Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers

2005-06-29 Thread Moritz Muehlenhoff
Steve Kemp wrote: |Proxy HTTP: If a response contains both Transfer-Encoding |and a Content-Length, remove the Content-Length to eliminate |an HTTP Request Smuggling vulnerability and don't reuse the |connection, stopping some HTTP Request Spoofing attacks. Can I be

Bug#326435: CAN-2005-2728: DoS through overly long Range values passed to the byte-range filter

2005-09-03 Thread Moritz Muehlenhoff
Package: apache2 Severity: important Tags: security CAN-2005-2728 describes a DoS vulnerability through overly long values in the Range field. Please see http://issues.apache.org/bugzilla/show_bug.cgi?id=29962 for a more complete description and a patch. Cheers, Moritz -- System

Apache 1 in Etch

2006-08-20 Thread Moritz Muehlenhoff
Dear Apache maintainers, I suppose that six years after the release of Apache 2 Etch will no longer ship with Apache 1? Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Apache 1 in Etch

2006-08-20 Thread Moritz Muehlenhoff
Matthew Wilcox wrote: Dear Apache maintainers, I suppose that six years after the release of Apache 2 Etch will no longer ship with Apache 1? We discussed that just the other day (which led to the most recent upload). Apache 1.3 still has a use; in particular, some software is still

Re: Apache 1 in Etch

2006-08-27 Thread Moritz Muehlenhoff
Adam Conrad wrote: Moritz Muehlenhoff wrote: It has now, but if it's included in Etch it means that the Security Team has to maintain it until at least June 2009. Historically most of the vulnerabilities in Apache 1 applied to version 2 as well, so it's twice the amount of work and should

Bug#357561: privilege escalation hole

2007-03-01 Thread Moritz Muehlenhoff
Joey Hess wrote: On the third hand, this bug has documented a security hole with exploit in apache for about 2 weeks without any reaction from its maintainers, and was open for many months before that without any reaction from them. If apache isn't being maintained, it might be better to drop

Bug#418266: apache: Should not be included in Lenny

2007-04-08 Thread Moritz Muehlenhoff
Package: apache Severity: serious Apache 1.3 is obsolete and should not be included in Lenny, which would require to support it at least until 2011. Cheers, Moritz -- System Information: Debian Release: 4.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686)

Re: [OSRM] please review apache2 2.0.54-5sarge2

2007-07-18 Thread Moritz Muehlenhoff
On Wed, Jul 18, 2007 at 11:28:39PM +0200, Martin Zobel-Helas wrote: Hi, On Wed Jul 18, 2007 at 23:24:19 +0200, Stefan Fritsch wrote: Hi, please review apache2 2.0.54-5sarge2 for the next sarge point release: apache2 (2.0.54-5sarge2) stable; urgency=low * Fix some less

Passing LDFLAGS to Apache modules for hardened build flags

2012-04-08 Thread Moritz Muehlenhoff
Hi, I'm working on hardened build flags for Squeeze and I'm looking into how to pass hardened build flags to Apache modules. According to the apxs2 manpage the following should work: APACHE_CFLAGS = `dpkg-buildflags --get CFLAGS` APACHE_CFLAGS += `dpkg-buildflags --get CPPFLAGS` APACHE_LDFLAGS

Bug#878920: IncludeOptional should deal gracefully with a missing directory in the specified path

2017-10-17 Thread Moritz Muehlenhoff
Source: apache2 Version: 2.4.25-3+deb9u3 Severity: normal Hi, libapache2-mod-security2 sets a Recommends: on modsecurity-crs and ships a /etc/apache2/mods-enabled/security2.conf with the following directive: - # Include OWASP ModSecurity CRS rules if installed IncludeOptional

Bug#878920: IncludeOptional should deal gracefully with a missing directory in the specified path

2017-10-26 Thread Moritz Muehlenhoff
forwarded 878920 https://bz.apache.org/bugzilla/show_bug.cgi?id=57585 thanks Hi, On Tue, Oct 17, 2017 at 07:27:54PM +0200, Moritz Muehlenhoff wrote: > Creating /usr/share/modsecurity-crs/ fixes it, but that seems like a > misfeature/bug? > Shouldn't it also fail gracefully in the absen

Bug#879708: CVE-2017-12613 CVE-2017-12618

2017-10-24 Thread Moritz Muehlenhoff
Source: apr-util Severity: important Tags: security I'm sure you're aware, but filing for completeness in the BTS anyway: http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E Cheers, Moritz

Bug#879708: CVE-2017-12613 CVE-2017-12618

2017-10-24 Thread Moritz Muehlenhoff
On Tue, Oct 24, 2017 at 10:28:02PM +0200, Moritz Muehlenhoff wrote: > Source: apr-util > Severity: important > Tags: security > > I'm sure you're aware, but filing for completeness in the BTS anyway: > http://mail-archives.apache.org/mod_mbox/a

Bug#881725: apache2: reload fails inside (libvirt) lxc container

2018-04-16 Thread Moritz Muehlenhoff
Stefan Fritsch wrote: > On Monday, 16 April 2018 20:34:00 CEST Matthew Gabeler-Lee wrote: > > On Sat, 14 Apr 2018, Stefan Fritsch wrote: > > > This seems to be a systemd bug. Changing PrivateTmp from true to false in > > > apache2.service fixes the issue. But even with PrivateTmp it works for > >

Bug#881725: apache2: reload fails inside (libvirt) lxc container

2018-04-24 Thread Moritz Muehlenhoff
On Mon, Apr 23, 2018 at 09:48:03PM +0200, Stefan Fritsch wrote: > On Monday, 16 April 2018 21:51:36 CEST Stefan Fritsch wrote: > > So tmpreaper should exclude systemd-private-* files by default. Moritz, do > > you also have some cron job cleaning up stale files in /tmp ? > > tmpreaper needs to

Bug#881725: apache2: reload fails inside (libvirt) lxc container

2018-04-25 Thread Moritz Muehlenhoff
reassign 881725 tmpreaper retitle 881725 tmpreaper breaks systemd services using PrivateTmp=true severity 881725 important tags 881725 patch thanks On Tue, Apr 24, 2018 at 07:17:32PM +0200, Moritz Muehlenhoff wrote: > On Mon, Apr 23, 2018 at 09:48:03PM +0200, Stefan Fritsch wrote: > >

Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556

2022-06-08 Thread Moritz Muehlenhoff
On Wed, Jun 08, 2022 at 07:51:28PM +0200, Yadd wrote: > Hi, > > those CVEs are tagged low/moderate by upstream, why did you tag this bug as > grave ? Anything moderate or above should get fixed by the next Debian release IOW RC severity. Cheers, Moritz

Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522

2023-03-08 Thread Moritz Muehlenhoff
On Wed, Mar 08, 2023 at 07:09:20AM +0400, Yadd wrote: > On 3/7/23 23:46, Salvatore Bonaccorso wrote: > > Source: apache2 > > Version: 2.4.55-1 > > Severity: grave > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > > > > > Hi, > > > > The following

Re: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?

2023-04-20 Thread Moritz Muehlenhoff
Hi Philipp, > lists > "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable. > Are there any plans to back-port the change to that older version, e.g. > - Debian-10-Buster Security > - Debian-9-Stretch ELTS (Freexian) > > If

Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-05 Thread Moritz Muehlenhoff
On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote: > On 4/4/24 22:51, Moritz Mühlenhoff wrote: > > Source: apache2 > > X-Debbugs-CC: t...@security.debian.org > > Severity: grave > > Tags: security > > > > Hi, > > > > The following vulnerabilities were published for apache2. > > > >