Your message dated Wed, 07 Sep 2005 23:02:12 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#322607: fixed in apache 1.3.33-6sarge1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Jun 2005 22:49:46 +0000
>From [EMAIL PROTECTED] Tue Jun 28 15:49:44 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DnOtj-0005fj-00; Tue, 28 Jun 2005 15:49:43 -0700
Received: from dsl-082-082-137-197.arcor-ip.net ([82.82.137.197] helo=localhost.localdomain)
        by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50) id 1DnOo7-0006DV-N0
        for [EMAIL PROTECTED]; Wed, 29 Jun 2005 00:43:55 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.51)
        id 1DnOtX-0001i1-IX; Wed, 29 Jun 2005 00:49:31 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 82.82.137.197
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security issue in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions.  This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);
|
| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 322607-close) by bugs.debian.org; 8 Sep 2005 06:12:24 +0000
>From [EMAIL PROTECTED] Wed Sep 07 23:12:24 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EDFUC-0005Fn-00; Wed, 07 Sep 2005 23:02:12 -0700
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 07 Sep 2005 23:02:12 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: apache
Source-Version: 1.3.33-6sarge1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-6sarge1_all.deb
apache_1.3.33-6sarge1.diff.gz
  to pool/main/a/apache/apache_1.3.33-6sarge1.diff.gz
apache_1.3.33-6sarge1.dsc
  to pool/main/a/apache/apache_1.3.33-6sarge1.dsc
apache_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache_1.3.33-6sarge1_i386.deb
libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description:
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
 apache (1.3.33-6sarge1) stable-security; urgency=high
 .
   * Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response contains both Transfer-Encoding and
     Content-Length headers, the connection can be used for HTTP request
     smuggling and HTTP request spoofing attacks; see CAN-2005-2088
     (closes: #322607)
Files:
 1fd30bda6f8ced16f68a75b42062e719 1119 web optional apache_1.3.33-6sarge1.dsc
 1a34f13302878a8713a2ac760d9b6da8 3105683 web optional apache_1.3.33.orig.tar.gz
 9b04027dc8af9fc5c19bef5304d6d1a6 369073 web optional apache_1.3.33-6sarge1.diff.gz
 53df3e1f7e47375c957673ff49649ee2 1189326 doc optional apache-doc_1.3.33-6sarge1_all.deb
 2690e824569ca7d3b20c22697fff83ac 331258 devel extra apache-dev_1.3.33-6sarge1_all.deb
 1a9af803b7bb9ee718c8d2463157c73d 212030 web optional apache-utils_1.3.33-6sarge1_all.deb
 d1fb460ac66b9c279bb973962c6b37a6 385394 web optional apache_1.3.33-6sarge1_i386.deb
 fa4e8d3d4c725d0145c78b3f782566d3 492748 web optional apache-ssl_1.3.33-6sarge1_i386.deb
 49cff4c1bc76b51806afe487c0a93fd5 504894 web optional apache-perl_1.3.33-6sarge1_i386.deb
 d39bd56c23b083feeb2d30c1582ac091 9128930 devel extra apache-dbg_1.3.33-6sarge1_i386.deb
 ad852939fd0e97aa35f731e506888eca 844800 web optional apache-common_1.3.33-6sarge1_i386.deb
 0ad21611cc1f3e24e4b51b0b0a76b1bf 485896 web optional libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDHZeyvjztR8bOoMkRAvOjAJwJ3f0mL7AvhBpJ6ShyhUNVimqFYACgwMVT
FgcWRyATk4+fBtNgnFNPQfE=
=I7uU
-----END PGP SIGNATURE-----
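The mitigation quoted in the bug report (and applied by the sarge patch in the changelog above) is a simple rule: when a proxied backend response carries both Transfer-Encoding and Content-Length, drop the Content-Length before forwarding and do not reuse the backend connection. The following is an added illustration of that rule in Python; it is not code from Apache, mod_proxy or the Debian patch. The header parser, the `ProxyDecision` type and the constructed sample response are all assumptions made for the example.

```python
"""Added example: apply the Transfer-Encoding / Content-Length rule from the
2.1.6-alpha release note to a backend response before it is forwarded.
Not Apache or Debian code; names and sample data are constructed here."""
from dataclasses import dataclass, field


@dataclass
class ProxyDecision:
    """Hypothetical result type: what to forward and whether to keep the backend socket."""
    headers: list                                 # (name, value) pairs to forward
    reuse_connection: bool                        # False -> close after this response
    removed: list = field(default_factory=list)   # headers dropped, for logging/alerting


def parse_response_head(raw: bytes):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).

    Minimal by design: no folded continuation lines, no duplicate merging.
    Raises ValueError on a header line without a colon."""
    text = raw.decode("iso-8859-1")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def sanitize_backend_response(headers):
    """Enforce the rule from the release note.

    Both Transfer-Encoding and Content-Length present: strip Content-Length so
    the client sees only one framing method, and mark the connection as not
    reusable so leftover bytes cannot be replayed to the next request."""
    has_te = any(n.lower() == "transfer-encoding" for n, _ in headers)
    has_cl = any(n.lower() == "content-length" for n, _ in headers)
    if has_te and has_cl:
        kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
        dropped = [(n, v) for n, v in headers if n.lower() == "content-length"]
        return ProxyDecision(kept, False, dropped)
    return ProxyDecision(list(headers), True, [])


# Constructed sample: a backend answer with conflicting framing headers.
AMBIGUOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Constructed sample: a normal answer that needs no intervention.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello"
)


def decide(raw: bytes) -> ProxyDecision:
    """Parse a raw backend response head and apply the sanitizer."""
    _, headers = parse_response_head(raw)
    return sanitize_backend_response(headers)


if __name__ == "__main__":
    for label, raw in (("ambiguous", AMBIGUOUS_RESPONSE), ("clean", CLEAN_RESPONSE)):
        d = decide(raw)
        print(f"{label}: forward={d.headers} reuse={d.reuse_connection} removed={d.removed}")
```

The `removed` list is the piece worth wiring into logging: a backend that emits both framing headers is either misconfigured or being driven by a smuggling attempt, and either way the proxy operator wants to know which upstream produced it.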