Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)
Your message dated Sat, 19 Oct 2019 12:32:08 + with message-id and subject line
Bug#941202: fixed in apache2 2.4.38-3+deb10u2
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting to
access details of a member in a mod_proxy_balancer http balancer via the
balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68
"

The net effect of this is an inability to dynamically change the status of
members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749:
https://svn.apache.org/viewvc?view=revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
pn  www-browser

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
pn  www-browser

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information
--
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.38-3+deb10u2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 22:23:11 +0200
Source: apache2
Architecture: source
Version: 2.4.38-3+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Xavier Guimard
Closes: 941202
Changes:
 apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium
 .
   * Fix CVE-2019-10092 patch (Closes: #941202)
Checksums-Sha1:

Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)
Your message dated Sat, 19 Oct 2019 12:17:35 + with message-id and subject line
Bug#941202: fixed in apache2 2.4.25-3+deb9u9
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting to
access details of a member in a mod_proxy_balancer http balancer via the
balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68
"

The net effect of this is an inability to dynamically change the status of
members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749:
https://svn.apache.org/viewvc?view=revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert

Versions of packages apache2 suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
pn  www-browser

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc
pn  apache2-suexec-pristine | apache2-suexec-custom
pn  www-browser

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information
--
--- End Message ---

--- Begin Message ---
Source: apache2
Source-Version: 2.4.25-3+deb9u9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 17:43:54 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u9
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Stefan Fritsch
Description: