Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)

2019-10-19 Thread Debian Bug Tracking System
Your message dated Sat, 19 Oct 2019 12:32:08 +
with message-id 
and subject line Bug#941202: fixed in apache2 2.4.38-3+deb10u2
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting 
balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting
to access details of a member in a mod_proxy_balancer http balancer via the
balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid
139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in
balancer-manager cross-site access, referer:
http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68
"

The net effect of this is an inability to dynamically change the status of
members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749:
https://svn.apache.org/viewvc?view=revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert  

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2 is related to:
ii  apache2  2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information

-- 


--- End Message ---
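An added triage helper for the AH10187 line quoted in the report above (example code, not part of the bug report or of the apache2 package): it parses Apache's default error_log layout, collects the AH10187 events and separates those whose Referer host is one the balancer-manager is actually served on (an admin's own request being refused, as in this bug) from those with a foreign Referer (the cross-site check blocking a request from elsewhere). The sample log lines and the host set are constructed.

```python
import re
from urllib.parse import urlsplit
# Default Apache 2.4 ErrorLogFormat, as in the report above:
# [time] [module:level] [pid N:tid M] [client IP:port] AHnnnnn: text, referer: URL
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

# Constructed sample: the reporter's AH10187 line (referer cut down to the
# balancer parameter) plus an unrelated startup notice that must not be flagged.
SAMPLE_LOG = (
    "[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] "
    "[pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring "
    "params in balancer-manager cross-site access, referer: "
    "http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer\n"
    "[Thu Sep 26 09:51:09.000000 2019] [mpm_event:notice] [pid 13100:tid 1399] "
    "AH00489: Apache/2.4.25 (Debian) configured -- resuming normal operations\n"
)

def parse_error_line(line):
    """Named fields of one error_log line, or None if it does not parse."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def balancer_manager_rejections(log_text):
    """One record per AH10187 event, with the Referer host pulled out."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_error_line(line)
        if rec and rec["code"] == "AH10187":
            ref = urlsplit(rec["referer"]) if rec["referer"] else None
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "referer_host": ref.hostname if ref else None})
    return hits

def triage(log_text, manager_hosts):
    """Count AH10187 events by Referer host: a host the manager is served on
    means an admin's own request was refused (this bug, or a vhost name/port
    mismatch); any other host means the cross-site check blocked a foreign request."""
    known = {h.lower() for h in manager_hosts}
    counts = {"same_host": 0, "foreign_host": 0, "no_referer": 0}
    for hit in balancer_manager_rejections(log_text):
        host = hit["referer_host"]
        key = ("no_referer" if host is None
               else "same_host" if host.lower() in known else "foreign_host")
        counts[key] += 1
    return counts
```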
--- Begin Message ---
Source: apache2
Source-Version: 2.4.38-3+deb10u2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 22:23:11 +0200
Source: apache2
Architecture: source
Version: 2.4.38-3+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Xavier Guimard 
Closes: 941202
Changes:
 apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium
 .
   * Fix CVE-2019-10092 patch (Closes: #941202)
Checksums-Sha1: 
 

Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)

2019-10-19 Thread Debian Bug Tracking System
Your message dated Sat, 19 Oct 2019 12:17:35 +
with message-id 
and subject line Bug#941202: fixed in apache2 2.4.25-3+deb9u9
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting 
balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Source-Version: 2.4.25-3+deb9u9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch  (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 17:43:54 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine 
apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u9
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers 
Changed-By: Stefan Fritsch 
Description: