Your message dated Thu, 31 Jan 2008 07:52:14 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#453630: fixed in apache2 2.2.3-4+etch4 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: apache2 Version: 2.2.3-4+etch1 Severity: important Hi, I encoutered a weird error using mod_proxy_balancer and multiple <Proxy balancer://> section. Here is the config file: ---8<-------------------------------------------------------------------------- <Proxy balancer://back1> BalancerMember http://1.1.1.1 BalancerMember http://1.1.1.3 </Proxy> <Proxy balancer://back2> BalancerMember http://1.1.1.10 BalancerMember http://1.1.1.11 BalancerMember http://1.2.1.11 BalancerMember http://1.1.1.31 </Proxy> ---8<-------------------------------------------------------------------------- Here is the output of balancer-manager via html2text: ---8<-------------------------------------------------------------------------- ****** Load Balancer Manager for bd7 ****** Server Version: Apache/2.2.3 (Debian) Server Built: Jun 17 2007 20:16:04 =============================================================================== **** LoadBalancer Status for balancer://back1 **** StickySession Timeout FailoverAttempts Method 0 2 byrequests Worker URL Route RouteRedir Factor Status http://1.1.1.1 1 Ok http://1.1.1.3 1 Ok =============================================================================== **** LoadBalancer Status for balancer://back2 **** StickySession Timeout FailoverAttempts Method 0 3 byrequests Worker URL Route RouteRedir Factor Status http://1.1.1.1 1 Ok http://1.1.1.1 1 Ok http://1.2.1.11 1 Ok http://1.1.1.3 1 Ok =============================================================================== Apache/2.2.3 (Debian) Server at bd7 Port 80 ---8<-------------------------------------------------------------------------- Like you could see, there an abnormal shrink of the Worker URL in the second balancer status. It's kinda like when parsing the config file worker addresses are compared to previous worker but using the length() of the previous workers And the traffic isn't sent to the configured Urls. One way to workaround is reverse the definition of the balancer: ---8<-------------------------------------------------------------------------- <Proxy balancer://back2> BalancerMember http://1.1.1.10 BalancerMember http://1.1.1.11 BalancerMember http://1.2.1.11 BalancerMember http://1.1.1.31 </Proxy> <Proxy balancer://back1> BalancerMember http://1.1.1.1 BalancerMember http://1.1.1.3 </Proxy> ---8<-------------------------------------------------------------------------- But i fear that there is more implication than just this and than this could affect the entire mod_proxy module, since i've some weird result just using mod_rewrite and mod_proxy with same kind of destination URLs and traffic that flow where it shouldn't. Regards, benoit -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---Source: apache2 Source-Version: 2.2.3-4+etch4 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive: apache2-doc_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb apache2-mpm-event_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb apache2-mpm-perchild_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb apache2-mpm-prefork_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb apache2-mpm-worker_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb apache2-prefork-dev_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb apache2-src_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb apache2-threaded-dev_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb apache2-utils_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb apache2.2-common_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb apache2_2.2.3-4+etch4.diff.gz to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz apache2_2.2.3-4+etch4.dsc to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc apache2_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch <[EMAIL PROTECTED]> (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sun, 27 Jan 2008 19:05:30 +0100 Source: apache2 Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild Architecture: source all i386 Version: 2.2.3-4+etch4 Distribution: stable Urgency: low Maintainer: Debian Apache Maintainers <[EMAIL PROTECTED]> Changed-By: Stefan Fritsch <[EMAIL PROTECTED]> Description: apache2 - Next generation, scalable, extendable web server apache2-doc - documentation for apache2 apache2-mpm-event - Event driven model for Apache HTTPD 2.1 apache2-mpm-perchild - Transitional package - please remove apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1 apache2-prefork-dev - development headers for apache2 apache2-src - Apache source code apache2-threaded-dev - development headers for apache2 apache2-utils - utility programs for webservers apache2.2-common - Next generation, scalable, extendable web server Closes: 399776 421557 453630 453783 Changes: apache2 (2.2.3-4+etch4) stable; urgency=low . * Fix various cross site scripting vulnerabilities with browsers that do not conform to RFC 2616: Apache now adds explicit ContentType and Charset headers to the output of various modules, even if AddDefaultCharset is commented out. This includes directory indexes generated by mod_autoindex and mod_proxy_ftp, which are now marked as iso-8859-1 by default. (CVE-2007-4465, CVE-2008-0005, closes: #453783) To allow to specify the character set for the directory indexes, the Charset and Type IndexOptions and the ProxyFtpDirCharset directive have been backported from 2.2.8. If you use mod_autoindex and use UTF-8 for your filenames, you should add Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf . If you use mod_proxy_ftp, the default charset can be set with the ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf . ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to set the charset for specific servers. * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush (Closes: #399776, #421557) * More minor security fixes: - XSS in mod_imagemap (CVE-2007-5000) - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421) - XSS in HTTP method in 413 error message (CVE-2007-6203) - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422) * Fix mod_proxy_balancer configuration file parsing (closes: #453630). * Don't ship NEWS.Debian with apache2-utils as it affects only the server. Remove bogus reference to 2.2.3-5 from README.Debian, and add note about MSIE SSL workaround. Files: 7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc 968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb 266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb 02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb 83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l 3VZD992mATegUXxekL6UmEw= =p49f -----END PGP SIGNATURE-----
--- End Message ---
