Friday, April 18, 2014

HEADS-UP: EPEL5 mod_security-2.6.8-5 security update is broken

A while ago, I pushed a mod_security security update (a one-line patch for CVE-2013-5705) without testing it thoroughly on EL5, and it turned out to be broken (httpd does not start) [1].

I usually test all packages before pushing updates, but at that time I didn't have access to my build box (which has all my test VMs).

If you're going to update mod_security on an EL5 box, you should get the one from epel5-testing:
https://admin.fedoraproject.org/updates/mod_security-2.6.8-6.el5

Sorry for any inconvenience caused.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1089343
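A recovery script for the situation described above, added here as an example; it is not from the post, the comments or the EPEL package itself. It assumes a CentOS/RHEL 5 host with yum, rpm and an httpd service, run as root. The package name mod_security and the build numbers 2.6.8-5.el5 (broken) and 2.6.8-6.el5 (fixed) come from the post; the function names and the --fix flag are the example's own. It enables epel-testing for a single yum transaction, as the maintainer suggests in the comments, and checks the httpd configuration before restarting so a still-broken install does not take the sites down a second time.

```shell
#!/bin/sh
# Added example (not part of the original post or of the EPEL package):
# recover an EL5 host where httpd refuses to start after the
# mod_security-2.6.8-5.el5 update by pulling 2.6.8-6.el5 from epel-testing
# for one yum transaction, then verifying the config before restarting.
# Assumptions: run as root on CentOS/RHEL 5, yum and rpm present,
# Apache runs as the "httpd" service.

set -u

PKG=mod_security
FIXED_REL=6      # first release known to start httpd again (2.6.8-6.el5)
BROKEN_REL=5     # release that breaks httpd startup (2.6.8-5.el5)

# Extract the numeric release from a "version-release" string such as
# "2.6.8-5.el5"; prints the number (5 here).
release_number() {
    r=${1##*-}       # "5.el5"
    echo "${r%%.*}"  # "5"
}

# Classify an installed mod_security version-release string:
#   broken  -> the 2.6.8-5 build, needs the epel-testing update
#   fixed   -> 2.6.8-6 or later
#   older   -> a 2.6.8 build from before the CVE-2013-5705 patch
#   unknown -> not a 2.6.8 build, leave it alone
modsec_state() {
    vr=$1
    ver=${vr%%-*}
    case "$ver" in
        2.6.8) ;;
        *) echo unknown; return ;;
    esac
    rel=$(release_number "$vr")
    if [ "$rel" -ge "$FIXED_REL" ]; then echo fixed
    elif [ "$rel" -eq "$BROKEN_REL" ]; then echo broken
    else echo older
    fi
}

# Query the installed package; prints nothing if mod_security is absent.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null || true
}

fix_modsec() {
    vr=$(installed_vr)
    [ -n "$vr" ] || { echo "$PKG is not installed"; return 1; }
    state=$(modsec_state "$vr")
    echo "installed $PKG-$vr: $state"
    case "$state" in
        fixed) ;;
        broken|older)
            # epel-testing is enabled for this transaction only. GPG checking
            # is left on: the repo copy is expected to carry the EPEL key,
            # unlike a raw build downloaded straight from koji.
            yum -y --enablerepo=epel-testing update "$PKG" || return 1 ;;
        *) echo "unexpected version $vr, not touching it"; return 1 ;;
    esac
    # Never restart blindly: a config error would leave httpd down again.
    httpd -t || { echo "httpd config still fails; see bz#1089343"; return 1; }
    service httpd restart
}

# Only perform the live fix when asked explicitly; sourcing or running the
# file without --fix just defines the functions.
if [ "${1:-}" = "--fix" ]; then
    fix_modsec
fi
```

Run it as `sh fix-modsec.sh --fix`; without the flag it only defines the helper functions, so the classification logic can be exercised on a workstation before touching the server.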

5 comments:

  1. Understood.
    In the meantime, how do I recover my Centos 5 server, which now has several broken sites because apache refuses to start? How do I connect to the epel5-testing repo so I can yum the fixed version?

    1. For anyone else with this issue (and not enough experience to work out how to fix it), download the update from the RPM section within the link below (select the right one for your server, e.g. src, i386, ppc or x86_64) and upload it via FTP/sFTP to your server. You can also wget it directly to the server. I used the Home directory for convenience, as shown in the command below.

      http://koji.fedoraproject.org/koji/buildinfo?buildID=511769

      Once uploaded, run the following to install it. The --nogpgcheck switch is needed to ignore the fact that the file is not yet signed (it's still in 'testing')

      yum localinstall /home/mod_security-2.6.8-6.el5.x86_64.rpm --nogpgcheck

      I hope this helps someone.

    2. You can run: 'yum update --enablerepo=epel-testing mod_security-2.6.8-6.el5'
      This will enable epel-testing just for that transaction (update mod_security).

      Also please do provide positive karma so I can push the fix ASAP to stable:

      'yum update --enablerepo=epel-testing mod_security-2.6.8-6.el5'

    3. How do I push positive Karma in a way that will help with that?
      I can say from direct experience that the testing update did allow me to restart apache on my CentOS 5 server.

  2. You need to log in at [1] and click "add comment"; please note that anonymous karma does not count as +1.

    [1] https://admin.fedoraproject.org/updates/mod_security-2.6.8-6.el5
