Bug#722333: Update for #722333

2014-01-07 Thread Bastian Blank
Hi Stefan

Could you please provide an updated package for oldstable and stable via
oldstable-proposed-updates and proposed-updates.  This problem will not
be fixed via -security.

Bastian

-- 
Bastian Blank                              Durchwahl: +49 21 61 / 46 43 -194
credativ GmbH, HRB Mönchengladbach 12080   Zentrale:  +49 21 61 / 46 43 0
Hohenzollernstr. 133                       Fax:       +49 21 61 / 46 43 -100
D-41061 Mönchengladbach                    www:       http://www.credativ.de
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer


-- 
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140107082638.ga3...@lacehammer.credativ.lan



Bug#734446: pu: package apache2/2.2.16-6+squeeze11a - CVE-2013-1862

2014-01-07 Thread Bastian Blank
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

CVE-2013-1862 is a low impact security bug. It should be fixed via pu.
Apache maintainers: Do you want to handle this yourself?

Bastian

diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog 2013-03-04 22:21:05.0 +0100
+++ apache2-2.2.22/debian/changelog 2014-01-07 10:57:50.0 +0100
@@ -1,3 +1,11 @@
+apache2 (2.2.22-13.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Properly escape data written to rewrite log.
+CVE-2013-1862
+
+ -- Bastian Blank bastian.bl...@credativ.de  Tue, 07 Jan 2014 09:57:36 +
+
 apache2 (2.2.22-13) unstable; urgency=medium
 
   [ Stefan Fritsch ]
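Review bot: the distribution field of the new stanza is still UNRELEASED; a proposed-updates upload has to name the stable suite the pu request targets, and the version 2.2.22-13.1 in this stanza does not match the apache2/2.2.16-6+squeeze11a version in the bug title, so one of the two needs correcting before the upload. The entry also only carries the CVE id; add a Closes: line for the Debian bug that tracks CVE-2013-1862 so the BTS gets closed by the upload.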
diff -Nru apache2-2.2.22/debian/patches/CVE-2013-1862.patch 
apache2-2.2.22/debian/patches/CVE-2013-1862.patch
--- apache2-2.2.22/debian/patches/CVE-2013-1862.patch   1970-01-01 
01:00:00.0 +0100
+++ apache2-2.2.22/debian/patches/CVE-2013-1862.patch   2014-01-07 
10:56:59.0 +0100
@@ -0,0 +1,33 @@
+Description:
+ mod_rewrite: Ensure that client data written to the RewriteLog is
+ escaped to prevent terminal escape sequences from entering the
+ log file.  [Joe Orton]
+Origin: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
+Id: CVE-2013-1862
+--- a(/odules/mappers/mod_rewrite.c(revision 1469310)
 b/modules/mappers/mod_rewrite.c(working copy)
+@@ -500,11 +500,11 @@
+ 
+ logline = apr_psprintf(r-pool, %s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] 

+ (%d) %s%s%s%s APR_EOL_STR,
+-   rhost ? rhost : UNKNOWN-HOST,
+-   rname ? rname : -,
+-   r-user ? (*r-user ? r-user : \\) : -,
++   rhost ? ap_escape_logitem(r-pool, rhost) : 
UNKNOWN-HOST,
++   rname ? ap_escape_logitem(r-pool, rname) : -,
++   r-user ? (*r-user ? ap_escape_logitem(r-pool, 
r-user) : \\) : -,
+current_logtime(r),
+-   ap_get_server_name(r),
++   ap_escape_logitem(r-pool, ap_get_server_name(r)),
+(void *)(r-server),
+(void *)r,
+r-main ? subreq : initial,
+@@ -514,7 +514,7 @@
+perdir ? [perdir  : ,
+perdir ? perdir : ,
+perdir ? ] : ,
+-   text);
++   ap_escape_logitem(r-pool, text));
+ 
+ nbytes = strlen(logline);
+ apr_file_write(conf-rewritelogfp, logline, nbytes);
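Review bot: the two file-header lines of the new patch file (line 7, which reads `a(/odules/mappers/mod_rewrite.c` in this copy, and line 8, `b/modules/mappers/mod_rewrite.c`, shown without its `+++`) look damaged; if that is the committed content rather than mail wrapping, quilt will refuse the patch, so verify the file with `quilt push` before upload. Two header points: `Id:` is not a DEP-3 field, so carry the CVE in a `Bug:` line and add `Last-Update:` next to the existing `Origin:`; and the hunk offsets (@@ -500,11 +500,11 @@, @@ -514,7 +514,7 @@) come from an upstream trunk checkout at revision 1469310, so refresh the patch against 2.2.22 to avoid fuzz. On the substance, wrapping rhost, rname, r->user, ap_get_server_name(r) and text in ap_escape_logitem() covers every request-influenced item in the logline; `perdir` is left unescaped, which is fine since it comes from the directory configuration rather than the client, but that exclusion deserves a sentence in the Description.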
diff -Nru apache2-2.2.22/debian/patches/series 
apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series2013-03-04 22:00:37.0 
+0100
+++ apache2-2.2.22/debian/patches/series2014-01-07 10:57:11.0 
+0100
@@ -35,3 +35,4 @@
 disable-ssl-compression.patch
 CVE-2012-3499_CVE-2012-4558_XSS.patch
 mod_log_forensic_693292.patch
+CVE-2013-1862.patch
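Review bot: CVE-2013-1862.patch is appended last in series, after mod_log_forensic_693292.patch, which is the right place for an NMU; since the hunks were taken from upstream trunk rather than the 2.2.22 tree, run `quilt push -a` and a build to confirm it applies on top of the existing patches without fuzz.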

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Archive: 
http://lists.debian.org/20140107102125.7302.75499.report...@lacehammer.credativ.lan
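As an added example (not Apache or Debian code, and not part of the mail above): a self-contained C routine doing the job the patch delegates to ap_escape_logitem(), so the effect on a hostile RewriteLog item can be seen end to end. The escaping rules are this example's own assumption (printable ASCII unchanged, backslash and double quote backslash-escaped, C escapes for \b \n \r \t \v, everything else as \xHH); Apache's ap_escape_logitem() in server/util.c is the reference and its exact table may differ. The hostile hostname is constructed.

```c
/* Added example, not Apache's code: escape request-controlled data before it
 * reaches a log file, in the spirit of the ap_escape_logitem() calls the
 * CVE-2013-1862 patch adds to mod_rewrite's RewriteLog writer.
 * Escaping rules (this example's own assumption, not Apache's exact table):
 *   printable ASCII          -> unchanged
 *   backslash, double quote  -> \\ and \"
 *   \b \n \r \t \v           -> the C escapes
 *   anything else            -> \xHH (this is what catches ESC, 0x1b) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd escaped copy of s (caller frees), or NULL on OOM. */
char *escape_logitem(const char *s)
{
    size_t len = strlen(s);
    /* worst case: every byte expands to \xHH, four bytes */
    char *out = malloc(len * 4 + 1);
    if (!out)
        return NULL;
    char *d = out;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        unsigned char c = *p;
        switch (c) {
        case '\b': *d++ = '\\'; *d++ = 'b';  continue;
        case '\n': *d++ = '\\'; *d++ = 'n';  continue;
        case '\r': *d++ = '\\'; *d++ = 'r';  continue;
        case '\t': *d++ = '\\'; *d++ = 't';  continue;
        case '\v': *d++ = '\\'; *d++ = 'v';  continue;
        case '\\': *d++ = '\\'; *d++ = '\\'; continue;
        case '"':  *d++ = '\\'; *d++ = '"';  continue;
        default:   break;
        }
        if (c >= 0x20 && c < 0x7f) {
            *d++ = (char)c;                   /* printable ASCII: as is */
        } else {
            /* ESC, other controls, DEL and 8-bit bytes: hex escape */
            d += sprintf(d, "\\x%02x", (unsigned)c);
        }
    }
    *d = '\0';
    return out;
}

/* 1 if s still contains a raw ESC byte, i.e. a terminal would interpret it. */
int contains_raw_esc(const char *s)
{
    return strchr(s, 0x1b) != NULL;
}

int main(void)
{
    /* Constructed sample: a "hostname" an attacker could plant via reverse
     * DNS or a Host header, carrying clear-screen and colour sequences plus
     * a CRLF that would forge a second log line. */
    const char *hostile = "evil.example\x1b[2J\x1b[31m\r\nFAKE LINE";
    char *safe = escape_logitem(hostile);
    if (!safe)
        return 1;
    /* Only the escaped form is printed; the raw one would act on your terminal. */
    printf("escaped: %s\n", safe);
    printf("raw still dangerous: %d, escaped dangerous: %d\n",
           contains_raw_esc(hostile), contains_raw_esc(safe));
    free(safe);
    return 0;
}
```

Compile with `cc -o escape escape.c` and run it; the escaped line can be safely viewed with `cat` or `tail -f`, whereas the raw item would clear the screen and inject a forged log line, which is exactly the exposure the patch closes.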



Bug#734447: opu: package apache2/2.2.16-6+squeeze11 - CVE-2013-1862

2014-01-07 Thread Bastian Blank
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: opu

CVE-2013-1862 is a low impact security bug. It should be fixed via opu.
Apache maintainers: Do you want to handle this yourself?

Bastian

diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog
--- apache2-2.2.16/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.2.16-6+squeeze11.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Properly escape data written to rewrite log.
+CVE-2013-1862
+
+ -- Bastian Blank bastian.bl...@credativ.de  Tue, 07 Jan 2014 09:48:07 +
+
 apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high
 
   * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
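Review bot: UNRELEASED has to become the oldstable suite the opu request targets before upload, as with the stable counterpart. The version 2.2.16-6+squeeze11.1 follows on correctly from the squeeze11 security stanza directly below, which is also the version the bug title names, so title and diff agree here; as in the pu stanza, add a Closes: line for the Debian bug tracking CVE-2013-1862 alongside the CVE id.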
diff -u apache2-2.2.16/debian/patches/00list 
apache2-2.2.16/debian/patches/00list
--- apache2-2.2.16/debian/patches/00list
+++ apache2-2.2.16/debian/patches/00list
@@ -48,0 +49 @@
+303_CVE-2013-1862.dpatch
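Review bot: 303_CVE-2013-1862.dpatch is added as line 49, the end of 00list; dpatch applies in list order, so confirm with `dpatch apply-all` (or a build) that the mod_rewrite.c hunks in the new dpatch still match once the earlier 3xx patches have been applied.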
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/303_CVE-2013-1862.dpatch
+++ apache2-2.2.16/debian/patches/303_CVE-2013-1862.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## DP: *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+## DP:mod_rewrite: Ensure that client data written to the RewriteLog is
+## DP:escaped to prevent terminal escape sequences from entering the
+## DP:log file.  [Joe Orton]
+@DPATCH@
+--- a/modules/mappers/mod_rewrite.c(revision 1469310)
 b/modules/mappers/mod_rewrite.c(working copy)
+@@ -500,11 +500,11 @@
+ 
+ logline = apr_psprintf(r-pool, %s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] 

+ (%d) %s%s%s%s APR_EOL_STR,
+-   rhost ? rhost : UNKNOWN-HOST,
+-   rname ? rname : -,
+-   r-user ? (*r-user ? r-user : \\) : -,
++   rhost ? ap_escape_logitem(r-pool, rhost) : 
UNKNOWN-HOST,
++   rname ? ap_escape_logitem(r-pool, rname) : -,
++   r-user ? (*r-user ? ap_escape_logitem(r-pool, 
r-user) : \\) : -,
+current_logtime(r),
+-   ap_get_server_name(r),
++   ap_escape_logitem(r-pool, ap_get_server_name(r)),
+(void *)(r-server),
+(void *)r,
+r-main ? subreq : initial,
+@@ -514,7 +514,7 @@
+perdir ? [perdir  : ,
+perdir ? perdir : ,
+perdir ? ] : ,
+-   text);
++   ap_escape_logitem(r-pool, text));
+ 
+ nbytes = strlen(logline);
+ apr_file_write(conf-rewritelogfp, logline, nbytes);
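Review bot: the DP header of the new dpatch drops the Origin URL that the quilt variant of this same patch carries (http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch); add it as a `## DP:` line so the squeeze package records the provenance too. The continuation lines (`## DP:mod_rewrite:`, `## DP:escaped`, `## DP:log file.`) lack the space after the colon that the first DP line has, and dpatch echoes those lines verbatim. The `a/` and `b/` prefixes match dpatch-run's default -p1, but as in the pu patch the `+++ b/modules/mappers/mod_rewrite.c` header appears here without its `+++`, so check the committed file before upload.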

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Archive: 
http://lists.debian.org/20140107102241.7529.91210.report...@lacehammer.credativ.lan



Bug#573163: apache2.2-common - mod_proxy_http reports stray timeouts

2010-03-10 Thread Bastian Blank
On Tue, Mar 09, 2010 at 08:28:44PM +0100, Stefan Fritsch wrote:
> On Tuesday 09 March 2010, Bastian Blank wrote:
> > The timeout is reported less than 30 seconds after the start, which
> > is much below the configured timeout.
> Please try if disabling mod_reqtimeout fixes the problem.

Yep, I did not see any of the mentioned errors anymore.

I found the following in a trace with mod_reqtimeout enabled:
| read(15, "GET / HTTP/1.1\r\nHost: example.com:8080\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20091216 Iceweasel/3.5.8 (like Firefox/3.5.8)\r\nAccept: "..., 8000) = X
| gettimeofday({1268142128, 550919}, NULL) = 0
| gettimeofday({1268142128, 551011}, NULL) = 0
| gettimeofday({1268142128, 551124}, NULL) = 0
| gettimeofday({1268142128, 551213}, NULL) = 0
| gettimeofday({1268142128, 551300}, NULL) = 0
| gettimeofday({1268142128, 551387}, NULL) = 0
| gettimeofday({1268142128, 551474}, NULL) = 0
| gettimeofday({1268142128, 551561}, NULL) = 0
| gettimeofday({1268142128, 551648}, NULL) = 0
| gettimeofday({1268142128, 551734}, NULL) = 0
| gettimeofday({1268142128, 551821}, NULL) = 0
| gettimeofday({1268142128, 551907}, NULL) = 0
| gettimeofday({1268142128, 552122}, NULL) = 0
| poll([{fd=18, events=POLLIN}], 1, 0) = 0 (Timeout)
| writev(18, [{"GET / HTTP/1.1\r\n", 188}, {"Host: localhost:2120\r\n", 45}, {"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20091216 Iceweasel/3.5.8 (like Firefox/3.5.8)\r\n", 117}, {"Accept: */*\r\n", 13}, {"Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n", 54}, {"Accept-Encoding: gzip,deflate\r\n", 31}, {"Via: 1.1 example.com:8080\r\n", 44}, {"X-Forwarded-For: 0.1.2.3\r\n", 32}, {"X-Forwarded-Host: example.com:8080\r\n", 53}, {"X-Forwarded-Server: examle.com\r\n", 50}, {"Connection: Keep-Alive\r\n", 24}, {"\r\n", 2}], 15) = X
| gettimeofday({1268142128, 552791}, NULL) = 0
| gettimeofday({1268142128, 552943}, NULL) = 0
| write(2, "[Tue Mar 09 14:42:08 2010] [error] [client 0.1.2.3] (70007)The timeout specified has expired: proxy: error reading status line from remote server localhost, referer: http://example.com\n", 250) = 250
| gettimeofday({1268142128, 553416}, NULL) = 0
| write(2, "[Tue Mar 09 14:42:08 2010] [error] [client 0.1.2.3] proxy: Error reading from remote server returned by /, referer: http://example.com\n", 245) = 245
| close(18)

It checks for POLLIN (aka for readable things) before writing the
request, which makes no sense at all.

Oh, and the timeout error should include the port, otherwise it is
impossible to distinguish two backends on the same ip.

Bastian

-- 
The sight of death frightens them [Earthers].
-- Kras the Klingon, Friday's Child, stardate 3497.2



Archive: http://lists.debian.org/20100310075715.gb4...@wavehammer.waldi.eu.org
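An added example, not Apache's code and not part of the message above, showing what the zero-timeout POLLIN probe visible in the trace (poll([{fd=18, events=POLLIN}], 1, 0)) can tell a proxy about a pooled backend connection and what it cannot. A socketpair() stands in for the backend connection, and the bytes the stand-in backend writes are constructed. Whether mod_proxy should run such a probe at that point of the request is the question the message raises; the code only shows what each result means.

```c
/* Added example, not Apache's code: the three answers a non-blocking POLLIN
 * probe on a kept-alive backend socket can give, and how to tell them apart.
 * A socketpair() replaces the real backend connection (assumption). */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_state {
    PROBE_ERROR = -1,
    PROBE_IDLE = 0,          /* poll() timed out: nothing to read, peer still there */
    PROBE_DATA_PENDING = 1,  /* peer already sent bytes we have not read */
    PROBE_PEER_CLOSED = 2    /* readable, but a peek returns EOF: peer hung up */
};

enum probe_state probe_backend(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, 0);               /* timeout 0: never blocks */
    if (rc < 0)
        return PROBE_ERROR;
    if (rc == 0)
        return PROBE_IDLE;                 /* the "= 0 (Timeout)" in the trace */
    if (p.revents & (POLLERR | POLLNVAL))
        return PROBE_ERROR;
    /* Readable: distinguish "data waiting" from "peer closed" without
     * consuming anything; poll() said readable, so this does not block. */
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK);
    if (n == 0)
        return PROBE_PEER_CLOSED;
    if (n < 0)
        return PROBE_ERROR;
    return PROBE_DATA_PENDING;
}

/* Walks one socket through idle -> data pending -> peer closed and records
 * the probe result for each state in out[0..2]. Returns 0 on success. */
int probe_sequence(enum probe_state out[3])
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    out[0] = probe_backend(sv[0]);         /* healthy idle keep-alive socket */

    /* Constructed sample: stray bytes left on the connection by the backend,
     * which would be misread as the reply to the next request. */
    const char *stray = "HTTP/1.1 100 Continue\r\n\r\n";
    if (write(sv[1], stray, strlen(stray)) != (ssize_t)strlen(stray))
        return -1;
    out[1] = probe_backend(sv[0]);

    char drain[128];
    if (read(sv[0], drain, sizeof drain) <= 0)
        return -1;
    close(sv[1]);                          /* backend goes away */
    out[2] = probe_backend(sv[0]);
    close(sv[0]);
    return 0;
}

/* 1 if the walk above yields IDLE, DATA_PENDING, PEER_CLOSED in that order. */
int probe_sequence_is_expected(void)
{
    enum probe_state s[3];
    if (probe_sequence(s) != 0)
        return 0;
    return s[0] == PROBE_IDLE && s[1] == PROBE_DATA_PENDING
        && s[2] == PROBE_PEER_CLOSED;
}

int main(void)
{
    enum probe_state s[3];
    if (probe_sequence(s) != 0) {
        perror("probe_sequence");
        return 1;
    }
    printf("idle=%d data_pending=%d peer_closed=%d\n", s[0], s[1], s[2]);
    return 0;
}
```

The point for reading the trace: a result of 0 from that poll() is the normal state of a healthy idle connection, so the probe by itself cannot explain the 70007 timeout that is logged a millisecond later; only a readable socket that peeks EOF identifies a backend that has already gone away.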



Bug#573163: apache2.2-common - mod_proxy_http reports stray timeouts

2010-03-09 Thread Bastian Blank
Package: apache2.2-common
Version: 2.2.15-1
Severity: important

I'm playing with mod_proxy (and mod_cache) in front of some Zope
servers.

Config is mostly unchanged. Virtual host config:
| <VirtualHost *:8080>
|   ServerName http://example.com:8080/
|   UseCanonicalName On
| 
|   <Proxy *>
|     Order deny,allow
|     Allow from all
|   </Proxy>
| 
|   ProxyPass / http://localhost:2120/VirtualHostBase/http/example.com:8080/root/VirtualHostRoot/ max=3
| </VirtualHost>

Especially the timeouts are unchanged:
| Timeout 300

However it starts to report timeouts shortly after the server start.

| [Tue Mar 09 14:24:03 2010] [notice] caught SIGTERM, shutting down
| [Tue Mar 09 14:24:05 2010] [notice] Apache/2.2.15 (Debian) configured -- 
resuming normal operations
| [Tue Mar 09 14:24:29 2010] [error] [client 0.1.2.3] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
localhost, referer: http://example.com:8080/fakultaet
| [Tue Mar 09 14:24:29 2010] [error] [client 0.1.2.3] proxy: Error reading from 
remote server returned by /fakultaet/test.jpg, referer: 
http://example.com:8080/fakultaet

The timeout is reported less than 30 seconds after the start, which is
much below the configured timeout.

Bastian

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cache cgid deflate dir disk_cache
  env mime negotiation proxy proxy_balancer proxy_http reqtimeout
  setenvif status userdir

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker2.2.15-1   Apache HTTP Server - high speed th
ii  apache2.2-common  2.2.15-1   Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils 2.2.15-1   utility programs for webservers
ii  apache2.2-bin 2.2.15-1   Apache HTTP Server common binary f
ii  libmagic1 5.04-1 File type determination library us
ii  lsb-base  3.2-23 Linux Standard Base 3.2 init scrip
ii  mime-support  3.48-1 MIME files 'mime.types'  'mailcap
ii  perl  5.10.1-11  Larry Wall's Practical Extraction
ii  procps1:3.2.8-8  /proc file system utilities

-- no debconf information
-- 
You can't evaluate a man by logic alone.
-- McCoy, I, Mudd, stardate 4513.3



Archive: http://lists.debian.org/20100309133638.ga13...@wavehammer.waldi.eu.org



Bug#344517: apache2-common - mod_deflate overwrite Vary-header

2005-12-23 Thread Bastian Blank
Package: apache2-common
Version: 2.0.55-3
Severity: important

mod_deflate overwrites the Vary header. This breaks proxying of these
responses if they already had this header set to a different value.

Bastian

-- 
Bones: The man's DEAD, Jim!





Bug#285219: apache2-common - please split htpasswd2 into extra package

2004-12-11 Thread Bastian Blank
Package: apache2-common
Version: 2.0.52-3
Severity: wishlist

Please split htpasswd2 and htdigest2 into an extra package. They are
useful on machines without a complete apache.

Bastian

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, Day of the Dove, stardate unknown




Bug#283800: apache-mpm-worker

2004-12-01 Thread Bastian Blank
Package: apache2-mpm-worker
Version: 2.0.52-3
Severity: grave

apache fails with "Invalid argument: apr_proc_mutex_unlock failed" while
doing a graceful restart. This seems to be the same problem as
described in #231147.

Adding AcceptMutex fcntl into the worker module section fixes the
problem.

Bastian

-- 
It is a human characteristic to love little animals, especially if
they're attractive in some way.
-- McCoy, The Trouble with Tribbles, stardate 4525.6




Bug#231726: apache2-common - fails to install: problems making Certificate Request

2004-02-08 Thread Bastian Blank
Package: apache2-common
Version: 2.0.48-7
Severity: important

apache2-common fails to install:

 Setting up apache2-common (2.0.48-7) ...
 (No info could be read for -p: geteuid()=0 but you should be root.)
 Setting Apache2 to Listen on port 80. If this is not desired, please edit 
 /etc/apache2/ports.conf as desired. Note that the Port directive no longer 
 works.
 Configuring
 
 
 The name of the company or organisation the certificate is for. 
 (organisationName)
 
 :-! Organisation Name
 
 
 The host name of the server the certificate is for. This must be filled in. 
 (commonName)
 
 :-! Host Name
 
 
 Generating a 1024 bit RSA private key
 .
 ..++
 ..
 ..++
 writing new private key to '/etc/apache2/ssl/apache.pem'
 -
 problems making Certificate Request
 7766:error:0D07A098:asn1 encoding routines:ASN1_mbstring_copy:string too 
 short:a_mbstr.c:147:minsize=1
 dpkg: error processing apache2-common (--configure):
  subprocess post-installation script returned error exit status 1

Bastian

-- 
Leave bigotry in your quarters; there's no room for it on the bridge.
-- Kirk, Balance of Terror, stardate 1709.2




Bug#230165: libapr0 - libaprutil doesn't link against libdb4.2

2004-01-28 Thread Bastian Blank
Package: libapr0
Version: 2.0.48-5
Severity: serious

libaprutil.so.0 uses libdb4.2 but doesn't link against it.

Bastian

-- 
Deflector shields just came on, Captain.

