Bugzilla – Bug 938728
VUL-0: CVE-2015-3183: apache2: chunk header parsing defect
Last modified: 2016-01-28 15:36:21 UTC
rh#1243887

SECURITY: CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters. [Graham Leggett, Yann Ylavic]

Fixes:
http://svn.apache.org/viewvc?view=revision&revision=1684515
http://svn.apache.org/viewvc?view=revision&revision=1687338 (2.2.x)
http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1243887
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3183
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3183.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
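
The two limits named in the changelog entry above (chunk-size capped at 2^63-1, strict chunk-ext characters), as an added example that is not httpd code and not part of the referenced revisions. The names parse_chunk_header and chunk_err are hypothetical, and the accepted grammar is an assumption of this sketch: it checks one complete header line rather than a stream and allows no whitespace around the size.

```c
#include <stddef.h>
#include <stdint.h>

enum chunk_err { CHUNK_OK = 0, CHUNK_EMPTY = -1, CHUNK_OVERFLOW = -2,
                 CHUNK_BAD_CHAR = -3, CHUNK_NO_CRLF = -4 };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one complete chunk header line (assumed grammar for this example):
 *   1*HEXDIG [ ";" chunk-ext ] CRLF
 * On CHUNK_OK, *size holds the chunk length, 0 .. 2^63-1. */
int parse_chunk_header(const char *buf, size_t len, int64_t *size)
{
    uint64_t v = 0;
    size_t i = 0;
    int d;

    /* chunk-size: hex digits only, so "-1", "+5" and " 5" are rejected. */
    while (i < len && (d = hexval((unsigned char)buf[i])) >= 0) {
        /* v*16 + d must not exceed 2^63-1; test before shifting. */
        if (v > (((uint64_t)INT64_MAX - (uint64_t)d) >> 4))
            return CHUNK_OVERFLOW;
        v = (v << 4) | (uint64_t)d;
        i++;
    }
    if (i == 0)
        return CHUNK_EMPTY;

    /* chunk-ext: starts with ';', no control characters except TAB. */
    if (i < len && buf[i] == ';') {
        for (i++; i < len && buf[i] != '\r'; i++) {
            unsigned char c = (unsigned char)buf[i];
            if (c != '\t' && (c < 0x20 || c == 0x7f))
                return CHUNK_BAD_CHAR;
        }
    }
    /* The line must end here with CRLF; a bare LF or stray byte fails. */
    if (i + 2 != len || buf[i] != '\r' || buf[i + 1] != '\n')
        return (i < len && buf[i] != '\r') ? CHUNK_BAD_CHAR : CHUNK_NO_CRLF;
    *size = (int64_t)v;
    return CHUNK_OK;
}
```
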
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-08-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62232
Please review and accept rq#63430 first.
review open by autobuild, but I prepared incident 863
@Marcus: also I would like to add all apache2 modules to this update with the change described in bug 915666 comment 11.
SLE12 fix submitted. See mr#64852 (https://build.suse.de/request/show/64852)
Just for the record: It seems that more revisions are needed in order to fix this issue properly (see http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3183.html). It's mostly "follow up" revisions to the first one.

2.4.x
=====
http://svn.apache.org/viewvc?view=revision&revision=1684515
http://svn.apache.org/viewvc?view=revision&revision=1685904
http://svn.apache.org/viewvc?view=revision&revision=1685950
http://svn.apache.org/viewvc?view=revision&revision=1686271
http://svn.apache.org/viewvc?view=revision&revision=1688935
http://svn.apache.org/viewvc?view=revision&revision=1689821

2.2.x
=====
http://svn.apache.org/viewvc?view=revision&revision=1687338
http://svn.apache.org/viewvc?view=revision&revision=1687339
http://svn.apache.org/viewvc?view=revision&revision=1688936
http://svn.apache.org/viewvc?view=revision&revision=1689522
What redhat thinks about this CVE: https://bugzilla.redhat.com/show_bug.cgi?id=1243887#c5
How is that connected to CVE-2013-5704?
(In reply to Petr Gajdos from comment #10)
> How is that connected to CVE-2013-5704?

The attack mechanics seem to be similar, but the flaw is different.
(In reply to Andreas Stieger from comment #13)
> (In reply to Petr Gajdos from comment #10)
> > How is that connected to CVE-2013-5704?
>
> The attack mechanics seem to be similar, but the flaw is different.

I mean is CVE-2015-3183 implied by fix for CVE-2013-5704 or it is just independent?
(In reply to Petr Gajdos from comment #15)
> (In reply to Andreas Stieger from comment #13)
> > (In reply to Petr Gajdos from comment #10)
> > > How is that connected to CVE-2013-5704?
> >
> > The attack mechanics seem to be similar, but the flaw is different.
>
> I mean is CVE-2015-3183 implied by fix for CVE-2013-5704 or it is just
> independent?

CVE-2015-3183 is a new different problem, on top of CVE-2013-5704 (also modifying read_chunked_trailer)
This is an autogenerated message for OBS integration: This bug (938728) was mentioned in https://build.opensuse.org/request/show/333177 13.2+13.1 / apache2
(In reply to Petr Gajdos from comment #25)
> Created attachment 648551 [details]
> attempted patch for 13.1
>
> Kristyna, could you take over for openSUSE?
>
> Thank you!

Thank you for the patch.

Submitted to openSUSE 13.1 & 13.2:
https://build.opensuse.org/request/show/333177

We are done here. Reassigning to security-team.
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
openSUSE 13.2 (src): apache2-2.4.10-28.1
openSUSE 13.1 (src): apache2-2.4.6-6.50.1
This fix broke one of our servers (openSUSE 13.1) after the patch got installed yesterday. The server serves as a reverse proxy to an internal GlassFish application server using mod_proxy and mod_proxy_http. The configuration (somewhat simplified) looks like:

  <VirtualHost _default_:443>
      # standard SSL configuration ...
      SSLProxyEngine on
      <Location /some-service/>
          ProxyPass https://appserv.example.com:8181/some-service/
          Require ip 192.0.2.0/24
      </Location>
      <Location /other-service/>
          ProxyPass https://appserv.example.com:8181/other-service/
          Require all granted
      </Location>
      ProxyPassReverse / https://appserv.example.com:8181/
  </VirtualHost>

After applying patch openSUSE-2015-635, proxying stopped working: if the internal server replies with chunked transfer encoding, the Apache proxy truncates this reply to zero (but still sends this empty reply to the client with a 200 HTTP status code).
Rolf thank you, but we know this already, see bug 949218.
Thanks for the hint Petr! Indeed, the RPMs that you provided in bug 949218, comment 5 also fix the problem in my case. This confirms that this was also caused by the httpd-2.4.6-chunk_header_parsing_defect.patch.
Reassigning to bnc-team-apache because of wrong fix for openSUSE:13.1.
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src): apache2-mod_fastcgi-2.4.7-3.4.1
SUSE-SU-2015:1885-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 444878,931002,938728,941676
CVE References: CVE-2015-3183
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP4 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP3 (src): apache2-2.2.12-59.1
SUSE-SU-2015:1885-2: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 444878,931002,938728,941676
CVE References: CVE-2015-3183
Sources used:
SUSE Studio Onsite 1.3 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP4 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP3 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): apache2-2.2.12-59.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): apache2-2.2.12-59.1
13.1 is EOL now.