Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to the patch?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two other) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at last release changelog, bug seems not fixed
> >
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> >
> > HTH,
> >
> > Regards,
> > Salvatore
>
> I see that but the provided link [1] doesn't mention it, nor the apache2
> changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are mentioned
already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> Hi Xavier,
>
> On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
>> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
>>> Control: tags -1 + fixed-upstream
>>> Control: tags -1 - patch
>>>
>>> Hi Xavier,
>>>
>>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
>>>> Hello,
>>>>
>>>> Debian bug is tagged as "patch", but I didn't find any patch in the
>>>> related documents. Can you give me the link to the patch?
>>>
>>> Well you are right, not a patch per se, maybe fixed-upstream and
>>> "there is a patch" would have been better. Let me fix that.
>>>
>>> If feasible possibly updating to the new upstream version fixing this
>>> CVE (and two other) would be better if still feasible so short before
>>> the soft freeze.
>>>
>>> Regards,
>>> Salvatore
>>
>> Hello,
>>
>> looking at last release changelog, bug seems not fixed
>
> Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> is fixed in 2.4.38 upstream.
>
> HTH,
>
> Regards,
> Salvatore

I see that but the provided link [1] doesn't mention it, nor the apache2
changelog.

[1] https://httpd.apache.org/security/vulnerabilities_24.html
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> >
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >> Hello,
> >>
> >> Debian bug is tagged as "patch", but I didn't find any patch in the
> >> related documents. Can you give me the link to the patch?
> >
> > Well you are right, not a patch per se, maybe fixed-upstream and
> > "there is a patch" would have been better. Let me fix that.
> >
> > If feasible possibly updating to the new upstream version fixing this
> > CVE (and two other) would be better if still feasible so short before
> > the soft freeze.
> >
> > Regards,
> > Salvatore
>
> Hello,
>
> looking at last release changelog, bug seems not fixed

Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
is fixed in 2.4.38 upstream.

HTH,

Regards,
Salvatore
Bug#920303: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore
Processed: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Processing control commands:

> found -1 2.4.25-3+deb9u6
Bug #920303 [src:apache2] apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Marked as found in versions apache2/2.4.25-3+deb9u6.
> found -1 2.4.25-3
Bug #920303 [src:apache2] apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Marked as found in versions apache2/2.4.25-3.

--
920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Processing control commands:

> found -1 2.4.25-3+deb9u6
Bug #920302 [src:apache2] apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Marked as found in versions apache2/2.4.25-3+deb9u6.
> found -1 2.4.25-3
Bug #920302 [src:apache2] apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Marked as found in versions apache2/2.4.25-3.

--
920302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#920302: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17189[0]:
mod_http2, DoS via slow, unneeded request bodies

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17189
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
[1] https://www.openwall.com/lists/oss-security/2019/01/22/2

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Control: tags -1 + fixed-upstream
Control: tags -1 - patch

Hi Xavier,

On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
>
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to the patch?

Well you are right, not a patch per se, maybe fixed-upstream and
"there is a patch" would have been better. Let me fix that.

If feasible possibly updating to the new upstream version fixing this
CVE (and two other) would be better if still feasible so short before
the soft freeze.

Regards,
Salvatore
Bug#902493: apache2-bin: Event MPM listener thread may get blocked by SSL shutdowns
I've had seemingly the same issue. After several weeks of running a backported apache2 2.4.37-1 the issues are gone. Previously it was happening several times every day, with the outage lasting sometimes 10 minutes or so. This was very difficult to troubleshoot, as nothing is logged, and it was relatively hard to find this bug report and find my way towards a solution. Applying the fix to stretch might help others who are struggling to understand the issue they are facing and are therefore not being heard.
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hello,

Debian bug is tagged as "patch", but I didn't find any patch in the
related documents. Can you give me the link to the patch?

Cheers,
Xavier

On 22/01/2019 at 21:18, Salvatore Bonaccorso wrote:
> Source: apache2
> Version: 2.4.37-1
> Severity: grave
> Tags: patch security upstream
>
> Hi (Stefan),
>
> I agree the severity is not the best chosen one for this issue, it is
> more to ensure we could release buster with an appropriate fix already
> before the release. If you disagree, please do downgrade.
>
> The following vulnerability was published for apache2.
>
> CVE-2019-0190[0]:
> mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-0190
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
> [1] https://marc.info/?l=oss-security=154817901921421=2
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>