Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Source: apache2
Version: 2.4.37-1
Severity: grave
Tags: patch security upstream

Hi (Stefan),

I agree the severity is not the best chosen one for this issue, it is more to ensure we could release buster with an appropriate fix already before the release. If you disagree, please do downgrade.

The following vulnerability was published for apache2.

CVE-2019-0190[0]:
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
[1] https://marc.info/?l=oss-security&m=154817901921421&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hello,

Debian bug is tagged as "patch", but I didn't find any patch in the related documents. Can you give me the link to the patch?

Cheers,
Xavier

On 22/01/2019 at 21:18, Salvatore Bonaccorso wrote:
> Source: apache2
> Version: 2.4.37-1
> Severity: grave
> Tags: patch security upstream
>
> Hi (Stefan),
>
> I agree the severity is not the best chosen one for this issue, it is
> more to ensure we could release buster with an appropriate fix already
> before the release. If you disagree, please do downgrade.
>
> The following vulnerability was published for apache2.
>
> CVE-2019-0190[0]:
> mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-0190
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
> [1] https://marc.info/?l=oss-security&m=154817901921421&w=2
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Control: tags -1 + fixed-upstream
Control: tags -1 - patch

Hi Xavier,

On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
>
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to the patch?

Well you are right, not a patch per se, maybe fixed-upstream and "there is a patch" would have been better. Let me fix that.

If feasible possibly updating to the new upstream version fixing this CVE (and two others) would be better if still feasible so short before the soft freeze.

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> Control: tags -1 + fixed-upstream
> Control: tags -1 - patch
>
> Hi Xavier,
>
> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
>> Hello,
>>
>> Debian bug is tagged as "patch", but I didn't find any patch in the
>> related documents. Can you give me the link to the patch?
>
> Well you are right, not a patch per se, maybe fixed-upstream and
> "there is a patch" would have been better. Let me fix that.
>
> If feasible possibly updating to the new upstream version fixing this
> CVE (and two others) would be better if still feasible so short before
> the soft freeze.
>
> Regards,
> Salvatore

Hello,

looking at the last release changelog, the bug seems not fixed.
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> >
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >> Hello,
> >>
> >> Debian bug is tagged as "patch", but I didn't find any patch in the
> >> related documents. Can you give me the link to the patch?
> >
> > Well you are right, not a patch per se, maybe fixed-upstream and
> > "there is a patch" would have been better. Let me fix that.
> >
> > If feasible possibly updating to the new upstream version fixing this
> > CVE (and two others) would be better if still feasible so short before
> > the soft freeze.
> >
> > Regards,
> > Salvatore
>
> Hello,
>
> looking at the last release changelog, the bug seems not fixed.

Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it is fixed in 2.4.38 upstream.

HTH,

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> Hi Xavier,
>
> On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
>> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
>>> Control: tags -1 + fixed-upstream
>>> Control: tags -1 - patch
>>>
>>> Hi Xavier,
>>>
>>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
>>>> Hello,
>>>>
>>>> Debian bug is tagged as "patch", but I didn't find any patch in the
>>>> related documents. Can you give me the link to the patch?
>>>
>>> Well you are right, not a patch per se, maybe fixed-upstream and
>>> "there is a patch" would have been better. Let me fix that.
>>>
>>> If feasible possibly updating to the new upstream version fixing this
>>> CVE (and two others) would be better if still feasible so short before
>>> the soft freeze.
>>>
>>> Regards,
>>> Salvatore
>>
>> Hello,
>>
>> looking at the last release changelog, the bug seems not fixed.
>
> Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> is fixed in 2.4.38 upstream.
>
> HTH,
>
> Regards,
> Salvatore

I see that, but the provided link [1] doesn't mention it, and neither does the apache2 changelog.

[1] https://httpd.apache.org/security/vulnerabilities_24.html
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to the patch?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two others) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at the last release changelog, the bug seems not fixed.
> >
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> >
> > HTH,
> >
> > Regards,
> > Salvatore
>
> I see that, but the provided link [1] doesn't mention it, and neither does the
> apache2 changelog.

I'm almost sure this is just because the respective vulnerabilities_24 page has just not yet been updated accordingly. The fixes are mentioned already in the upstream changelog at https://www.apache.org/dist/httpd/CHANGES_2.4.38.

Regards,
Salvatore
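The thread above pins down three facts a host-level triage needs: the affected mod_ssl is httpd 2.4.37, the exposure only exists when it runs with OpenSSL 1.1.1, and upstream 2.4.38 carries the fix. The following is an added example, not code from the bug report, from Debian or from Apache httpd. It reads the running server's own evidence rather than package metadata: the AH00489 startup notice in error.log (which names the httpd and OpenSSL versions actually loaded, so a package upgraded without a restart is still reported as running the old code) and the module list from `apache2ctl -M`. The log lines, module listings, pid/tid values and timestamps are constructed samples; the exact AH00489 wording is assumed from memory of httpd's startup message.

```python
"""Triage helper for CVE-2019-0190 (added example; not Debian's or httpd's code).

Encodes what the bug thread states: mod_ssl in httpd 2.4.37 is affected
when running with OpenSSL 1.1.1, and upstream 2.4.38 fixes it.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

FIRST_AFFECTED = (2, 4, 37)   # CVE title on this page: "mod_ssl 2.4.37"
FIXED_UPSTREAM = (2, 4, 38)   # CHANGES_2.4.38 cited in the thread
OPENSSL_BRANCH = (1, 1, 1)    # "when used with OpenSSL 1.1.1"

# Assumed shape of httpd's AH00489 startup notice, e.g.
# "AH00489: Apache/2.4.37 (Debian) OpenSSL/1.1.1a configured -- resuming normal operations"
AH00489 = re.compile(
    r"AH00489: Apache/(\d+)\.(\d+)\.(\d+)\S* .*?OpenSSL/(\d+)\.(\d+)\.(\d+)[a-z]*"
)


def parse_running_versions(error_log: str) -> Optional[Tuple[Version, Version]]:
    """Return (httpd, openssl) from the LAST AH00489 line in the log, i.e. the
    instance currently running, or None if no startup notice is present."""
    found = None
    for line in error_log.splitlines():
        m = AH00489.search(line)
        if m:
            nums = tuple(int(x) for x in m.groups())
            found = (nums[:3], nums[3:])
    return found


def mod_ssl_loaded(apachectl_m: str) -> bool:
    """True if `apache2ctl -M` lists ssl_module, whether static or shared."""
    return re.search(r"^\s*ssl_module \((static|shared)\)", apachectl_m, re.M) is not None


def triage(error_log: str, apachectl_m: str) -> Tuple[bool, str]:
    """Combine the three conditions from the thread into (affected, reason)."""
    versions = parse_running_versions(error_log)
    if versions is None:
        return False, "no AH00489 startup line found; cannot determine running versions"
    httpd, openssl = versions
    httpd_s = ".".join(map(str, httpd))
    openssl_s = ".".join(map(str, openssl))
    if not mod_ssl_loaded(apachectl_m):
        return False, f"ssl_module not loaded (httpd {httpd_s})"
    if openssl != OPENSSL_BRANCH:
        return False, f"OpenSSL {openssl_s} is not the 1.1.1 branch"
    if httpd >= FIXED_UPSTREAM:
        return False, f"httpd {httpd_s} includes the upstream fix (>= 2.4.38)"
    if httpd < FIRST_AFFECTED:
        return False, f"httpd {httpd_s} predates the affected release 2.4.37"
    return True, (f"httpd {httpd_s} mod_ssl running with OpenSSL {openssl_s}: "
                  "update to a package whose changelog names CVE-2019-0190")


# Constructed samples (not real logs from the bug report).
ERROR_LOG_AFFECTED = """\
[Tue Jan 22 21:18:00.000000 2019] [mpm_event:notice] [pid 4242:tid 4242] AH00489: Apache/2.4.37 (Debian) OpenSSL/1.1.1a configured -- resuming normal operations
[Tue Jan 22 21:18:00.000000 2019] [core:notice] [pid 4242:tid 4242] AH00094: Command line: '/usr/sbin/apache2'
"""
ERROR_LOG_FIXED = ERROR_LOG_AFFECTED.replace("Apache/2.4.37", "Apache/2.4.38")
MODULES_WITH_SSL = "Loaded Modules:\n core_module (static)\n ssl_module (shared)\n"
MODULES_WITHOUT_SSL = "Loaded Modules:\n core_module (static)\n"

if __name__ == "__main__":
    for name, log, mods in [("2.4.37+ssl", ERROR_LOG_AFFECTED, MODULES_WITH_SSL),
                            ("2.4.38+ssl", ERROR_LOG_FIXED, MODULES_WITH_SSL),
                            ("2.4.37 no ssl", ERROR_LOG_AFFECTED, MODULES_WITHOUT_SSL)]:
        affected, reason = triage(log, mods)
        print(f"{name}: {'AFFECTED' if affected else 'ok'} - {reason}")
```

On a real host feed it `/var/log/apache2/error.log` and the output of `apache2ctl -M`. The version gate is the upstream one; on a Debian stable release where the fix is backported without bumping the upstream version, the thread's own advice applies instead: look for the CVE id in the package changelog (`apt changelog apache2`) rather than trusting the version number alone.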
Processed: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Processing control commands:

> tags -1 + fixed-upstream
Bug #920220 [src:apache2] apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Added tag(s) fixed-upstream.
> tags -1 - patch
Bug #920220 [src:apache2] apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Removed tag(s) patch.

--
920220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems