Bug 909715 (CVE-2014-8109) - VUL-0: CVE-2014-8109: apache2: mod_lua: LuaAuthzProvider uses wrong arguments
Summary: VUL-0: CVE-2014-8109: apache2: mod_lua: LuaAuthzProvider uses wrong arguments
Status: RESOLVED FIXED
Alias: CVE-2014-8109
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111431/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-12 13:59 UTC by Alexander Bergmann
Modified: 2020-09-23 15:36 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proposed patch (3.17 KB, patch)
2014-12-12 17:24 UTC, Kristyna Streitova

Description Alexander Bergmann 2014-12-12 13:59:32 UTC
https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb

 Merge r1642499 from trunk:

  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
     used in multiple Require directives with different arguments.
     PR57204 [Edward Lu <Chaosed0 gmail.com>]

This only affects apache 2.4.
Comment 1 Kristyna Streitova 2014-12-12 17:24:16 UTC
Created attachment 616944 [details]
proposed patch

SLE
|===============================================|
| Package                             | Version |
|=====================================|=========|
| SUSE:SLE-10-SP3:Update:Test/apache2 | 2.2.3   |
| SUSE:SLE-10-SP4:Update:Test/apache2 | 2.2.3   |
| SUSE:SLE-11-SP1:Update:Test/apache2 | 2.2.12  |
| SUSE:SLE-11:Update:Test/apache2     | 2.2.10  |
| SUSE:SLE-12:Update/apache2          | 2.4.10  |


openSUSE
|===============================================|
| Package                             | Version |
|=====================================|=========|
| openSUSE:12.3:Update/apache2        | 2.2.22  |
| openSUSE:13.1:Update/apache2        | 2.4.6   |
| openSUSE:13.2:Update/apache2        | 2.4.10  |
| openSUSE:Factory                    | 2.4.10  |

This means that the affected packages are:
SUSE:SLE-12:Update/apache2
openSUSE:13.1
openSUSE:13.2
openSUSE:Factory

I'm attaching the patch that suits all the 2.4.x versions.
I also created maintenance update requests for:
openSUSE 13.1 (mr#265024)
openSUSE 13.2 (mr#265026)
Factory (sr#265022)

Waiting for SLE12 maintenance update call.
Comment 2 Bernhard Wiedemann 2014-12-12 18:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (909715) was mentioned in
https://build.opensuse.org/request/show/265024 13.1 / apache2
https://build.opensuse.org/request/show/265026 13.2 / apache2
Comment 3 Swamp Workflow Management 2014-12-12 23:00:34 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-12-29 16:06:20 UTC
openSUSE-SU-2014:1726-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 792309,842377,849445,864166,871310,909715
CVE References: CVE-2013-5704,CVE-2014-8109
Sources used:
openSUSE 13.2 (src):    apache2-2.4.10-4.1
openSUSE 13.1 (src):    apache2-2.4.6-6.37.1
openSUSE 12.3 (src):    apache2-2.2.29-10.20.1
Comment 5 Kristyna Streitova 2015-01-02 15:13:31 UTC
As the update was released (and the patch for SLE is ready to submit), I'm closing this bug.
Comment 6 Kristyna Streitova 2015-04-02 16:54:42 UTC
Submitted to SLE12: https://build.suse.de/request/show/54654
Comment 7 Swamp Workflow Management 2015-06-01 07:06:21 UTC
SUSE-SU-2015:0974-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 792309,871310,899836,909715,918352,923090
CVE References: CVE-2013-5704,CVE-2014-3581,CVE-2014-8109,CVE-2015-0228
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    apache2-2.4.10-12.1
SUSE Linux Enterprise Server 12 (src):    apache2-2.4.10-12.1