Your message dated Tue, 06 Sep 2005 07:47:04 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#322607: fixed in apache 1.3.33-8 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

Received: (at submit) by bugs.debian.org; 28 Jun 2005 22:49:46 +0000
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security issue in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions. This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);
| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------

Received: (at 322607-close) by bugs.debian.org; 6 Sep 2005 14:51:12 +0000
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#322607: fixed in apache 1.3.33-8
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 06 Sep 2005 07:47:04 -0700

Source: apache
Source-Version: 1.3.33-8

We believe that the bug you reported is fixed in the latest version of apache, which is due to be installed in the Debian FTP archive:
apache-common_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-common_1.3.33-8_powerpc.deb
apache-dbg_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-dbg_1.3.33-8_powerpc.deb
apache-dev_1.3.33-8_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-8_all.deb
apache-doc_1.3.33-8_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-8_all.deb
apache-perl_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-perl_1.3.33-8_powerpc.deb
apache-ssl_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-ssl_1.3.33-8_powerpc.deb
apache-utils_1.3.33-8_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-8_all.deb
apache_1.3.33-8.diff.gz
  to pool/main/a/apache/apache_1.3.33-8.diff.gz
apache_1.3.33-8.dsc
  to pool/main/a/apache/apache_1.3.33-8.dsc
apache_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache_1.3.33-8_powerpc.deb
libapache-mod-perl_1.29.0.3-8_powerpc.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-8_powerpc.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated apache package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 06 Sep 2005 23:25:55 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description:
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
 apache (1.3.33-8) unstable; urgency=medium
 .
   * Clean up debian/control, replacing hardcoded debconf dependencies with
     ${misc:Depends} and removing versioned dpkg dependencies, now that the
     version we want is in all of oldstable, stable, testing and unstable.
   * Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response contains both Transfer-Encoding and Content-Length
     headers, the connection can be used for HTTP request smuggling and HTTP
     request spoofing attacks; see CAN-2005-2088 (closes: #322607)
Files:
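The rule stated in the quoted 2.1.6-alpha note and in the 1.3.33-8 changelog entry above, as an added C example that is not Apache's or Debian's code: a hypothetical minimal header table (a stand-in for apr_table_t), a parser for a response head, and a sanitizer that drops Content-Length when Transfer-Encoding is also present and tells the caller the backend connection must not be reused. The sample response heads are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Minimal header table: a hypothetical stand-in for Apache's apr_table_t. */
struct hdr { char name[64]; char value[256]; };
struct hdr_table { struct hdr h[16]; int n; };

/* Parse the "Name: value\r\n" lines of a response head into t, skipping the
 * status line and stopping at the blank line; returns the count or -1. */
int parse_response_head(const char *raw, struct hdr_table *t) {
    const char *p = strstr(raw, "\r\n");       /* end of status line */
    t->n = 0;
    if (!p) return -1;
    p += 2;
    while (*p && strncmp(p, "\r\n", 2) != 0 && t->n < 16) {
        const char *colon = strchr(p, ':'), *eol = strstr(p, "\r\n");
        if (!colon || !eol || colon > eol) return -1;   /* line w/o colon */
        struct hdr *h = &t->h[t->n++];
        snprintf(h->name, sizeof h->name, "%.*s", (int)(colon - p), p);
        const char *v = colon + 1;
        while (*v == ' ' || *v == '\t') v++;
        snprintf(h->value, sizeof h->value, "%.*s", (int)(eol - v), v);
        p = eol + 2;
    }
    return t->n;
}
/* Header names are case-insensitive in HTTP, so compare with strcasecmp. */
const char *hdr_get(const struct hdr_table *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcasecmp(t->h[i].name, name) == 0) return t->h[i].value;
    return NULL;
}
static void hdr_unset(struct hdr_table *t, const char *name) {
    int j = 0;
    for (int i = 0; i < t->n; i++)
        if (strcasecmp(t->h[i].name, name) != 0) t->h[j++] = t->h[i];
    t->n = j;
}

/* The rule from the fix: with both headers present the body's end is
 * ambiguous, which is what smuggling relies on. Drop Content-Length so only
 * the transfer coding frames the body, and return 0 so the caller closes the
 * backend connection instead of reusing it; 1 means keep-alive is fine. */
int sanitize_proxy_response(struct hdr_table *t) {
    if (hdr_get(t, "Transfer-Encoding") && hdr_get(t, "Content-Length")) {
        hdr_unset(t, "Content-Length");
        return 0;
    }
    return 1;
}
```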