Your message dated Fri, 17 Sep 2004 07:54:21 +0200 (CEST) with message-id <[EMAIL PROTECTED]> and subject line Bug#271945: apache in woody is missing security patches/updates has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 16 Sep 2004 11:11:11 +0000 >From [EMAIL PROTECTED] Thu Sep 16 04:11:11 2004 Return-path: <[EMAIL PROTECTED]> Received: from usergc137.dsl.pipex.com (smtp.e-tv-interactive.com) [62.190.170.137] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1C7uAQ-0000Jj-00; Thu, 16 Sep 2004 04:11:11 -0700 Received: from etvinteractive.com (unknown [192.168.1.194]) by smtp.e-tv-interactive.com (Postfix) with ESMTP id 5B4EA3366CC for <[EMAIL PROTECTED]>; Thu, 16 Sep 2004 12:10:28 +0100 (BST) Message-ID: <[EMAIL PROTECTED]> Date: Thu, 16 Sep 2004 13:10:17 +0100 From: Mark Bryars <[EMAIL PROTECTED]> User-Agent: Mozilla Thunderbird 0.5 (X11/20040306) X-Accept-Language: en-us, en MIME-Version: 1.0 To: [EMAIL PROTECTED] Subject: apache in woody is missing security patches/updates Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: Package: apache Version: 1.3.26-0woody5 Tags: woody, security In 1.3.28 there is a patch that prevents file descriptors leaking to child processes, this is not present. This causes processes spawned by php (in this case 4.1.2-6woody3, not tested 4.1.2-7.0.1 yet) to have full access to the apache logs, sockets etc. I suggest this patch could be backported. --------------------------------------- Received: (at 271945-done) by bugs.debian.org; 17 Sep 2004 05:54:33 +0000 >From [EMAIL PROTECTED] Thu Sep 16 22:54:33 2004 Return-path: <[EMAIL PROTECTED]> Received: from port1845.ds1-khk.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.190.82] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1C8BhY-0002Ql-00; Thu, 16 Sep 2004 22:54:33 -0700 Received: from localhost (localhost [127.0.0.1]) by trider-g7.fabbione.net (Postfix) with ESMTP id DB8F64C73; Fri, 17 Sep 2004 07:54:29 +0200 (CEST) Received: from trider-g7.fabbione.net ([127.0.0.1]) by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 00516-10; Fri, 17 Sep 2004 07:54:22 +0200 (CEST) Received: from trider-g7.ext.fabbione.net (port1845.ds1-khk.adsl.cybercity.dk [212.242.190.82]) by trider-g7.fabbione.net (Postfix) with ESMTP id 0CB324C72; Fri, 17 Sep 2004 07:54:22 +0200 (CEST) Date: Fri, 17 Sep 2004 07:54:21 +0200 (CEST) From: Fabio Massimo Di Nitto <[EMAIL PROTECTED]> Sender: [EMAIL PROTECTED] To: Matt Zimmerman <[EMAIL PROTECTED]>, [EMAIL PROTECTED] Cc: Debian Apache Maintainers <debian-apache@lists.debian.org> Subject: Re: Bug#271945: apache in woody is missing security patches/updates In-Reply-To: <[EMAIL PROTECTED]> Message-ID: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at fabbione.net Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: On Thu, 16 Sep 2004, Matt Zimmerman wrote: > On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote: > > > On Thu, 16 Sep 2004, Matt Zimmerman wrote: > > > > > Maintainers, please raise the severity of this bug and contact the > > > security > > > team if this is an urgent issue. > > > > Please can we have at least the CAN number and reference? Joey has been > > keeping track of this iirc. > > I thisk this refers to the follow upstream changelog entry: > > *) Certain 3rd party modules would bypass the Apache API and not > invoke ap_cleanup_for_exec() before creating sub-processes. > To such a child process, Apache's file descriptors (lock > fd's, log files, sockets) were accessible, allowing them > direct access to Apache log file etc. Where the OS allows, > we now add proactive close functions to prevent these file > descriptors from leaking to the child processes. > [Jim Jagielski, Martin Kraemer] > > This is a workaround for security bugs in third-party mobules (which ones?), > and not a security fix in itself. This problem is the one that has been discussed by Joey (iirc) together with upstream. The result of the discussion was that it is not worth to backport such a precaution since it includes an API change and possibly all external modules need to be ported to it (list is unknown). Also the benefits of this fix are minimal compared to the hundreds of many way a user can expose sensible data with a wrong config setup. Fabio -- <user> fajita: step one <fajita> Whatever the problem, step one is always to look in the error log. <user> fajita: step two <fajita> When in danger or in doubt, step two is to scream and shout.