Bug#279753: marked as done (apache: execute arbitrary code via SSI issue (CAN-2004-0940))

2004-11-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Nov 2004 08:33:14 +0100
with message-id [EMAIL PROTECTED]
and subject line Bug#279753: apache: execute arbitrary code via SSI issue
(CAN-2004-0940)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
Received: (at submit) by bugs.debian.org; 5 Nov 2004 05:08:22 +
From [EMAIL PROTECTED] Thu Nov 04 21:08:22 2004
Return-path: [EMAIL PROTECTED]
Received: from 204.57.138.210.xn.2iij.net (mebius) [210.138.57.204] 
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CPwKe-00085n-00; Thu, 04 Nov 2004 21:08:17 -0800
Received: by mebius (Postfix, from userid 1000)
id 7C20E44B0; Fri,  5 Nov 2004 14:10:27 +0900 (JST)
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Hideki Yamane [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: apache: execute arbitrary code via SSI issue (CAN-2004-0940)
X-Mailer: reportbug 3.1
Date: Fri, 05 Nov 2004 14:10:26 +0900
Message-Id: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
NO_DNS_FOR_FROM autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: apache
Version: 1.3.27-0.1
Severity: important
Tags: woody, security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dear apache maintainer team,

 How is the CAN-2004-0940 issue being coped with in woody?
 
 I've checked the Non-Vulnerability Security Information for woody page
 (http://www.debian.org/security/nonvulns-woody), but CAN-2004-0940 is
 not listed there. Probably it affects woody.
 
 I saw it was discussed on the debian-apache mailing list, but that was about
 the package in sarge and sid (1.3.31 based), not woody (1.3.26 based).
 So, I want to know the state of woody's apache.
 

- --
Regards,

 Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBiwtCIu0hy8THJksRAr6bAJ99PhH07nrrnOXzNkNfkXENg4L6sACcDbUC
oUeIp1I/D+s4lIoHkRCbs/Q=
=tYRw
-END PGP SIGNATURE-

---
Received: (at 279753-done) by bugs.debian.org; 5 Nov 2004 07:33:25 +
From [EMAIL PROTECTED] Thu Nov 04 23:33:25 2004
Return-path: [EMAIL PROTECTED]
Received: from port49.ds1-van.adsl.cybercity.dk (trider-g7.fabbione.net) 
[212.242.141.114] 
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CPyb7-0002Zf-00; Thu, 04 Nov 2004 23:33:25 -0800
Received: from localhost (localhost [127.0.0.1])
by trider-g7.fabbione.net (Postfix) with ESMTP id B15C37A68;
Fri,  5 Nov 2004 08:33:21 +0100 (CET)
Received: from trider-g7.fabbione.net ([127.0.0.1])
by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id 18886-14-8; Fri, 5 Nov 2004 08:33:13 +0100 (CET)
Received: from [192.168.1.6] (gordian.int.fabbione.net [192.168.1.6])
by trider-g7.fabbione.net (Postfix) with ESMTP id 2284C7A67;
Fri,  5 Nov 2004 08:33:13 +0100 (CET)
Message-ID: [EMAIL PROTECTED]
Date: Fri, 05 Nov 2004 08:33:14 +0100
From: Fabio Massimo Di Nitto [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 0.8 (X11/20041102)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Hideki Yamane [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Bug#279753: apache: execute arbitrary code via SSI issue
(CAN-2004-0940)
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
X-Enigmail-Version: 0.86.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at fabbione.net
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.3 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER,
SUBJ_HAS_UNIQ_ID autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Hideki Yamane wrote:
| Package: apache
| Version: 1.3.27-0.1

There is no such version in woody.

| Severity: important
| Tags: woody, security
|
| Dear apache maintainer team,
|
|  How is the CAN-2004-0940 issue being coped with in woody?

We are working on it. No need to panic.

|  I saw it was discussed on the debian-apache mailing list, but it is about
|  

Bug#279753: apache: execute arbitrary code via SSI issue (CAN-2004-0940)

2004-11-05 Thread Fabio Massimo Di Nitto
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hideki Yamane wrote:
| Hi,
|
|
|  Yes, stability is the most important thing in a stable release.
|
|  I would ask you: does "it needs to be built on all woody arches" mean
|  it needs more time to be checked, because the changed source should be
|  able to be built on each arch, or that it needs more time to be built on
|  all the arch machines? Both?
A combination of all of them :-) The source needs to build on all supported
architectures and be tested.
Clearly you cannot do the latter without the former ;)
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBizq4hCzbekR3nhgRAoTUAJ0ZrdOs3hlmugRSPz92haZUS53EdACePARU
JA1rfSoNX2/x6G41OpvWzlU=
=dLmU
-END PGP SIGNATURE-



Re: Bug#279753: apache: execute arbitrary code via SSI issue (CAN-2004-0940)

2004-11-05 Thread Fabio Massimo Di Nitto
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
This is offtopic for the bug.
Hideki Yamane wrote:
| Hi,
|
|   Fri, 05 Nov 2004 09:32:59 +0100, Fabio Massimo Di Nitto
|   Re: Bug#279753: apache: execute arbitrary code via SSI issue
(CAN-2004-0940)
|
|  Is that review process public or closed?  If it is public,
|  where can we read about it?
closed.
|  If some arch (a less powerful architecture like arm or m68k, etc.)
|  needs more time to build the package than i386 and so makes the release
|  late, I think we should do KAIZEN on the build system.
No. This is specified in the security release process. All the archs will get
the update at the same time.
|  (or use some emulation environment like Scratchbox for testing.
|   It is 10 times faster than the native env.)
|   http://linuxdevices.com/articles/AT6264230012.html
It is not the same as running on the native arch and it might introduce
unwanted side effects.
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBi0lahCzbekR3nhgRAs5IAJ4segE2AF7Who1wyW2hmOrD1fsimwCfZ0BQ
tlSUW/N9/m7s81SjlNfRBX8=
=Lq1n
-END PGP SIGNATURE-



Bug#279753: apache: execute arbitrary code via SSI issue (CAN-2004-0940)

2004-11-05 Thread Hideki Yamane
Hi,

  Fri, 05 Nov 2004 09:32:59 +0100, Fabio Massimo Di Nitto
  Re: Bug#279753: apache: execute arbitrary code via SSI issue
(CAN-2004-0940)

 Is that review process public or closed?  If it is public,
 where can we read about it?


> A combination of all of them :-) The source needs to build on all supported
> architectures and be tested.
> Clearly you cannot do the latter without the former ;)

 If some arch (a less powerful architecture like arm or m68k, etc.)
 needs more time to build the package than i386 and so makes the release
 late, I think we should do KAIZEN on the build system.

 (or use some emulation environment like Scratchbox for testing.
  It is 10 times faster than the native env.)
  http://linuxdevices.com/articles/AT6264230012.html
 



-- 
Regards,

 Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp
 Key fingerprint = 4555 82ED 38B6 C870 E099  388C 22ED 21CB C4C7 264B





Bug#237377: unsure if I am suffering the same thing

2004-11-05 Thread Jon Dowland
I am not sure if what I am suffering is due to the same bug.

Firstly, if this is a known problem, I have only been experiencing it
since Oct 25. 

It is not intermittent for me and happens consistently at night. I
believe this is due to log rotation; at least it appears that apache dies
at roughly the time that logrotate runs.

/etc/init.d/apache reload does *not* cause the problem if executed
manually, however. I have changed reload to restart in the logrotate
script, to see if that makes a difference. I will find out tomorrow
morning :)

The supplied patch is a no-go for my woody logrotate.

Also see this thread:
http://lists.debian.org/debian-user/2004/11/msg00028.html

uname -r: 2.4.22-physmem-patch3-5um
ii  apache 1.3.26-0woody5 Versatile, high-performance HTTP server

[Replies - please check your intended destination!]




bug in debian apache?

2004-11-05 Thread Peter Bredlöv
Hi!

I just upgraded to the newest (-7) release. But now I can't start apache again, 
and I get this error in my error log:

[Tue Nov  2 00:36:40 2004] [warn] make_sock: problem listening on port 80, 
filedescriptor (1069) larger than FD_SETSIZE (1024) found, you probably need to 
rebuild Apache with a larger FD_SETSIZE

I have about 2000 virtual hosts with separate log files. I found that if I 
turned logging off then apache starts, but it would be nice to be able to turn 
it back on again. This worked before, so maybe something was changed in this 
release (FD_SETSIZE?). Can this be fixed somehow? Should I report it as a bug?

Regards,
Peter Bredlöv
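The FD_SETSIZE warning above is Apache 1.3's make_sock refusing to go on, and the refusal is a memory-safety one: Apache 1.3 waits for connections with select(), whose fd_set is a fixed-size bitmap of FD_SETSIZE descriptors (1024 on Linux), and it opens every ErrorLog and CustomLog before it binds its listening sockets. With some 2000 per-vhost log files already open, the listening socket lands on descriptor 1069, and FD_SET() on it would write past the end of the fd_set rather than fail, so the server stops instead. The C program below is an added example written for this page, not Debian's or Apache's code. It shows the bounds check a select()-based server has to apply, how far past the fd_set a descriptor such as the reported 1069 would reach, and a poll()-based readiness check that carries the descriptor number in a struct and therefore has no such limit; the helper names (fd_fits_fd_set, fd_set_overrun_bytes, fd_set_checked, fd_readable_poll, push_fd_above) are this example's own.

```c
/* Added example for this page, not Debian's or Apache's code. Shows why a
 * select()-based server such as Apache 1.3 must refuse a descriptor numbered
 * >= FD_SETSIZE, and the poll() alternative. Helper names are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* 1 if fd can be placed in an fd_set without an out-of-bounds write, else 0. */
int fd_fits_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Bytes past the end of an fd_set that FD_SET(fd) would touch (0 if in range).
 * An fd_set is a bitmap, so descriptor n lives in byte n / 8 of the structure. */
int fd_set_overrun_bytes(int fd)
{
    long byte_index = fd / 8;
    long size = (long)sizeof(fd_set);   /* FD_SETSIZE / 8: 128 bytes on Linux */
    return byte_index < size ? 0 : (int)(byte_index - size + 1);
}

/* Bounds-checked FD_SET(): fails with EINVAL instead of silently overwriting
 * whatever follows the fd_set on the stack or heap. */
int fd_set_checked(int fd, fd_set *set)
{
    if (!fd_fits_fd_set(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* poll() readiness check: the descriptor number travels in struct pollfd, so
 * there is no bound comparable to FD_SETSIZE. Returns 1 readable, 0 timeout,
 * -1 error (errno = EBADF for a closed descriptor). */
int fd_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p;
    p.fd = fd;
    p.events = POLLIN;
    p.revents = 0;
    int rc = poll(&p, 1, timeout_ms);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;
    if (p.revents & POLLNVAL) {
        errno = EBADF;
        return -1;
    }
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Reproduce the reporter's situation: open /dev/null (standing in for the
 * ~2000 per-vhost log files Apache opens before binding its sockets) until the
 * kernel hands out a descriptor >= target. Returns it, or -1 once RLIMIT_NOFILE
 * is hit. Earlier descriptors are left open on purpose. */
int push_fd_above(int target)
{
    for (;;) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            return -1;                  /* usually EMFILE: ulimit -n too low */
        if (fd >= target)
            return fd;
    }
}

int main(void)
{
    struct rlimit rl;
    rlim_t want = (rlim_t)FD_SETSIZE + 64;   /* just enough headroom for the demo */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
        rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    int sock_like = push_fd_above(FD_SETSIZE);
    if (sock_like < 0) {
        printf("could not get past FD_SETSIZE=%d: %s (raise ulimit -n)\n",
               FD_SETSIZE, strerror(errno));
        return 1;
    }
    printf("descriptor %d: fits fd_set? %d; FD_SET would overrun by %d byte(s)\n",
           sock_like, fd_fits_fd_set(sock_like), fd_set_overrun_bytes(sock_like));
    fd_set readfds;
    FD_ZERO(&readfds);
    if (fd_set_checked(sock_like, &readfds) < 0)
        printf("select() path refused (%s), as Apache's make_sock does\n",
               strerror(errno));
    printf("poll() path on the same descriptor returned %d, with no fd_set involved\n",
           fd_readable_poll(sock_like, 0));
    return 0;
}
```

Run it with a raised descriptor limit (ulimit -n 2048) to see the refusal for descriptor 1024 and the same descriptor handled by poll(). Rebuilding Apache with a larger FD_SETSIZE, as the warning suggests, only moves the edge of the bitmap; the fd_set_overrun_bytes() arithmetic is the same at whatever size you pick, so the operational check is still that every descriptor handed to select() is below it.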




Bug#279865: apache-common: CAN-2004-0940 Vulnerable?

2004-11-05 Thread Helge Kreutzmann
Package: apache-common
Version: 1.3.26-0woody5
Severity: grave
Justification: user security hole
Tags: woody, security

According to 
http://www.apache.org/dist/httpd/Announcement.html

the new apache fixes two vulnerabilities with CAN-numbers. While -492 was
fixed in a previous security upload, there is no mention of 940 in
the changelog, nor did I find a bug report, nor is it mentioned on

http://www.debian.org/security/nonvulns-woody

Please reassign if I submitted against the wrong package or add this CAN to
the above-mentioned nonvulns-list if woody is not affected.

-- System Information
Debian Release: 3.0
Architecture: alpha
Kernel: Linux jari 2.4.26-grsec-hk04 #1 Fri Aug 6 12:23:40 CEST 2004 alpha
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache-common depends on:
ii  libc6.1       2.2.5-11.5   GNU C Library: Shared libraries an
ii  libdb2        2:2.7.7.0-7  The Berkeley database routines (ru
ii  libexpat1     1.95.2-6     XML parsing C library - runtime li
ii  perl          5.6.1-8.7    Larry Wall's Practical Extraction 
ii  perl [perl5]  5.6.1-8.7    Larry Wall's Practical Extraction 
-- 
Helge Kreutzmann, Dipl.-Phys.   [EMAIL PROTECTED]
   gpg signed mail preferred 
64bit GNU powered  http://www.itp.uni-hannover.de/~kreutzm
   Help keep free software libre: http://www.freepatents.org/




Bug#279865: marked as done (apache-common: CAN-2004-0940 Vulnerable?)

2004-11-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Nov 2004 15:03:33 +0100
with message-id [EMAIL PROTECTED]
and subject line Bug#279865: apache-common: CAN-2004-0940 Vulnerable?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
Received: (at submit) by bugs.debian.org; 5 Nov 2004 13:38:09 +
From [EMAIL PROTECTED] Fri Nov 05 05:38:09 2004
Return-path: [EMAIL PROTECTED]
Received: from mrelay3.uni-hannover.de [130.75.2.41] (root)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CQ4I5-0002wD-00; Fri, 05 Nov 2004 05:38:09 -0800
Received: from mail.itp.uni-hannover.de (mail.itp.uni-hannover.de 
[130.75.25.242])
by mrelay3.uni-hannover.de (8.12.10/8.12.10) with ESMTP id 
iA5Dc2lA018047
for [EMAIL PROTECTED]; Fri, 5 Nov 2004 14:38:02 +0100 (MET)
Received: from pleione.itp.uni-hannover.de (pleione.itp.uni-hannover.de 
[130.75.25.99])
by mail.itp.uni-hannover.de (Postfix) with ESMTP id B4A3B2F087
for [EMAIL PROTECTED]; Fri,  5 Nov 2004 14:37:57 +0100 (CET)
Received: by pleione.itp.uni-hannover.de (Postfix, from userid 237)
id 80A8F5F42; Fri,  5 Nov 2004 14:37:57 +0100 (CET)
Date: Fri, 5 Nov 2004 14:37:57 +0100
From: Helge Kreutzmann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: apache-common: CAN-2004-0940 Vulnerable?
Message-ID: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol=application/pgp-signature; boundary=jRHKVT23PllUwdXP
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Public-Key-URL: http://www.itp.uni-hannover.de/~kreutzm/data/kreutzm.gpg
X-homepage: http://www.itp.uni-hannover.de/~kreutzm
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.2.2 
(mrelay3.uni-hannover.de [130.75.2.41]); Fri, 05 Nov 2004 14:38:02 +0100 (MET)
X-Scanned-By: MIMEDefang 2.42
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache-common
Version: 1.3.26-0woody5
Severity: grave
Justification: user security hole
Tags: woody, security

According to 
http://www.apache.org/dist/httpd/Announcement.html

the new apache fixes two vulnerabilities with CAN-numbers. While -492 was
fixed in a previous security upload, there is no mention of 940 in
the changelog, nor did I find a bug report, nor is it mentioned on

http://www.debian.org/security/nonvulns-woody

Please reassign if I submitted against the wrong package or add this CAN to
the above-mentioned nonvulns-list if woody is not affected.

-- System Information
Debian Release: 3.0
Architecture: alpha
Kernel: Linux jari 2.4.26-grsec-hk04 #1 Fri Aug 6 12:23:40 CEST 2004 alpha
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache-common depends on:
ii  libc6.1       2.2.5-11.5   GNU C Library: Shared libraries an
ii  libdb2        2:2.7.7.0-7  The Berkeley database routines (ru
ii  libexpat1     1.95.2-6     XML parsing C library - runtime li
ii  perl          5.6.1-8.7    Larry Wall's Practical Extraction 
ii  perl [perl5]  5.6.1-8.7    Larry Wall's Practical Extraction 
-- 
Helge Kreutzmann, Dipl.-Phys.   [EMAIL PROTECTED]
   gpg signed mail preferred 
64bit GNU powered  http://www.itp.uni-hannover.de/~kreutzm
   Help keep free software libre: http://www.freepatents.org/

--jRHKVT23PllUwdXP
Content-Type: application/pgp-signature
Content-Disposition: inline

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBi4I1RsxcY/MYpWoRAonIAKC5WU+2P+NVJ9fdc7LuamZoqRrQsgCgs12i
5WsfQt4jKNUlIRGkBokbFZM=
=19ax
-END PGP SIGNATURE-

--jRHKVT23PllUwdXP--

---
Received: (at 279865-done) by bugs.debian.org; 5 Nov 2004 14:03:46 +
From [EMAIL PROTECTED] Fri Nov 05 06:03:45 2004
Return-path: [EMAIL PROTECTED]
Received: from port49.ds1-van.adsl.cybercity.dk (trider-g7.fabbione.net) 
[212.242.141.114] 
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CQ4gp-0005bL-00; Fri, 05 Nov 2004 06:03:43 -0800
Received: from localhost (localhost [127.0.0.1])

Bug#237377: unsure if I am suffering the same thing

2004-11-05 Thread Dave Ewart
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Friday, 05.11.2004 at 11:46 +, Jon Dowland wrote:

> I am not sure if what I am suffering is due to the same bug.
> 
> Firstly, if this is a known problem, I have only been experiencing it
> since Oct 25. 
> 
> It is not intermittent for me and happens consistently at night. I
> believe this is due to log rotation; at least it appears that apache dies
> at roughly the time that logrotate runs.

The above is undoubtedly correct.

> /etc/init.d/apache reload does *not* cause the problem if executed
> manually, however. I have changed reload to restart in the logrotate
> script, to see if that makes a difference. I will find out tomorrow
> morning :)

FWIW, for me, a manual '/etc/init.d/apache reload' *does* cause the
problem too.  My difficulty therefore reduces completely to
"/etc/init.d/apache reload makes Apache die".

Apache is version 1.3.26-0woody5 and included PHP support (version
4.1.2-7.0.1) - on a Woody system.  Problem started happening at the same
date as Jon has indicated.

Dave.

- -- 
Dave Ewart - [EMAIL PROTECTED] - jabber: [EMAIL PROTECTED]
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBi4tNnhBnac0o2pIRAhvUAJ9FG3QUabyW32xgR54xiKI4k3bGvwCgvbZ8
3Gzyz3oNuTCTmHJkcLYYQr0=
=V1SZ
-END PGP SIGNATURE-




Bug#279875: removing apache2-mpm-worker fails

2004-11-05 Thread Herbert Thielen
Package: apache2-mpm-worker
Version: 2.0.52-1
Severity: important

While trying to upgrade an older libapache2-mod-php4, apache2-mpm-worker
was to be removed.

But the removal failed, because /etc/init.d/apache2 stop returned an
error code (because apache2 had already been stopped before).

The pre-removal script shouldn't abort if this happens, because it makes
things harder in case apache2 cannot be started due to some config
problems.

Output follows:

 # apt-get install libapache2-mod-php4
[...]
 The following extra packages will be installed:
   apache2-mpm-prefork
 The following packages will be REMOVED:
   apache2-mpm-worker
 The following NEW packages will be installed:
   apache2-mpm-prefork libapache2-mod-php4
 0 upgraded, 2 newly installed, 1 to remove and 486 not upgraded.
 Need to get 0B/1811kB of archives.
 After unpacking 3178kB of additional disk space will be used.
 Do you want to continue? [Y/n] 
 dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you 
 request:
  apache2 depends on apache2-mpm-worker (= 2.0.52-1) | apache2-mpm-prefork (= 
 2.0.52-1) | apache2-mpm-perchild (= 2.0.52-1); however:
   Package apache2-mpm-worker is to be removed.
   Package apache2-mpm-prefork is not installed.
   Package apache2-mpm-perchild is not installed.
 (Reading database ... 133594 files and directories currently installed.)
 Removing apache2-mpm-worker ...
 Stopping web server: Apache2invoke-rc.d: initscript apache2, action stop 
 failed.
 dpkg: error processing apache2-mpm-worker (--remove):
  subprocess pre-removal script returned error exit status 1
 Errors were encountered while processing:
  apache2-mpm-worker
 E: Sub-process /usr/bin/dpkg returned an error code (1)



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.23-1-686
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache2-mpm-worker depends on:
ii  apache2-common  2.0.52-1      Next generation, scalable, extenda
ii  libapr0         2.0.52-1      The Apache Portable Runtime
ii  libc6           2.3.2.ds1-13  GNU C Library: Shared libraries an
ii  libdb4.2        4.2.52-17     Berkeley v4.2 Database Libraries [
ii  libexpat1       1.95.8-1      XML parsing C library - runtime li
ii  libldap2        2.1.30-3      OpenLDAP libraries
ii  libssl0.9.7     0.9.7d-4      SSL shared libraries
ii  zlib1g          1:1.2.1.1-5   compression library - runtime

-- no debconf information




Bug#279865: acknowledged by developer (Re: Bug#279865: apache-common: CAN-2004-0940 Vulnerable?)

2004-11-05 Thread Helge Kreutzmann
Hello,
On Fri, Nov 05, 2004 at 06:18:12AM -0800, Debian Bug Tracking System wrote:
> Thanks for reporting this twice already. Please, before filing bugs, you are
> welcome to check both the debian-apache mailing lists and
> bugs.debian.org/src:apache.

I *did* check the bts (though admittedly without using the
src:-prefix). Sorry to miss #279753. But this one is closed, and I
assumed to either find an open bug, or an entry in the non-vuln-list.
Is there a reason #279753 is closed already? If you keep it open, then
everyone can see that this is being actively worked on. And technically
speaking, the bug is still open.

Sorry for the double report and thanks for your work on apache.

Greetings

 Helge
-- 
Helge Kreutzmann, Dipl.-Phys.   [EMAIL PROTECTED]
   gpg signed mail preferred 
64bit GNU powered  http://www.itp.uni-hannover.de/~kreutzm
   Help keep free software libre: http://www.freepatents.org/




Bug#279865: acknowledged by developer (Re: Bug#279865: apache-common: CAN-2004-0940 Vulnerable?)

2004-11-05 Thread Fabio Massimo Di Nitto
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Helge Kreutzmann wrote:
| Hello,
| On Fri, Nov 05, 2004 at 06:18:12AM -0800, Debian Bug Tracking System wrote:
|
| > Thanks for reporting this twice already. Please, before filing bugs, you are
| > welcome to check both the debian-apache mailing lists and
| > bugs.debian.org/src:apache.
|
| I *did* check the bts (though admittedly without using the
| src:-prefix). Sorry to miss #279753. But this one is closed, and I
| assumed to either find an open bug, or an entry in the non-vuln-list.
| Is there a reason #279753 is closed already? If you keep it open, then
| everyone can see that this is being actively worked on. And technically
| speaking, the bug is still open.
Because it has been openly discussed on the mailing list, all the security
teams are already working on it. Plus, one of the apache 1.3 maintainers is
upstream too, and we follow the package closely and constantly.
Also, people should not panic every time there is a security bug. Sid has
been fixed in less than a few hours. Woody takes more time and it is always
followed by the related DSA if the problem affects a stable release.
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBi54PhCzbekR3nhgRArVKAKChFzlwir3v5nU6TUDjcPOu8c7DlwCgg8YY
cmNVSkfCX8e1dNx785axfAk=
=skKx
-END PGP SIGNATURE-



Processed: RE: Bug#279875: removing apache2-mpm-worker fails

2004-11-05 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> reassign 279875 apache-common
Bug#279875: removing apache2-mpm-worker fails
Bug reassigned from package `apache2-mpm-worker' to `apache-common'.

> severity 279875 normal
Bug#279875: removing apache2-mpm-worker fails
Severity set to `normal'.

> reassign 273759 apache-common
Bug#273759: removing apache2.conf file renders apache 2 non removable
Bug#263511: apache2-mpm-prefork.prerm needs to be robust
Bug reassigned from package `apache2-mpm-prefork' to `apache-common'.

> merge 279875 273759
Bug#273759: removing apache2.conf file renders apache 2 non removable
Bug#279875: removing apache2-mpm-worker fails
Bug#263511: apache2-mpm-prefork.prerm needs to be robust
Merged 263511 273759 279875.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)




Bug#237377: unsure if I am suffering the same thing

2004-11-05 Thread Adam Conrad
Dave Ewart wrote:
 
> FWIW, for me, a manual '/etc/init.d/apache reload' *does* cause the
> problem too.  My difficulty therefore reduces completely to
> "/etc/init.d/apache reload makes Apache die".
> 
> Apache is version 1.3.26-0woody5 and included PHP support (version
> 4.1.2-7.0.1) - on a Woody system.  Problem started happening 
> at the same date as Jon has indicated.

Hrm.  Looking back through DSAs, the only thing even remotely related
that was updated around that time was libpng{,3}.  Do you have php4-gd
(or php4-gd2) loaded, by any chance, or perhaps some other apache module
that might be loading libpng?  Does downgrading all relevant libpng
packages to the previous vulnerable versions help (or disabling
php4-gd)?  If not, the date seems to be a bit of a red herring, as
nothing directly related to apache or PHP was updated in Woody around
October 25...

... Adam