Bug 1101688 (CVE-2018-8011)

Summary: VUL-1: CVE-2018-8011: apache2: mod_md DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Petr Gajdos <pgajdos>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/211024/
Whiteboard: CVSSv3:SUSE:CVE-2018-8011:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2018-07-18 15:05:16 UTC
CVE-2018-8011

Description:
By specially crafting HTTP requests, the mod_md challenge
handler would dereference a NULL pointer and cause the child
process to segfault. This could be used to DoS the server.

Mitigation:
All httpd users should upgrade to 2.4.34 or later.

Credit:
The issue was discovered by Daniel Caminada

Judging from our changes file SLE 15 only

References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8011
http://seclists.org/oss-sec/2018/q3/40
Comment 1 Petr Gajdos 2018-07-20 08:06:50 UTC
We do not enable mod_md build. For 15/apache2, I will add update-patch to 1.1.15 in case we will enable it later.
Comment 2 Petr Gajdos 2018-07-20 08:07:21 UTC
Nevertheless, we are not affected anywhere.
Comment 3 Johannes Segitz 2018-07-20 12:09:39 UTC
thanks
Comment 4 Petr Gajdos 2018-07-31 12:31:08 UTC
Package submitted: 15/apache2.
Comment 6 Swamp Workflow Management 2018-08-17 22:11:15 UTC
SUSE-SU-2018:2424-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101688,1101689
CVE References: CVE-2018-1333,CVE-2018-8011
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.3.1
Comment 7 Swamp Workflow Management 2018-08-19 13:09:22 UTC
openSUSE-SU-2018:2433-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101688,1101689
CVE References: CVE-2018-1333,CVE-2018-8011
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.3.1