.html

    Solution :

    Upgrade to Apache version 2.2.21 or later.

    Risk factor :

    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
    CVSS Temporal Score : 3.6
    (CVSS2#E:F/RL:OF/RC:C)
    Public Exploit Available : true

    Plugin output :

    Version source    : Server: Apache/2.2.17
      Installed version : 2.2.17
      Fixed version     : 2.2.21

    CVE : CVE-2011-3348
    BID : 49616
    Other references : OSVDB:75647
Last edited by Will94 on Dec 15th, '11, 19:10, edited 1 time in total.

Re: Need to update Apache

Postby doktor5000 » Dec 15th, '11, 19:05

You should report the last one as a security bug to our bugzilla: https://bugs.mageia.org
Some of the others are already fixed via an update: https://bugs.mageia.org/show_bug.cgi?id=1280
https://bugs.mageia.org/show_bug.cgi?id=2510

For productive use cauldron is not recommended.

BTW: Please next time use Code-tags for such output, improves on readability and clarity ;)
Last edited by doktor5000 on Dec 15th, '11, 19:06, edited 1 time in total.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts

Re: Need to update Apache

Postby wilcal » Dec 15th, '11, 19:06

Will94 wrote: Can I setup a "cauldron" site as a repository, upgrade Apache, and then remove that site?....

I think doktor5000 answers that question at the end of each of his messages:

Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!

Re: Need to update Apache

Postby Will94 » Dec 15th, '11, 19:46

Okay, I put the output in code tags.

I am a little confused as to why I should report the 2nd error to bugzilla. It sounded to me like an error from Apache that they have corrected in a later version of their software.

I downloaded and installed the file 'apache-mpm-prefork-2.2.21-5.mga2.i586'. It installed numerous dependencies, so I thought that everything was good. However, when I restarted Apache, I was still on version 2.2.17.

The only thing I can think to do is to try another distro which includes version 2.2.21.
:(

Re: Need to update Apache

Postby doktor5000 » Dec 15th, '11, 21:18

Will94 wrote: I am a little confused as to why I should report the 2nd error to bugzilla. It sounded to me like an error from Apache that they have corrected in a later version of their software.


Well, take a look at our updates policy: https://wiki.mageia.org/en/Updates_policy specifically at version policy.
Updates should normally be the old version with an added patch for a given bug or security issue.
That's why you should report this, so a fix for this gets added to the mga1 version of apache, as no version update is allowed.

That we don't have version 2.2.21 for mga1 does not mean that we don't have any bugfixes or security fixes from even later versions of Apache.

EDIT:
Will94 wrote: I downloaded and installed the file 'apache-mpm-prefork-2.2.21-5.mga2.i586'. It installed numerous dependencies, so I thought that everything was good. However, when I restarted Apache, I was still on version 2.2.17.

You might have also updated many system libraries and other programs to development versions.
This is not something that should be encouraged on a production system, in addition to the fact that you don't seem to follow the advice you've been given.

Re: Need to update Apache

Postby alien » Dec 15th, '11, 22:36

i've been contacted by doktor5000 to look at this, he says that CVE-2011-0419 seems already fixed.

about CVE-2011-3348, it's a bug in proxy_ajp (almost no one uses this, in my experience), AND you need to have it together with proxy_balancer to even be affected.

unless you're doing really funky things, just disable one or both of those modules; that way you're good to go.

in the meantime, thanks for the mention. if you have any similar issues, you can look up in the bug reports (search on the CVE-XXXX-XXXX), and see what happened with it. if it's not mentioned, you're free to add this bug to the bugreports. :-)

Re: Need to update Apache

Postby Will94 » Dec 15th, '11, 22:53

Thank you to everyone for all of the information. The report that I posted was way over my head. I did see that it mentioned that the scanning software hadn't even checked for the modules. Unfortunately, when you work at a university with 50,000 students, the security people tend to be inflexible. In other words, the fact that I wasn't using the vulnerable modules wouldn't matter to them.

As this is a brand new system, I wound up wiping it and installing Mandriva 2011 on it (which comes with Apache 2.2.21). As soon as the hole is open in the campus firewall, I will convert it to Mageia.

Re: Need to update Apache

Postby alien » Dec 16th, '11, 00:39

converting mandriva 2011 to mageia will perhaps not be that easy.

in any case, the bugfix has already been submitted to BS, and will be tested and pushed shortly.

be advised, that nessus will likely still say it's vulnerable (due to versioning), but you can undoubtedly show that it's been patched for these CVEs
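The replies above describe two kinds of evidence against a banner-only finding: the distribution package already carries a backported fix for the CVE, or the modules the flaw depends on are not loaded. A small triage script for that check, added here as an example (not code from any poster or from Mageia); the function names and sample text are constructed, and it assumes the packager names the CVE in the RPM changelog:

```shell
#!/bin/sh
# Added example: triage a banner-only scanner finding with local evidence.
# Function names are hypothetical; sample data below is constructed.

# cve_in_changelog CVE TEXT: true if the changelog text names the CVE.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# module_loaded NAME TEXT: true if NAME_module appears in `httpd -M` style output.
module_loaded() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*${1}_module([[:space:]]|\$)"
}

# triage CVE CHANGELOG MODULES REQUIRED_MODULE...: prints one verdict.
triage() {
    cve=$1; changelog=$2; modules=$3; shift 3
    if cve_in_changelog "$cve" "$changelog"; then
        echo "patched-by-backport"; return
    fi
    # The flaw needs every listed module; one missing means not exposed.
    for m in "$@"; do
        if ! module_loaded "$m" "$modules"; then
            echo "not-exposed"; return
        fi
    done
    echo "needs-action"
}

# Constructed changelog excerpt in `rpm -q --changelog` layout.
SAMPLE_CHANGELOG='* Mon Jan 01 2012 packager <packager@example.invalid> 0-0
- add patch for CVE-2011-0419 (apr_fnmatch DoS)'

# Constructed module list in `httpd -M` layout.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 autoindex_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)'

triage CVE-2011-0419 "$SAMPLE_CHANGELOG" "$SAMPLE_MODULES" autoindex
triage CVE-2011-3348 "$SAMPLE_CHANGELOG" "$SAMPLE_MODULES" proxy_ajp proxy_balancer

# Live use (replace <apache-package> with your distribution's package name):
#   triage CVE-2011-3348 "$(rpm -q --changelog <apache-package>)" \
#       "$(httpd -M 2>&1)" proxy_ajp proxy_balancer
```

The verdict and the raw changelog line or module list behind it are what you would attach when asking a security team to mark a version-based finding as a false positive.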

Re: Need to update Apache

Postby Will94 » Dec 16th, '11, 03:19

alien wrote: converting mandriva 2011 to mageia will perhaps not be that easy.

Back in September, I converted a Mandriva 2010.2 system to Mageia 1, using process 'b' from this page. It went very smoothly.
http://www.mageia.org/en/1/migrate/

I've got my message board up and running on Mandriva 2011. Port 80 has already been opened in the campus firewall. I had planned on waiting until Mandriva 2 was released and trying the same conversion process. I will make sure that I have a good backup before proceeding. :)

Re: Need to update Apache

Postby doktor5000 » Dec 16th, '11, 03:38

As alien already wrote, converting Mandriva 2011 to any mageia release will likely be really difficult,
mainly due to RPM5 and the only supported upgrade path currently is Mandriva 2010.2 -> Mageia 1.
Even Mandriva 2010.2 -> Mageia 2 should work in theory, but from 2011 due to bigger differences.

Re: Need to update Apache

Postby alien » Dec 16th, '11, 09:11

yes, Mandriva 2011 is notably very different from Mandriva 2010.{1,2}.

They are using a different RPM implementation, which means the rpm database is completely different. (rpm.org makes RPM v4; while there is a second org called RPM5.org which makes a completely different and incompatible RPM v5). It is almost singlehandedly the reason Mandriva 2011 was so late, as it normally should have been released instead of Mandriva 2010.2, which is just an updated copy of 2010.1 ...