apache2_2.2.3-4+etch3_i386.changes ACCEPTED

2007-09-22 Thread Debian Installer

Accepted:
apache2-doc_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch3_all.deb
apache2-mpm-event_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch3_i386.deb
apache2-mpm-perchild_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch3_all.deb
apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
apache2-mpm-worker_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch3_i386.deb
apache2-prefork-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch3_i386.deb
apache2-src_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch3_all.deb
apache2-threaded-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch3_i386.deb
apache2-utils_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch3_i386.deb
apache2.2-common_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch3_i386.deb
apache2_2.2.3-4+etch3.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.diff.gz
apache2_2.2.3-4+etch3.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.dsc
apache2_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch3_all.deb


Override entries for your package:
apache2-doc_2.2.3-4+etch3_all.deb - optional doc
apache2-mpm-event_2.2.3-4+etch3_i386.deb - optional web
apache2-mpm-perchild_2.2.3-4+etch3_all.deb - optional web
apache2-mpm-prefork_2.2.3-4+etch3_i386.deb - optional web
apache2-mpm-worker_2.2.3-4+etch3_i386.deb - optional web
apache2-prefork-dev_2.2.3-4+etch3_i386.deb - optional devel
apache2-src_2.2.3-4+etch3_all.deb - extra devel
apache2-threaded-dev_2.2.3-4+etch3_i386.deb - optional devel
apache2-utils_2.2.3-4+etch3_i386.deb - optional web
apache2.2-common_2.2.3-4+etch3_i386.deb - optional web
apache2_2.2.3-4+etch3.dsc - optional web
apache2_2.2.3-4+etch3_all.deb - optional web

Announcing to [EMAIL PROTECTED]
Closing bugs: 441845 443196 


Thank you for your contribution to Debian.





Bug#441845: marked as done (CVE-2007-3847: apache2 denial of service vulnerability (for threaded MPMs) in mod_proxy)

2007-09-22 Thread Debian Bug Tracking System
Your message dated Sat, 22 Sep 2007 19:56:18 +
with message-id [EMAIL PROTECTED]
and subject line Bug#441845: fixed in apache2 2.2.3-4+etch3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---BeginMessage---

Package: apache2
Severity: critical
Justification: root security hole
Tags: security

*** Please type your report below this line ***

A security hole has been disclosed on the Apache web site.
http://httpd.apache.org/security/vulnerabilities_22.html

Although it is disclosed as a denial of service, it seems
to involve a buffer overflow, and thus allow remote code
execution under the apache account. I can confirm, from
attacks in systems of a customer, that this is actually the case.

As I have not seen any security upgrade from 4th of september,
date of the disclosure, I request this issue to be fixed.


Ramon Garcia
Systems Administrator
[EMAIL PROTECTED]
http://www.kotasoft.com

-- System Information:
Debian Release: 4.0
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-vserver-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)



---End Message---
---BeginMessage---
Source: apache2
Source-Version: 2.2.3-4+etch3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch3_all.deb
apache2-mpm-event_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch3_i386.deb
apache2-mpm-perchild_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch3_all.deb
apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
apache2-mpm-worker_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch3_i386.deb
apache2-prefork-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch3_i386.deb
apache2-src_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch3_all.deb
apache2-threaded-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch3_i386.deb
apache2-utils_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch3_i386.deb
apache2.2-common_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch3_i386.deb
apache2_2.2.3-4+etch3.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.diff.gz
apache2_2.2.3-4+etch3.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.dsc
apache2_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch [EMAIL PROTECTED] (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Sep 2007 11:33:58 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork 
apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src 
apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch3
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch [EMAIL PROTECTED]
Description: 
 apache2 - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 441845 443196
Changes: 
 apache2 (2.2.3-4+etch3) stable; urgency=low
 .
   * fix CVE-2007-3847: DoS in mod_proxy (for threaded MPMs)
   

Bug#443196: marked as done (apache2-mpm-worker: reload after altering apache2.conf immediately eats all memory)

2007-09-22 Thread Debian Bug Tracking System
Your message dated Sat, 22 Sep 2007 19:56:18 +
with message-id [EMAIL PROTECTED]
and subject line Bug#443196: fixed in apache2 2.2.3-4+etch3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---BeginMessage---
Package: apache2-mpm-worker
Version: 2.2.3-4+etch1
Severity: critical
Justification: breaks the whole system


Start with a simple apache2.conf containing two vhosts:

Listen 192.168.1.1:80
<VirtualHost 192.168.1.1:80>
  ServerName my.server
  DocumentRoot /var/www
</VirtualHost>

Listen 192.168.1.2:80
<VirtualHost 192.168.1.2:80>
  ServerName my.server
  DocumentRoot /var/www
</VirtualHost>

With Apache running, edit apache2.conf to remove the first vhost (i.e.
comment out the first Listen+VirtualHost section) and reload Apache
(SIGUSR1). It then consumes all memory, making the system unusable
until the process is killed.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)


---End Message---
---BeginMessage---
Source: apache2
Source-Version: 2.2.3-4+etch3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch3_all.deb
apache2-mpm-event_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch3_i386.deb
apache2-mpm-perchild_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch3_all.deb
apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch3_i386.deb
apache2-mpm-worker_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch3_i386.deb
apache2-prefork-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch3_i386.deb
apache2-src_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch3_all.deb
apache2-threaded-dev_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch3_i386.deb
apache2-utils_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch3_i386.deb
apache2.2-common_2.2.3-4+etch3_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch3_i386.deb
apache2_2.2.3-4+etch3.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.diff.gz
apache2_2.2.3-4+etch3.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch3.dsc
apache2_2.2.3-4+etch3_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch [EMAIL PROTECTED] (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Sep 2007 11:33:58 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork 
apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src 
apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch3
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch [EMAIL PROTECTED]
Description: 
 apache2 - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 441845 443196
Changes: 
 apache2 (2.2.3-4+etch3) stable; urgency=low
 .
   * fix CVE-2007-3847: DoS in mod_proxy (for threaded MPMs)
 (Closes: #441845)
   * Don't eat all memory on