Your message dated Tue, 06 Sep 2005 07:47:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#322607: fixed in apache 1.3.33-8
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Jun 2005 22:49:46 +0000
>From [EMAIL PROTECTED] Tue Jun 28 15:49:44 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de)
[193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DnOtj-0005fj-00; Tue, 28 Jun 2005 15:49:43 -0700
Received: from dsl-082-082-137-197.arcor-ip.net ([82.82.137.197]
helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1DnOo7-0006DV-N0
for [EMAIL PROTECTED]; Wed, 29 Jun 2005 00:43:55 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.51)
id 1DnOtX-0001i1-IX; Wed, 29 Jun 2005 00:49:31 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache2: Security issues in HTTP proxy responses with both
Transfer-Encoding
and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 82.82.137.197
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: apache2
Severity: grave
Tags: security
Justification: user security hole
Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions. This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);
| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
---------------------------------------
Received: (at 322607-close) by bugs.debian.org; 6 Sep 2005 14:51:12 +0000
>From [EMAIL PROTECTED] Tue Sep 06 07:51:12 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1ECej2-0004mV-00; Tue, 06 Sep 2005 07:47:04 -0700
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322607: fixed in apache 1.3.33-8
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 06 Sep 2005 07:47:04 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: apache
Source-Version: 1.3.33-8
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-common_1.3.33-8_powerpc.deb
to pool/main/a/apache/apache-common_1.3.33-8_powerpc.deb
apache-dbg_1.3.33-8_powerpc.deb
to pool/main/a/apache/apache-dbg_1.3.33-8_powerpc.deb
apache-dev_1.3.33-8_all.deb
to pool/main/a/apache/apache-dev_1.3.33-8_all.deb
apache-doc_1.3.33-8_all.deb
to pool/main/a/apache/apache-doc_1.3.33-8_all.deb
apache-perl_1.3.33-8_powerpc.deb
to pool/main/a/apache/apache-perl_1.3.33-8_powerpc.deb
apache-ssl_1.3.33-8_powerpc.deb
to pool/main/a/apache/apache-ssl_1.3.33-8_powerpc.deb
apache-utils_1.3.33-8_all.deb
to pool/main/a/apache/apache-utils_1.3.33-8_all.deb
apache_1.3.33-8.diff.gz
to pool/main/a/apache/apache_1.3.33-8.diff.gz
apache_1.3.33-8.dsc
to pool/main/a/apache/apache_1.3.33-8.dsc
apache_1.3.33-8_powerpc.deb
to pool/main/a/apache/apache_1.3.33-8_powerpc.deb
libapache-mod-perl_1.29.0.3-8_powerpc.deb
to pool/main/a/apache/libapache-mod-perl_1.29.0.3-8_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 06 Sep 2005 23:25:55 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg
apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-8) unstable; urgency=medium
.
* Clean up debian/control, replacing hardcoded debconf dependencies with
${misc:Depends} and removing versioned dpkg dependencies, now that the
version we want is in all of oldstable, stable, testing and unstable.
* Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
where, when a response contains both Transfer-Encoding and Content-Length
headers, the connection can be used for HTTP request smuggling and HTTP
request spoofing attacks; see CAN-2005-2088 (closes: #322607)
Files:
2c621d1cbd3d3fa5628897586eac8f60 1095 web optional apache_1.3.33-8.dsc
fc381d48dae403c52633dd36ce19e5cf 369851 web optional apache_1.3.33-8.diff.gz
d3a0094e0aaaed16ffcdc1b1f9ab85f4 1189808 doc optional
apache-doc_1.3.33-8_all.deb
3ccac7b3837da33ce5789d9bb6f9af29 331724 devel extra apache-dev_1.3.33-8_all.deb
1d21498faed753ddb6a1fb1fb97e28b8 212432 web optional
apache-utils_1.3.33-8_all.deb
b7fc7e0732f38133a823170fb2491998 403266 web optional
apache_1.3.33-8_powerpc.deb
d9d472bd023d714807d433913696ecc6 514978 web optional
apache-ssl_1.3.33-8_powerpc.deb
394e0f96e418e5a25efa8b16bbe42888 522656 web optional
apache-perl_1.3.33-8_powerpc.deb
42e5a3f943b22ec7c07282f9df8f5e41 8727508 devel extra
apache-dbg_1.3.33-8_powerpc.deb
a0d02d64c84643d72f65d470900e92d1 915810 web optional
apache-common_1.3.33-8_powerpc.deb
98b38f86b954ba7ed28666a53010c4da 491188 perl optional
libapache-mod-perl_1.29.0.3-8_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDHaZmvjztR8bOoMkRAvfIAJ9XTUZIoIUWYpad/9qB/FKEmxsV6ACgrYip
wV1vM1SAiFNq4flou1eNXBM=
=Z0rk
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
