Your message dated Wed, 12 Sep 2012 22:32:16 +0000
with message-id <e1tbvtk-00083f...@franck.debian.org>
and subject line Bug#671204: fixed in apache2 2.2.16-6+squeeze8
has caused the Debian Bug report #671204,
regarding apache2: mod_cache caches 206 Partial Content responses
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
671204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671204
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.16-6+squeeze7
Severity: normal
Hello,
mod_cache suffered from a regression (from 2.2.12) causing it to cache
"206 Partial Content" responses and then serve these partial responses
when replying to normal requests.
This is upstream bug #49113, which has been fixed in apache2's SVN trunk,
but not yet backported to the 2.2.x branch.
Attached is a debdiff which applies the upstream patch to Debian's 2.2.16.
Thanks,
Colin
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cache cgi deflate dir disk_cache
env headers info jk mem_cache mime negotiation php5 proxy_http
proxy reqtimeout rewrite setenvif status
List of enabled php5 extensions:
gd mysql mysqli pdo pdo_mysql suhosin
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.16-6+squeeze7 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.16-6+squeeze7 Apache HTTP Server common files
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.16-6+squeeze7 utility programs for webservers
ii apache2.2-bin 2.2.16-6+squeeze7 Apache HTTP Server common binary f
ii libmagic1 5.04-5+squeeze1 File type determination library us
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9 /proc file system utilities
-- no debconf information
diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog
--- apache2-2.2.16/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
+
+ * Apply Apache provided fix for bug #49113 (mod_cache caches partial
+ content)
+
+ -- Colin Leroy <co...@colino.nte> Wed, 02 May 2012 14:18:00 +0200
+
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
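Review bot: the new changelog entry's bullet does not reference the Debian bug it fixes; append `Closes: #671204` to it (e.g. `content). Closes: #671204`) so the BTS closes the report automatically when the package is accepted, which is how the later squeeze8 upload records it.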
diff -u apache2-2.2.16/debian/patches/00list apache2-2.2.16/debian/patches/00list
--- apache2-2.2.16/debian/patches/00list
+++ apache2-2.2.16/debian/patches/00list
@@ -42,0 +43 @@
+203_mod_cache-partial-content.dpatch
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/203_mod_cache-partial-content.dpatch
+++ apache2-2.2.16/debian/patches/203_mod_cache-partial-content.dpatch
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 203_mod_cache-partial-content.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix caching of 206 partial content responses. Patch from
+## DP: upstream r933919, fixes upstream bug #49113
+
+--- trunk/modules/cache/mod_cache.c 2009/11/02 23:03:14 832177
++++ trunk/modules/cache/mod_cache.c 2010/04/14 12:00:11 933919
+@@ -734,7 +734,8 @@
+ * We include 304 Not Modified here too as this is the origin server
+ * telling us to serve the cached copy.
+ */
+- if (exps != NULL || cc_out != NULL) {
++ if ((exps != NULL || cc_out != NULL)
++ && r->status != HTTP_PARTIAL_CONTENT) {
+ /* We are also allowed to cache any response given that it has a
+ * valid Expires or Cache Control header. If we find a either of
+ * those here, we pass request through the rest of the tests. From
+@@ -747,6 +748,9 @@
+ * include the following: an Expires header (section 14.21); a
+ * "max-age", "s-maxage", "must-revalidate", "proxy-revalidate",
+ * "public" or "private" cache-control directive (section 14.9).
++ *
++ * But do NOT store 206 responses in any case since we
++ * don't (yet) cache partial responses.
+ */
+ }
+ else {
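Review bot: the new comment says 206 responses are not stored "in any case", but the `r->status != HTTP_PARTIAL_CONTENT` test is added only inside the `exps != NULL || cc_out != NULL` branch; for the comment to hold, the `else` branch (not visible in this hunk) must reject 206 on its own. Either confirm that branch's status list excludes HTTP_PARTIAL_CONTENT, or hoist the status check above the `if` so both paths share it and the comment matches the code.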
--- End Message ---
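The mod_cache behaviour the report above describes, modelled in Python as an added example (not Apache's or Debian's code): is_storable follows the branch structure of the patched condition in the hunk, while the default-cacheable status set, the toy cache and the origin are constructed assumptions; scenario(False) reproduces the bug (a 206 body served to a later plain request for the same URL) and scenario(True) the behaviour after the fix.

```python
from collections import namedtuple
# Added model (not Apache's code) of the mod_cache "may we store this?" test.
Response = namedtuple("Response", "status headers body")
HTTP_PARTIAL_CONTENT = 206
# Statuses stored by default when no freshness headers are present
# (constructed for this model; the else branch is not shown on the page).
DEFAULT_CACHEABLE = {200, 203, 300, 301, 410}

def is_storable(resp, fixed=True):
    """Mirror the branch structure of the patched condition in mod_cache.c."""
    exps = resp.headers.get("Expires")
    cc_out = resp.headers.get("Cache-Control")
    if exps is not None or cc_out is not None:
        # Before r933919 any status with Expires/Cache-Control passed here,
        # 206 included; the fix adds "&& r->status != HTTP_PARTIAL_CONTENT".
        if fixed and resp.status == HTTP_PARTIAL_CONTENT:
            return False
        return True
    return resp.status in DEFAULT_CACHEABLE

class ToyCache:
    """Keyed by URL only, like a cache that ignores Range when storing."""
    def __init__(self, fixed=True):
        self.fixed = fixed
        self.store = {}

    def handle(self, url, range_hdr, origin):
        """Serve a stored copy if present, else fetch and store if allowed."""
        if url in self.store:
            return self.store[url]
        resp = origin(url, range_hdr)
        if is_storable(resp, self.fixed):
            self.store[url] = resp
        return resp

FULL_BODY = b"0123456789"  # constructed origin content

def origin(url, range_hdr):
    """Constructed origin that honours a single 'bytes=a-b' Range header."""
    hdrs = {"Cache-Control": "max-age=3600"}
    if range_hdr:
        a, b = (int(x) for x in range_hdr[len("bytes="):].split("-"))
        return Response(206, hdrs, FULL_BODY[a:b + 1])
    return Response(200, hdrs, FULL_BODY)

def scenario(fixed):
    """A Range request, then a plain request for the same URL; return the 2nd reply."""
    cache = ToyCache(fixed)
    cache.handle("/file", "bytes=0-3", origin)
    second = cache.handle("/file", None, origin)
    return second.status, second.body
```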
--- Begin Message ---
Source: apache2
Source-Version: 2.2.16-6+squeeze8
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 671...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sun, 09 Sep 2012 23:08:04 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork
apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec
apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev
apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze8
Distribution: squeeze
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 671204 672333 677086
Changes:
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
.
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
prevent a possible XSS vulnerability for a site where untrusted users
can upload files to a location with MultiViews enabled.
* Send 408 status instead of 400 if reading of a request fails with a
timeout. This allows browsers to retry. Closes: #677086
* mod_cache: Prevent Partial Content responses from being cached and served
as normal response. Closes: #671204
* mpm_itk: Fix an issue where users can sometimes get spurious 403s on
persistent connections. Closes: #672333
--- End Message ---