[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
This bug was fixed in the package apache2 - 2.2.14-5ubuntu7

---
apache2 (2.2.14-5ubuntu7) lucid; urgency=low

  * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. Backported from 2.2.15.
  * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server has reached MaxClients until it has. Backported from 2.2.15
  * debian/config-dir/apache2.conf: Make the Files ~ ^\.ht block in apache2.conf more secure by adding Satisfy all. (Debian bug: #572075)
  * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch, debian/config2-dir/mods-available/reqtimeout.load, debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris bug in apache. Enable it by default. (LP: #392759)

 -- Chuck Short zul...@ubuntu.com  Mon, 05 Apr 2010 09:53:35 -0400

** Changed in: apache2 (Ubuntu Lucid)
Status: Triaged => Fix Released

--
[FFE] apache2 DoS attack using slowloris
https://bugs.launchpad.net/bugs/392759
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
Please also grab the NEWS.Debian as Stefan suggests. FFe granted.
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
** Changed in: apache2 (Ubuntu Lucid)
Assignee: (unassigned) => Chuck Short (zulcss)
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
This has been fixed in 2.2.16 by enabling the module mod-reqtimeout. It has been enabled by default in the next release in Debian already. I think this is an important fix for lucid that should be necessary. I have attached the debdiff and build log. I have run ab against it and it has not affected my server.

If you have any questions, please let me know.

Regards
chuck

** Summary changed:
- apache2 DoS attack using slowloris
+ [FFE] apache2 DoS attack using slowloris
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
** Attachment added: apache2-mod-reqtimeout.debdiff
http://launchpadlibrarian.net/43438704/apache2-mod-reqtimeout.debdiff
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
** Attachment added: apache2_2.2.14-5ubuntu7_amd64.build
http://launchpadlibrarian.net/43439621/apache2_2.2.14-5ubuntu7_amd64.build
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
** Also affects: apache2 (Ubuntu Lucid)
Importance: High
Status: Triaged
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
You have written "enable it by default" in the changelog, but AFAICS, you have missed the postinst change that actually enables the module. You may want to merge the NEWS.Debian entry, too.
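The review point above is that shipping mods-available/reqtimeout.load does not by itself enable the module. The check below is an added example, not part of the bug thread or the Ubuntu package; it assumes the Debian/Ubuntu apache2 layout (mods-available/, mods-enabled/), and the function names and sample directive values are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell "module shipped" apart from "module enabled" for
# mod_reqtimeout. Function names and the sample tree are hypothetical.

# Prints one of: missing | available-not-enabled | enabled-no-limits | enabled
reqtimeout_state() {
    root=${1:-/etc/apache2}
    [ -e "$root/mods-available/reqtimeout.load" ] || { echo missing; return 0; }
    # a2enmod enables a module by symlinking its .load file into mods-enabled/;
    # a package that only ships mods-available/ leaves the module inactive.
    [ -e "$root/mods-enabled/reqtimeout.load" ] || { echo available-not-enabled; return 0; }
    # In the 2.2 series the loaded module applies no limit unless an
    # uncommented RequestReadTimeout directive is present in an enabled config.
    if grep -Eqs '^[[:space:]]*RequestReadTimeout[[:space:]]' \
            "$root"/mods-enabled/*.conf "$root/apache2.conf"; then
        echo enabled
    else
        echo enabled-no-limits
    fi
}

# Constructed sample tree standing in for /etc/apache2 (values illustrative).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/mods-available" "$t/mods-enabled"
    echo 'LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so' \
        > "$t/mods-available/reqtimeout.load"
    printf '%s\n' '# RequestReadTimeout header=5' \
        'RequestReadTimeout header=20-40,minrate=500' \
        'RequestReadTimeout body=10,minrate=500' > "$t/mods-available/reqtimeout.conf"
    echo "$t"
}

# Emulates what a2enmod does for one file (load or conf) in the sample tree.
enable_in_tree() {
    ln -s "../mods-available/reqtimeout.$2" "$1/mods-enabled/reqtimeout.$2"
}

tree=$(make_sample_tree)
echo "as shipped:        $(reqtimeout_state "$tree")"
enable_in_tree "$tree" load
echo ".load linked only: $(reqtimeout_state "$tree")"
enable_in_tree "$tree" conf
echo ".load and .conf:   $(reqtimeout_state "$tree")"
rm -rf "$tree"
```

Called with no argument, reqtimeout_state inspects /etc/apache2 on the host it runs on.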
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
Stefan,

Thanks, I'll update my debdiff tonight then.

Regards
chuck
[Bug 392759] Re: [FFE] apache2 DoS attack using slowloris
Updated debdiff

** Attachment added: debdiff
http://launchpadlibrarian.net/43464037/debdiff