Bug#271945: marked as done (apache in woody is missing security patches/updates)
Your message dated Fri, 17 Sep 2004 07:54:21 +0200 (CEST) with message-id [EMAIL PROTECTED] and subject line Bug#271945: apache in woody is missing security patches/updates has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -- Received: (at submit) by bugs.debian.org; 16 Sep 2004 11:11:11 + From [EMAIL PROTECTED] Thu Sep 16 04:11:11 2004 Return-path: [EMAIL PROTECTED] Received: from usergc137.dsl.pipex.com (smtp.e-tv-interactive.com) [62.190.170.137] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1C7uAQ-Jj-00; Thu, 16 Sep 2004 04:11:11 -0700 Received: from etvinteractive.com (unknown [192.168.1.194]) by smtp.e-tv-interactive.com (Postfix) with ESMTP id 5B4EA3366CC for [EMAIL PROTECTED]; Thu, 16 Sep 2004 12:10:28 +0100 (BST) Message-ID: [EMAIL PROTECTED] Date: Thu, 16 Sep 2004 13:10:17 +0100 From: Mark Bryars [EMAIL PROTECTED] User-Agent: Mozilla Thunderbird 0.5 (X11/20040306) X-Accept-Language: en-us, en MIME-Version: 1.0 To: [EMAIL PROTECTED] Subject: apache in woody is missing security patches/updates Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: Package: apache Version: 1.3.26-0woody5 Tags: woody, security In 1.3.28 there is a patch that prevents file descriptors leaking to child processes, this is not present. This causes processes spawned by php (in this case 4.1.2-6woody3, not tested 4.1.2-7.0.1 yet) to have full access to the apache logs, sockets etc. I suggest this patch could be backported. --- Received: (at 271945-done) by bugs.debian.org; 17 Sep 2004 05:54:33 + From [EMAIL PROTECTED] Thu Sep 16 22:54:33 2004 Return-path: [EMAIL PROTECTED] Received: from port1845.ds1-khk.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.190.82] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1C8BhY-0002Ql-00; Thu, 16 Sep 2004 22:54:33 -0700 Received: from localhost (localhost [127.0.0.1]) by trider-g7.fabbione.net (Postfix) with ESMTP id DB8F64C73; Fri, 17 Sep 2004 07:54:29 +0200 (CEST) Received: from trider-g7.fabbione.net ([127.0.0.1]) by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 00516-10; Fri, 17 Sep 2004 07:54:22 +0200 (CEST) Received: from trider-g7.ext.fabbione.net (port1845.ds1-khk.adsl.cybercity.dk [212.242.190.82]) by trider-g7.fabbione.net (Postfix) with ESMTP id 0CB324C72; Fri, 17 Sep 2004 07:54:22 +0200 (CEST) Date: Fri, 17 Sep 2004 07:54:21 +0200 (CEST) From: Fabio Massimo Di Nitto [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] To: Matt Zimmerman [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Debian Apache Maintainers debian-apache@lists.debian.org Subject: Re: Bug#271945: apache in woody is missing security patches/updates In-Reply-To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at fabbione.net Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: On Thu, 16 Sep 2004, Matt Zimmerman wrote: On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote: On Thu, 16 Sep 2004, Matt Zimmerman wrote: Maintainers, please raise the severity of this bug and contact the security team if this is an urgent issue. Please can we have at least the CAN number and reference? Joey has been keeping track of this iirc. I thisk this refers to the follow upstream changelog entry: *) Certain 3rd party modules would bypass the Apache API and not invoke ap_cleanup_for_exec() before creating sub-processes. To such a child process, Apache's file descriptors (lock fd's, log files, sockets) were accessible, allowing them direct access to Apache log file etc. Where the OS allows, we now add proactive
Processed: Re: Bug#272069: apache: fix for #269009 raised a new problem
Processing commands for [EMAIL PROTECTED]: tag 272069 wontfix Bug#272069: apache: fix for #269009 raised a new problem There were no tags set. Tags added: wontfix severity 272069 wishlist Bug#272069: apache: fix for #269009 raised a new problem Severity set to `wishlist'. stop Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
apache-modconf and module ordering
hi *, i intend to package mod_chroot[1], an module which makes it possible to run Apache in a secure chroot environment without any aditional files. The `chroot' call is performed at the end of startup procedure, when all libraries are loaded and log files open. Well, the problem is, that mod_chroot has to be loaded as the last module during the apache startup. Now im wondering how to solve this, since apache-modconf doesn't provide the option to place modules in *whatever* order (at least, i didnt figure out how). I dont know if this situaion has been discussed at all, so im asking how to deal with such modules in general. Should the package resign to add the entry to modules.conf and leave this job to the administrator (by providing examples, README.Debian)? Is there a simple way to ensure that an module gets loaded as the last one all the time? [1] http://bugs.debian.org/272110 bye - michael
libapr0-dev: headers not found
This bug should probably be closed, as it seems to be a product of user confusion about what apxs -q INCLUDEDIR does. That option has historically (and always will, I suspect) output a single directory, showing the location of the apache header files, containing the prototypes for the ap_* functions. The fact that ap_* functions also reference apr_* and apu_* functions, and thus will need apr's headers present is irrelevant, much in the way that ap_* functions referencing openssl headers, or db4.2 headers shouldn't be something apxs -q INCLUDEDIR cares about. If you want a full list of -I/foo include directives to feed gcc which should fulfil apache's full list of required include search paths, you want apxs2 -q EXTRA_INCLUDES. If you find that apxs2 -q EXTRA_INCLUDES is also incomplete, please let us know and we'll fix it up to DTRT, but as far as I currently know, it should work. ... Adam
Re: Bug#272069: apache: fix for #269009 raised a new problem
tag 272069 wontfix severity 272069 wishlist stop On Fri, 17 Sep 2004, Gerfried Fuchs wrote: Package: apache Version: 1.3.31-6 Severity: important #269009's usage of www-browser instead of lynx raised a new problem: Not all www-browser alternatives do support -dump. This is a browser problem. Almost all the www-browsers support -dump. I fail to see why it is an apache problem to work around it. A package that offers an alternative should be capable to provide all the basic options as the others. netrik e.g. does need --dump. Switching to --dump on the other hand would make w3m getting problems. I don't know for other browsers that do the www-browser alternative like (e)links, lynx supports both. Well one of the 2 will have to switch. I am not dealing to implements 20 different exceptions because of this. This needs to be addressed soon and should IMHO definitely go into sarge. What a clean solution is I don't really now. It would be great if w3m supports GNU-style options, but I don't think that that is going to happen soon. I am leaving this bug open, but i don't believe it is our job to fix it so for me it's a wishlist that i wontfix. If you have valid arguments, I am wide open for discussion (that's why i am not closing it), but to me looks like an inconsistency between www-browsers that needs to be solved there. Fabio -- user fajita: step one fajita Whatever the problem, step one is always to look in the error log. user fajita: step two fajita When in danger or in doubt, step two is to scream and shout.
Re: Bug#271912: apache2 does not set request_rec-server-port
reassign 271912 apache2 tags 271912 + help retitle 271912 apache2 does not set request_rec-server-port thanks Thibaut VARENE [EMAIL PROTECTED] wrote: tags 271912 confirmed thanks On Fri, 17 Sep 2004 16:45:57 -0700 Andrew D. Clark [EMAIL PROTECTED] wrote: Sorry, I'll try to be more clear :-) Since the URI printed to the playlist.m3u file specifies port 0 for http transport, connections fail (since my http is listening on port 80, not on port 0). Replying to myself: I tried downgrade to 0.99.2, it didn't fix the problem. It looks like a bug in apache2, which no longer sets request_rec-server-port, making the following piece of code both fail and misbehave: /* add the port number if needed */ if (!ap_is_default_port(r-server-port, r)) { sprintf(str_port, :%u, r-server-port); strcat(prefix, str_port); } I'm therefore asking for help from the apache2 team and reassigning bug to apache2. HTH, Thibaut VARENE The PA/Linux ESIEE Team http://www.pateam.org/
Processed: Re: Bug#271912: apache2 does not set request_rec-server-port
Processing commands for [EMAIL PROTECTED]: reassign 271912 apache2 Bug#271912: libapache2-mod-musicindex: generates playlist.m3u files having URI like http://somehost:0/blah Bug reassigned from package `libapache2-mod-musicindex' to `apache2'. tags 271912 + help Bug#271912: libapache2-mod-musicindex: generates playlist.m3u files having URI like http://somehost:0/blah Tags were: confirmed Tags added: help retitle 271912 apache2 does not set request_rec-server-port Bug#271912: libapache2-mod-musicindex: generates playlist.m3u files having URI like http://somehost:0/blah Changed Bug title. thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
Processed: reassign 272103 to apache2-common
Processing commands for [EMAIL PROTECTED]: # Automatically generated email from bts, devscripts version 2.8.4 reassign 272103 apache2-common Bug#272103: FTBFS: apache2-common problem Bug reassigned from package `subversion' to `apache2-common'. End of message, stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
Processed: RE: Bug#271912: apache2 does not set request_rec-server-port
Processing commands for [EMAIL PROTECTED]: reassign 271912 libapache2-mod-musicindex Bug#271912: apache2 does not set request_rec-server-port Bug reassigned from package `apache2' to `libapache2-mod-musicindex'. thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
Bug#272069: apache: fix for #269009 raised a new problem
