Bug 869106 (CVE-2014-0098)

Summary: VUL-1: CVE-2014-0098: apache2: log_cookie mod_log_config.c remote denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Roman Drahtmueller <draht>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: david.chenworth, jechristensen, meissner, security-team, smash_bz, stokos
Version: unspecifiedKeywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/97118/
Whiteboard: maint:released:sle11-sp1:58333 wasL3:41331 maint:released:sle11-sp3:58335 maint:released:sle10-sp3:58334 CVSSv2:NVD:CVE-2014-0098:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2014-0098:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:UNK(Oracle):CVE-2014-0098:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: httpd-2.2.3-CVE-2014-0098.patch

Description Marcus Meissner 2014-03-19 09:53:47 UTC
CVE-2014-0098

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h
Comment 1 Marcus Meissner 2014-03-19 09:54:11 UTC
checked sle11 sp1 apache2 code, problem does not seem to be there..

so probably just opensuse affected.
Comment 2 Swamp Workflow Management 2014-03-19 23:00:28 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-06-02 12:46:38 UTC
I take above comment back.

redhat has a fix for 2.2, so we probablys need one too.
Comment 4 Marcus Meissner 2014-06-02 12:47:05 UTC
Created attachment 592976 [details]
httpd-2.2.3-CVE-2014-0098.patch

patch from rh
Comment 5 SMASH SMASH 2014-06-02 12:50:24 UTC
Affected packages:

SLE-11-SP3: apache2
Comment 6 Roman Drahtmueller 2014-06-02 12:58:52 UTC
*** Bug 874043 has been marked as a duplicate of this bug. ***
Comment 7 Roman Drahtmueller 2014-06-13 12:53:02 UTC
SLES12 is unaffected (2.4.9).
Comment 9 Swamp Workflow Management 2014-07-02 09:11:50 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-07-30.
https://swamp.suse.de/webswamp/wf/58158
Comment 10 SMASH SMASH 2014-07-02 09:15:31 UTC
Affected packages:

SLE-11-SP3: apache2
Comment 15 Roman Drahtmueller 2014-07-18 13:54:55 UTC
package submit will be superseded (momentarily) by a package with further changes from other bugzillas.
Comment 16 Bernhard Wiedemann 2014-07-25 16:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (869106) was mentioned in
https://build.opensuse.org/request/show/242399 Evergreen:11.4 / apache2.openSUSE_Evergreen_11.4
Comment 25 Swamp Workflow Management 2014-08-06 23:04:51 UTC
SUSE-SU-2014:0967-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 859916,869105,869106,887765,887768
CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    apache2-2.2.12-1.46.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    apache2-2.2.12-1.46.1
SUSE Linux Enterprise Server 11 SP3 (src):    apache2-2.2.12-1.46.1
Comment 26 Swamp Workflow Management 2014-08-07 21:04:46 UTC
openSUSE-SU-2014:0969-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 859916,869105,869106,871309,887765,887768
CVE References: CVE-2013-5705,CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 11.4 (src):    apache2-2.2.17-80.1, apache2-mod_security2-2.7.5-16.1
Comment 29 Swamp Workflow Management 2014-08-19 14:12:11 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-08-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58625
Comment 30 Swamp Workflow Management 2014-08-20 17:07:18 UTC
openSUSE-SU-2014:1044-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 869105,869106,887765,887767,887768,887771
CVE References: CVE-2013-4352,CVE-2013-6438,CVE-2014-0098,CVE-2014-0117,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 13.1 (src):    apache2-2.4.6-6.27.1
Comment 31 Swamp Workflow Management 2014-08-20 17:08:24 UTC
openSUSE-SU-2014:1045-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 869105,869106,887765,887768
CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 12.3 (src):    apache2-2.2.22-10.12.1