Bug 743744 (CVE-2012-0021)

Summary: VUL-1: CVE-2012-0021: apache2: crash in mod_log_config due to specially crafted cookies
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Weckbecker <mweckbecker>
Component: General
Assignee: Roman Drahtmueller <draht>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.mendes, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:running:48395:moderate maint:running:50182:low
Found By: ---
Services Priority: 300
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Weckbecker 2012-01-27 09:04:47 UTC
A flaw [1] was found in mod_log_config.  If an administrator configured the
"%{cookiename}C" log format string to be used, a remote attacker could send a
specific cookie which would cause a crash.  This crash would only be a denial
of service if using a threaded MPM (such as event or worker).  Note that Red
Hat Enterprise Linux and Fedora use the prefork MPM by default.

This will be fixed upstream [2] in 2.2.22 and affects versions 2.2.17 up to and
including 2.2.21.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=52256
[2] http://svn.apache.org/viewvc?view=revision&revision=1227292
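
An added triage example (not code from this bug report, Apache or SUSE) that checks the three conditions named in the description above: a version in the stated range, a `%{cookiename}C` item in a log format, and a threaded MPM. The function names, verdict strings and sample configuration are constructed for illustration, and files pulled in through Include are assumed to be checked separately.

```python
import re

# Affected range as stated in the description: 2.2.17 up to and including 2.2.21.
FIRST_AFFECTED, LAST_AFFECTED = (2, 2, 17), (2, 2, 21)
THREADED_MPMS = {"event", "worker"}  # threaded MPMs named in the description
# %{name}C, allowing the optional status-code list and < / > modifiers before the brace.
COOKIE_ITEM = re.compile(r"%[!\d,<>]*\{([^}]*)\}C")
LOG_DIRECTIVE = re.compile(r"^\s*(LogFormat|CustomLog)\s+(.*)$", re.IGNORECASE)

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s %{session}C \
    %!200,304{tracking}C" withcookies
#LogFormat "%{disabled}C" unused
CustomLog logs/access_log withcookies
CustomLog logs/pct.log "%%{literal}C %{Referer}i"
'''

def cookie_log_items(conf_text):
    """Return (directive, cookie_name) for every %{cookiename}C item in use."""
    hits = []
    for line in conf_text.replace("\\\n", " ").splitlines():  # fold continuations
        m = LOG_DIRECTIVE.match(line)  # lines starting with '#' never match
        if not m:
            continue
        fmt = m.group(2).replace("%%", "")  # "%%" is a literal percent, not an item
        hits += [(m.group(1), name) for name in COOKIE_ITEM.findall(fmt)]
    return hits

def assess(version, mpm, conf_text):
    """Combine version, MPM and log format into one verdict plus the matching items."""
    items = cookie_log_items(conf_text)
    ver = tuple(int(part) for part in version.split(".")[:3])
    if not FIRST_AFFECTED <= ver <= LAST_AFFECTED:
        verdict = "version not affected"
    elif not items:
        verdict = "affected version, %{...}C not logged"
    elif mpm.lower() in THREADED_MPMS:
        verdict = "exposed: crash is a denial of service (threaded MPM)"
    else:
        verdict = "crash reachable, not a denial of service (non-threaded MPM)"
    return verdict, items

if __name__ == "__main__":
    print(assess("2.2.21", "worker", SAMPLE_CONF))
```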

Comment 4 Marcus Meissner 2012-04-13 18:32:36 UTC
As the original description says, it only affects Apache2 between 2.2.17 and 2.2.21.

=> Statement:

This only affects Apache2 versions after 2.2.17. SUSE Linux Enterprise products currently ship 2.2.12 and older Apache2 versions and so are not affected by this problem.

openSUSE 11.4 and 12.1 will receive fixes.

Comment 5 Roman Drahtmueller 2012-04-15 03:09:08 UTC
This one was on the agenda for the February update already; the bug was known to me by xmas 2011. However, we have determined that the bug doesn't qualify for a fix due to the rather exotic circumstances under which it becomes evident.

I'll take the fix into the list for the next update, as it doesn't really expose a threat that justifies its own update.
If you agree, of course.

Comment 8 Marcus Meissner 2013-02-25 15:43:48 UTC
perl bin/addnote CVE-2012-0021 "This Apache2 security problem only existed in versions 2.2.17 up to 2.2.22. Earlier versions were not affected, so SUSE Linux Enterprise 11 and previous products are not affected by this problem."

Only openSUSE 12.1 is affected by this, as it has 2.1.21.

Comment 9 Marcus Meissner 2013-03-19 13:23:37 UTC
Let's close, as 12.1 is nearing EOL.