Bug#322607: marked as done (SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088))

2005-09-08 Thread Debian Bug Tracking System
Your message dated Wed, 07 Sep 2005 23:02:12 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#322607: fixed in apache 1.3.33-6sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
From: Moritz Muehlenhoff [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: apache2: Security issues in HTTP proxy responses with both 
Transfer-Encoding
 and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security issue in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions.  This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);

|Proxy HTTP: If a response contains both Transfer-Encoding
|and a Content-Length, remove the Content-Length to eliminate
|an HTTP Request Smuggling vulnerability and don't reuse the
|connection, stopping some HTTP Request Spoofing attacks.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date: Wed, 07 Sep 2005 23:02:12 -0700

Source: apache
Source-Version: 1.3.33-6sarge1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to 

Processing of apache_1.3.33-6sarge1_i386.changes

2005-09-08 Thread Archive Administrator
apache_1.3.33-6sarge1_i386.changes uploaded successfully to localhost
along with the files:
  apache_1.3.33-6sarge1.dsc
  apache_1.3.33.orig.tar.gz
  apache_1.3.33-6sarge1.diff.gz
  apache-doc_1.3.33-6sarge1_all.deb
  apache-dev_1.3.33-6sarge1_all.deb
  apache-utils_1.3.33-6sarge1_all.deb
  apache_1.3.33-6sarge1_i386.deb
  apache-ssl_1.3.33-6sarge1_i386.deb
  apache-perl_1.3.33-6sarge1_i386.deb
  apache-dbg_1.3.33-6sarge1_i386.deb
  apache-common_1.3.33-6sarge1_i386.deb
  libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

Greetings,

Your Debian queue daemon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



apache_1.3.33-6sarge1_i386.changes ACCEPTED

2005-09-08 Thread Debian Installer
Mapping stable-security to proposed-updates.
Warning: ignoring apache_1.3.33.orig.tar.gz, since it's already in the archive.

Accepted:
apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-6sarge1_all.deb
apache_1.3.33-6sarge1.diff.gz
  to pool/main/a/apache/apache_1.3.33-6sarge1.diff.gz
apache_1.3.33-6sarge1.dsc
  to pool/main/a/apache/apache_1.3.33-6sarge1.dsc
apache_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache_1.3.33-6sarge1_i386.deb
libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
Announcing to debian-changes@lists.debian.org
Closing bugs: 322607 


Thank you for your contribution to Debian.





apache override disparity

2005-09-08 Thread Debian Installer
There are disparities between your recently accepted upload and the
override file for the following file(s):

libapache-mod-perl_1.29.0.3-6sarge1_i386.deb: package says section is web, 
override says perl.

Either the package or the override file is incorrect.  If you think
the override is correct and the package wrong please fix the package
so that this disparity is fixed in the next upload.  If you feel the
override is incorrect then please reply to this mail and explain why.

[NB: this is an automatically generated mail; if you replied to one
like it before and have not received a response yet, please ignore
this mail.  Your reply needs to be processed by a human and will be in
due course, but until then the installer will send these automated
mails; sorry.]

--
Debian distribution maintenance software

(This message was generated automatically; if you believe that there
is a problem with it please contact the archive administrators by
mailing [EMAIL PROTECTED])





Bug#327235: Client hangs when connecting to Apache server

2005-09-08 Thread wallaby wallaby
Package: apache
Version: 1.3.26-0woody6

Weird one this.
I realise Woody is no longer stable, we plan an upgrade, however this bug is
biting us.

A form submission to Apache will hang it on the sixth submission.

To reproduce, take some html such as:
<html>
<body>

<form action="./formtest.php" method="POST" name="form">
<input type="hidden" name="anything" value="alsoanything">
<input type="submit">
</form>

</body>
</html>

save in a .php script, and load the page.

Click the submit button six times. On the sixth time, your connection will
hang.

Same for perl. Save as a .pl script, wrap it in some print statements, add a
header, and voila - breakage on the sixth click.

I can reproduce this on three servers.


Processing of apache2_2.0.54-5_i386.changes

2005-09-08 Thread Archive Administrator
apache2_2.0.54-5_i386.changes uploaded successfully to localhost
along with the files:
  apache2_2.0.54-5.dsc
  apache2_2.0.54.orig.tar.gz
  apache2_2.0.54-5.diff.gz
  apache2-mpm-threadpool_2.0.54-5_all.deb
  apache2-doc_2.0.54-5_all.deb
  apache2-common_2.0.54-5_i386.deb
  apache2-utils_2.0.54-5_i386.deb
  apache2-mpm-worker_2.0.54-5_i386.deb
  apache2-mpm-perchild_2.0.54-5_i386.deb
  apache2-mpm-prefork_2.0.54-5_i386.deb
  apache2-prefork-dev_2.0.54-5_i386.deb
  apache2-threaded-dev_2.0.54-5_i386.deb
  libapr0_2.0.54-5_i386.deb
  libapr0-dev_2.0.54-5_i386.deb
  apache2_2.0.54-5_i386.deb

Greetings,

Your Debian queue daemon





apache2_2.0.54-5_i386.changes ACCEPTED

2005-09-08 Thread Debian Installer
Mapping stable-security to proposed-updates.
Warning: Propogating upload to unstable
Warning: Propogating upload to testing-proposed-updates
Warning: ignoring apache2_2.0.54.orig.tar.gz, since it's already in the archive.

Accepted:
apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
libapr0-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-5_i386.deb
libapr0_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-5_i386.deb
Announcing to debian-devel-changes@lists.debian.org
Announcing to [EMAIL PROTECTED]
Announcing to debian-changes@lists.debian.org
Closing bugs: 316173 320048 320063 326435 


Thank you for your contribution to Debian.





Bug#326435: marked as done (CAN-2005-2728: DoS through overly long Range values passed to the byte-range filter)

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#326435: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
From: Moritz Muehlenhoff [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: CAN-2005-2728: DoS through overly long Range values passed to the 
byte-range
 filter
X-Mailer: reportbug 3.17
Date: Sat, 03 Sep 2005 11:52:58 +0200

Package: apache2
Severity: important
Tags: security

CAN-2005-2728 describes a DoS vulnerability through overly long values
in the Range field. Please see 
http://issues.apache.org/bugzilla/show_bug.cgi?id=29962
for a more complete description and a patch.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#326435: fixed in apache2 2.0.54-5
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date: Thu, 08 Sep 2005 11:17:06 -0700

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to 

Bug#320063: marked as done (Security: buffer-overrun in apache2-ssl)

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#320063: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Security: buffer-overrun in apache2-ssl
Date: Tue, 26 Jul 2005 20:45:35 +0200


Package: apache2
Version: 2.0.54-4
Severity: critical
Tags: security, fixed-upstream

There is a possible remote-exploitable buffer overrun in the Apache2 ssl 
implementation. A patch is available.

See
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081
and
http://svn.apache.org/viewcvs?rev=189562&view=rev

---
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#320063: fixed in apache2 2.0.54-5
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date: Thu, 08 Sep 2005 11:17:06 -0700

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
libapr0-dev_2.0.54-5_i386.deb
  to 

Bug#316173: marked as done (SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088))

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#316173: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
From: Moritz Muehlenhoff [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: apache2: Security issues in HTTP proxy responses with both 
Transfer-Encoding
 and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security issue in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions.  This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);

|Proxy HTTP: If a response contains both Transfer-Encoding
|and a Content-Length, remove the Content-Length to eliminate
|an HTTP Request Smuggling vulnerability and don't reuse the
|connection, stopping some HTTP Request Spoofing attacks.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#316173: fixed in apache2 2.0.54-5
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date: Thu, 08 Sep 2005 11:17:06 -0700

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to 
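
The proxy rule quoted in the report above (when a response carries both Transfer-Encoding and Content-Length, remove the Content-Length and do not reuse the connection), worked through in Python as an added example that is not part of the original mails or of Apache's code. The function names and the sample response bytes are constructed for illustration.

```python
"""Added illustration of the Transfer-Encoding + Content-Length ambiguity in a
proxied response and of the rule quoted in the bug report. All names and
sample bytes are constructed for this example."""
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Constructed response head: declares Content-Length 5 AND chunked encoding.
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/plain\r\n"
               b"Content-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\n")
# Constructed body: one 11-byte chunk (0xb) followed by the final zero chunk.
SAMPLE_BODY = b"b\r\nhello world\r\n0\r\n\r\n"


def parse_head(head: bytes) -> Tuple[str, List[Header]]:
    """Split a response head into its status line and (name, value) pairs."""
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def chunked_length(stream: bytes) -> int:
    """Bytes a chunked-aware hop consumes, through the final blank line."""
    pos = 0
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)  # ignore extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2          # chunk data plus its trailing CRLF
    while True:                  # skip optional trailers up to the blank line
        eol = stream.index(b"\r\n", pos)
        empty = eol == pos
        pos = eol + 2
        if empty:
            return pos


def framing_views(headers: List[Header], stream: bytes) -> Set[int]:
    """Every body length that some hop could derive from these headers.

    More than one element means two hops can disagree on where the message
    ends, which is the precondition for smuggling on a reused connection.
    """
    views = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "content-length":
            views.add(int(value))
        elif lname == "transfer-encoding" and "chunked" in value.lower():
            views.add(chunked_length(stream))
    return views


def sanitize_proxy_response(headers: List[Header]) -> Tuple[List[Header], bool]:
    """Apply the quoted rule; returns (headers to forward, may_reuse_connection)."""
    names = {name.lower() for name, _ in headers}
    if "transfer-encoding" in names and "content-length" in names:
        kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
        return kept, False       # ambiguous framing: drop CL, retire connection
    return list(headers), True


if __name__ == "__main__":
    _, hdrs = parse_head(SAMPLE_HEAD)
    print("views before:", sorted(framing_views(hdrs, SAMPLE_BODY)))
    cleaned, reuse = sanitize_proxy_response(hdrs)
    print("views after: ", sorted(framing_views(cleaned, SAMPLE_BODY)))
    print("reuse connection:", reuse)
```
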

Bug#320048: marked as done (SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268))

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#320048: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
Content-Type: multipart/mixed; boundary1719839988==
MIME-Version: 1.0
From: Sven Mueller [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: security: Buffer overflow in ssl_engine_kernel.c
X-Mailer: reportbug 3.8
Date: Tue, 26 Jul 2005 19:10:44 +0200

This is a multi-part MIME message sent by reportbug.

--===1719839988==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS


There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.

Upstream bug report at
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081

Upstream patch at
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=179781&view=diff&r1=179781&r2=179780&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

(SVN revision 179781)

patch which can be dropped into the Debian package as
043_fix_buffer_overflow_in_ssl_engine_kernel is attached

-- System Information:
Debian Release: 3.1
  APT prefers stable
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork   2.0.54-4   traditional model for Apache2

-- no debconf information

--===1719839988==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=043_fix_buffer_overflow_in_ssl_engine_kernel

diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej' 
build-tree.orig/apache2/config.layout build-tree/apache2/config.layout
--- build-tree.orig/apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 
12:43:35 179780
+++ build-tree/apache2/modules/ssl/ssl_engine_kernel.c  2005/06/03 12:54:53 
179781
@@ -1408,7 +1408,7 @@
 BIO_printf(bio, , nextUpdate: );
 ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
 
-n = BIO_read(bio, buff, sizeof(buff));
+n = BIO_read(bio, buff, sizeof(buff) - 1);
 buff[n] = '\0';
 
 BIO_free(bio);
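Review bot: `buff[n] = '\0'` on the line after the changed `BIO_read` call still uses the return value as an index without checking it. `BIO_read` returns 0 or a negative value when no data was read, so a failed read would write before the start of `buff`. The `sizeof(buff) - 1` cap fixes the upper bound; consider also clamping with `if (n < 0) n = 0;` before the store.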



--===1719839988==--
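The off-by-one described in this report, as an added example that is not part of the original message or of Apache's code: it computes where `buff[n] = '\0'` would land before and after the change, and shows a read helper that also handles a failed read. `mem_source`, `source_read`, `nul_index`, `read_cstr`, the 16-byte buffer and the sample text are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 16   /* constructed size; the page does not give the real one */

/* Hypothetical stand-in for the BIO in the patch: copies up to `cap` bytes
 * and returns the count, or -1 when no data is available (an assumption). */
struct mem_source { const char *data; size_t len; };

static int source_read(struct mem_source *s, char *out, int cap)
{
    size_t n;
    if (cap <= 0 || s->len == 0)
        return -1;
    n = s->len < (size_t)cap ? s->len : (size_t)cap;
    memcpy(out, s->data, n);
    s->data += n;
    s->len -= n;
    return (int)n;
}

/* Index that `buff[n] = '\0'` would write to for a given read request.
 * The store is not performed, so the pre-patch case can be inspected
 * without corrupting memory. `s` is a copy; the caller's source is kept. */
static int nul_index(struct mem_source s, int request)
{
    char buff[BUFSZ];
    return source_read(&s, buff, request);
}

static int index_in_bounds(int idx) { return idx >= 0 && idx < BUFSZ; }

/* Hardened pattern: reserve one byte for the terminator and treat a
 * non-positive return as an empty string. Returns the string length. */
static size_t read_cstr(struct mem_source *s, char *buf, size_t bufsize)
{
    int n;
    if (bufsize == 0)
        return 0;
    n = source_read(s, buf, (int)(bufsize - 1));
    if (n < 0)
        n = 0;
    buf[n] = '\0';
    return (size_t)n;
}

int main(void)
{
    const char *text = "constructed CRL summary longer than sixteen bytes";
    struct mem_source src = { text, strlen(text) };
    struct mem_source empty = { "", 0 };
    char out[BUFSZ];

    printf("pre-patch  NUL index: %d of %d\n", nul_index(src, BUFSZ), BUFSZ);
    printf("post-patch NUL index: %d of %d\n", nul_index(src, BUFSZ - 1), BUFSZ);
    printf("empty read NUL index: %d\n", nul_index(empty, BUFSZ - 1));
    printf("hardened read: %zu bytes, \"%s\"\n",
           read_cstr(&src, out, sizeof(out)), out);
    return 0;
}
```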


---
Received: (at 320048-close) by bugs.debian.org; 8 Sep 2005 18:21:33 +
From [EMAIL PROTECTED] Thu Sep 08 11:21:33 2005
Return-path: [EMAIL PROTECTED]
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EDQxO-00065e-00; Thu, 08 Sep 2005 11:17:06 -0700
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: 

Bug#320063: marked as done (Security: buffer-overrun in apache2-ssl)

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#320048: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Security: buffer-overrun in apache2-ssl
Date: Tue, 26 Jul 2005 20:45:35 +0200


Package: apache2
Version: 2.0.54-4
Severity:critical
Tags: security, fixed-upstream

There is a possible remote-exploitable buffer overrun in the Apache2 ssl 
implementation. A patch is available.

See
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081
and
http://svn.apache.org/viewcvs?rev=189562&view=rev

---
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#320048: fixed in apache2 2.0.54-5
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date: Thu, 08 Sep 2005 11:17:06 -0700

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
libapr0-dev_2.0.54-5_i386.deb
  to 

Bug#320048: marked as done (SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268))

2005-09-08 Thread Debian Bug Tracking System
Your message dated Thu, 08 Sep 2005 11:17:06 -0700
with message-id [EMAIL PROTECTED]
and subject line Bug#320063: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.


--
From: Sven Mueller [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: security: Buffer overflow in ssl_engine_kernel.c
X-Mailer: reportbug 3.8
Date: Tue, 26 Jul 2005 19:10:44 +0200
Message-Id: [EMAIL PROTECTED]

This is a multi-part MIME message sent by reportbug.

--===1719839988==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS


There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.

Upstream bug report at
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081

Upstream patch at
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=179781&view=diff&r1=179781&r2=179780&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

(SVN revision 179781)

patch which can be dropped into the Debian package as
043_fix_buffer_overflow_in_ssl_engine_kernel is attached

-- System Information:
Debian Release: 3.1
  APT prefers stable
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork   2.0.54-4   traditional model for Apache2

-- no debconf information

--===1719839988==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=043_fix_buffer_overflow_in_ssl_engine_kernel

diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej' 
build-tree.orig/apache2/config.layout build-tree/apache2/config.layout
--- build-tree.orig/apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 
12:43:35 179780
+++ build-tree/apache2/modules/ssl/ssl_engine_kernel.c  2005/06/03 12:54:53 
179781
@@ -1408,7 +1408,7 @@
 BIO_printf(bio, , nextUpdate: );
 ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
 
-n = BIO_read(bio, buff, sizeof(buff));
+n = BIO_read(bio, buff, sizeof(buff) - 1);
 buff[n] = '\0';
 
 BIO_free(bio);
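Review bot: the `diff -ruN` line at the top of this patch names `config.layout`, while the `---`/`+++` headers and the hunk change `modules/ssl/ssl_engine_kernel.c`. Regenerate the patch so the command line matches the file being changed, and add a one-line comment above the `BIO_read` call saying that the `- 1` reserves the byte for the terminating NUL, so the bound is not simplified back later.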



--===1719839988==--


---
Received: (at 320063-close) by bugs.debian.org; 8 Sep 2005 18:22:55 +
From [EMAIL PROTECTED] Thu Sep 08 11:22:55 2005
Return-path: [EMAIL PROTECTED]
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EDQxO-00065g-00; Thu, 08 Sep 2005 11:17:06 -0700
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: 

Bug#327269: apache2 security update breaks ssl+svn

2005-09-08 Thread Andreas Jellinghaus
Package: apache2
Version: 2.0.54-5
Severity: critical

After upgrading 2.0.54-4 to 2.0.54-5 svn+ssl is broken:

subversion client (e.g. checkout):
svn: PROPFIND request failed on '/svn/test'
svn: PROPFIND of '/svn/test': Could not read status line: SSL error: sslv3 
alert unexpected message (https://www.opensc.org)

apache error log:
[Thu Sep 08 20:47:39 2005] [error] Re-negotiation handshake failed: Not 
accepted by client!?

downgrade to 2.0.54-4 and everything is fine again.

debian gnu linux / sarge / kernel 2.6.11.11 vanilla, i386,
apache2 on 80 and 443, ssl with self signed certificate,
accepting a list of self signed certificates, svn repository
needs those for write access only.

more configuration and any detail you need available on request.

Regards, Andreas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Processed: severity of 327269 is grave

2005-09-08 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

 # Automatically generated email from bts, devscripts version 2.9.4
  # regression, but certainly doesn't break the whole system
 severity 327269 grave
Bug#327269: apache2 security update breaks ssl+svn
Severity set to `grave'.


End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#327210: marked as done (apache2: CAN-2005-2700)

2005-09-08 Thread Debian Bug Tracking System
Your message dated Fri, 09 Sep 2005 10:10:22 +1000
with message-id [EMAIL PROTECTED]
and subject line Closing this bug.
has caused the attached Bug report to be marked as done.


--
From: Juergen Kreileder [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: apache2: CAN-2005-2700
Date: Thu, 08 Sep 2005 13:55:56 +0200
Message-ID: [EMAIL PROTECTED]
Organization: Blackdown Java-Linux Team

Package: apache2
Version: 2.0.54-4
Severity: critical
Tags: security, fixed-upstream

See http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

,
| ssl_engine_kernel.c in mod_ssl before 2.8.24, when using
| SSLVerifyClient optional in the global virtual host configuration,
| does not properly enforce SSLVerifyClient require in a per-location
| context, which allows remote attackers to bypass intended access
| restrictions.
`


Juergen

-- 
Juergen Kreileder, Blackdown Java-Linux Team
http://blog.blackdown.de/

---
Message-ID: [EMAIL PROTECTED]
Date: Fri, 09 Sep 2005 10:10:22 +1000
From: Adam Conrad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Closing this bug.

The update has been released, as 2.0.54-5, so closing this bug.

... Adam





Processed: closing 327210

2005-09-08 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

 # Automatically generated email from bts, devscripts version 2.9.7
 close 327210 2.0.54-5
Bug#327210: apache2: CAN-2005-2700
'close' is deprecated; see http://www.debian.org/Bugs/Developer#closing.
Bug marked as fixed in version 2.0.54-5, send any further explanations to 
Juergen Kreileder [EMAIL PROTECTED]


End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#327269: apache2 security update breaks ssl+svn

2005-09-08 Thread Adam Conrad
Andreas Jellinghaus wrote:

> Package: apache2
> Version: 2.0.54-5
> Severity: critical
>
> After upgrading 2.0.54-4 to 2.0.54-5 svn+ssl is broken:
>
> subversion client (e.g. checkout):
> svn: PROPFIND request failed on '/svn/test'
> svn: PROPFIND of '/svn/test': Could not read status line: SSL error: sslv3 
> alert unexpected message (https://www.opensc.org)
>
> apache error log:
> [Thu Sep 08 20:47:39 2005] [error] Re-negotiation handshake failed: Not 
> accepted by client!?
>
> downgrade to 2.0.54-4 and everything is fine again.
>
> debian gnu linux / sarge / kernel 2.6.11.11 vanilla, i386,
> apache2 on 80 and 443, ssl with self signed certificate,
> accepting a list of self signed certificates, svn repository
> needs those for write access only.
>
> more configuration and any detail you need available on request.

I would like a tarball of your /etc/apache2/, if that's not too much
inconvenience.  I suspect a combination of a longstanding subversion bug
and a (mis)configuration of apache2 are biting you, and the recent
apache2 bugfix just exposed the issue.  I need to see how you have your
sites set up to confirm this, though.

... Adam