Package: apache Version: 1.3.31-6 Severity: important #269009's usage of www-browser instead of lynx raised a new problem: Not all www-browser alternatives do support -dump. netrik e.g. does need --dump. Switching to --dump on the other hand would make w3m getting problems. I don't know for other browsers that do the www-browser alternative like (e)links, lynx supports both. This needs to be addressed soon and should IMHO definitely go into sarge. What a clean solution is I don't really now. It would be great if w3m supports GNU-style options, but I don't think that that is going to happen soon. Thanks for working on it in advance. Alfie -- Aber der Aufwand Linux zu installieren und vim zu lernen ist *IMMER* geringer, als Outlook das Schreiben von vernünftigen Mails beizubringen. ;) -- Jens Benecke [2001-06-02]
Re: apache-modconf and module ordering
On Fri, Sep 17, 2004 at 04:12:50PM +0200, Michael Ablassmeier wrote: module during the apache startup. Now im wondering how to solve this, since apache-modconf doesn't provide the option to place modules in *whatever* order (at least, i didnt figure out how). darn. 500mod_x.info 500 is the priority of the module. If for example your module needs to be loaded before another one, you will have to set this number to be lower than the other module. shame on me. bye, - michael
Bug#253775: marked as done (libapache2-svn: logs incorrect data when faced with IIS WebDAV SEARCH attack)
Your message dated Fri, 17 Sep 2004 08:40:55 -0600 with message-id [EMAIL PROTECTED] and subject line logs incorrect data when faced with IIS WebDAV SEARCH attack has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -- Received: (at submit) by bugs.debian.org; 11 Jun 2004 01:50:53 + From [EMAIL PROTECTED] Thu Jun 10 18:50:53 2004 Return-path: [EMAIL PROTECTED] Received: from bdsl.66.12.153.218.gte.net (scottstuff.net) [66.12.153.218] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1BYbC1-0001Nx-00; Thu, 10 Jun 2004 18:50:53 -0700 Received: from localhost (localhost [127.0.0.1]) (uid 1000) by scottstuff.net with local; Thu, 10 Jun 2004 18:50:49 -0700 Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Scott Laird [EMAIL PROTECTED] To: Debian Bug Tracking System [EMAIL PROTECTED] Subject: libapache2-svn: logs incorrect data when faced with IIS WebDAV SEARCH attack X-Mailer: reportbug 2.61 Date: Thu, 10 Jun 2004 18:50:49 -0700 Message-ID: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: Package: libapache2-svn Version: 1.0.3-1 Severity: important Tags: security sid I get hit with at least one exploit attempt per day that consists of an HTTP 'SEARCH' command followed by approximately 32k of overflow data. Google suggests that this is an attempt to exploit a known IIS WebDAV bug. Under normal circumstances, this wouldn't bother me, since I wouldn't touch IIS with a ten-foot pole (and wouldn't submit Debian bugs about it, even if I had a longer pole). However, about half of the access log entries for exploit attempts contain strings from my personal Subversion repository as part of the logged HTTP SEARCH string. An example is available at http://scottstuff.net/misc/apache-log.txt. The final 4k of the logged string belongs to a file that is maintained via WebDAV and Subversion. It contains personal details and clearly wasn't submitted as part of the exploit. Therefore, there's probably an overflow somewhere in Subversion or Apache 2, and this IIS exploit is causing Apache/Subversion to misbehave, appending something from somewhere else in memory onto the logged string. Alternately, Apache could be truncating the logged string around 32k but forgetting to append the trailing '\0', but I haven't seen any evidence of this in a quick survey of the code. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.4.25 Locale: LANG=C, LC_CTYPE=C Versions of packages libapache2-svn depends on: ii apache2-mpm-prefork [apache 2.0.49-1 Traditional model for Apache2 ii db4.2-util 4.2.52-10Berkeley v4.2 Database Utilities ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an ii libsvn0 1.0.3-1 Shared libraries used by Subversio -- no debconf information --- Received: (at 253775-done) by bugs.debian.org; 17 Sep 2004 14:40:56 + From [EMAIL PROTECTED] Fri Sep 17 07:40:56 2004 Return-path: [EMAIL PROTECTED] Received: from s010600e029962405.cg.shawcable.net (lucifer.0c3.net) [68.147.203.152] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1C8Juy-FZ-00; Fri, 17 Sep 2004 07:40:56 -0700 Received: from adconrad by lucifer.0c3.net with local (Exim 3.36 #1 (Debian)) id 1C8Jux-0002ps-00 for [EMAIL PROTECTED]; Fri, 17 Sep 2004 08:40:55 -0600 To: [EMAIL PROTECTED] Subject: logs incorrect data when faced with IIS WebDAV SEARCH attack Message-Id: [EMAIL PROTECTED] From: Adam Conrad [EMAIL PROTECTED] Date: Fri, 17 Sep 2004 08:40:55 -0600 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_01 autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: This bug was fixed several upstream revisions back, and the off-by-one error introduced by the bugfix was fixed in 2.0.51, allowing this bug to finally be closed.