Re: Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-13 Thread Graham Dumpleton
On 14 January 2015 at 09:10, wrote: > > > > - Original Message - > Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi > From: "Graham Dumpleton" > Date: 1/12/15 11:34 pm > To: "dev@httpd.apache.org" > > > But the damage has

RE: Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-13 Thread wrowe
- Original Message - Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi From: "Graham Dumpleton" Date: 1/12/15 11:34 pm To: "dev@httpd.apache.org" > But the damage has been done for some months on 2.2, and we are noticing > this, now? All dis

Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-13 Thread Graham Dumpleton
If interested, my initial blog post about the issue in relation to mod_wsgi is now posted at: * http://blog.dscpl.com.au/2015/01/important-modwsgi-information-about.html The link to that has also been posted on the mod_wsgi mailing list and Twitter. Graham On 13 January 2015 at 16:34, Graham Du

Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
> But the damage has been done for some months on 2.2, and we are noticing this, now? All distros still shipping Apache 2.2 still are using older mod_wsgi 3.X versions which I don't at this point believe are affected by this issue. People who build stuff from source code themselves would be using

RE: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread wrowe
- Original Message - Subject: Re: CVE-2013-5704 fix breaks mod_wsgi From: "Joe Orton" Date: 1/12/15 11:05 am To: dev@httpd.apache.org On Mon, Jan 12, 2015 at 11:25:53AM -0500, Eric Covener wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > > Eith

RE: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread wrowe
- Original Message - Subject: Re: CVE-2013-5704 fix breaks mod_wsgi From: "Joe Orton" Date: 1/12/15 5:27 am To: "Graham Dumpleton" Cc: "dev@httpd.apache.org" On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote: > 1. Verify that

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Mon, Jan 12, 2015 at 11:25:53AM -0500, Eric Covener wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > > Either way, the fix for CVE-2013-5704 ends up breaking backwards > > compatibility with existing 2.4.x builds of mod_wsgi, which is kind of > > Bad. I don't have a good proposal fo

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Eric Covener
On Mon, Jan 12, 2015 at 11:25 AM, Eric Covener wrote: > Part of that question is probably "who else has figured out how to cope ignore this trailing bit.

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Eric Covener
On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > Either way, the fix for CVE-2013-5704 ends up breaking backwards > compatibility with existing 2.4.x builds of mod_wsgi, which is kind of > Bad. I don't have a good proposal for how to fix or avoid this. Worst > case, we make clear the mod_wsgi

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
BTW. I need to go back and check, but I actually suspect that the crash will only occur in mod_wsgi where mod_wsgi 4.4.0 or later was being used. It was only in 4.4.0 that content started to be passed between the Apache child worker processes and the mod_wsgi daemon process using chunking. The WSG

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
On 12 January 2015 at 22:27, Joe Orton wrote: > On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote: > > 1. Verify that recompiling mod_wsgi is actually sufficient given that my > > direct use of request_rec isn't going to populate the extra fields and > they > > will remain NULL sti

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Sat, Jan 10, 2015 at 07:38:03AM -0500, Jeff Trawick wrote: > On Fri, Jan 9, 2015 at 3:48 PM, Jeff Trawick wrote: > > * Add helper functions to allocate a request_rec, conn_rec, server_rec. > > It doesn't solve all possible problems of course but can drastically reduce > > the frequency of needi

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Joe Orton
On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote: > 1. Verify that recompiling mod_wsgi is actually sufficient given that my > direct use of request_rec isn't going to populate the extra fields and they > will remain NULL still. As trailers shouldn't be expected in context the > req

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-11 Thread Jim Jagielski
I'm ok with any of those, or all. Agreed that some sort of allocator for req and conn_recs makes sense, esp as we look to http2 and the idea of slave conn_recs > On Jan 9, 2015, at 3:48 PM, Jeff Trawick wrote: > > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > Since Jim is talking 2.4.11, I

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-10 Thread Jeff Trawick
On Fri, Jan 9, 2015 at 5:04 PM, Graham Dumpleton wrote: > Thanks for the heads up and I appreciate very much the steps you are > taking to limit possible effects. > > What I will do is the following: > > 1. Verify that recompiling mod_wsgi is actually sufficient given that my > direct use of requ

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-10 Thread Jeff Trawick
On Fri, Jan 9, 2015 at 10:31 PM, Graham Dumpleton wrote: > Okay, I screwed up that analysis a bit. It is APR 1.X to 2.X which is the > issue and I can fix by having: > > #if APR_MAJOR_VERSION < 2 > #include "apr_support.h" > #endif > > The specific code was: > > #if APR_MAJOR_VERSION < 2 >

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-10 Thread Jeff Trawick
On Fri, Jan 9, 2015 at 3:48 PM, Jeff Trawick wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > >> Since Jim is talking 2.4.11, I should report this now. We discovered >> this week in Fedora: mod_wsgi does some interesting things in daemon >> mode, notably that it allocates a request_r

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
Okay, I screwed up that analysis a bit. It is APR 1.X to 2.X which is the issue and I can fix by having: #if APR_MAJOR_VERSION < 2 #include "apr_support.h" #endif The specific code was: #if APR_MAJOR_VERSION < 2 rv = apr_wait_for_io_or_timeout(NULL, sock, 0); #else rv = apr_socke

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
FWIW, there is potentially another issue for mod_wsgi coming up as well. Seems that I was using an APR function which was tagged as internal and in trunk of APR the header file that function is defined in is no longer installed, or at least when within srclib of httpd, thus mod_wsgi will no longer

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Eric Covener
mod_ftpd too I believe

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
Thanks for the heads up and I appreciate very much the steps you are taking to limit possible effects. What I will do is the following: 1. Verify that recompiling mod_wsgi is actually sufficient given that my direct use of request_rec isn't going to populate the extra fields and they will remain

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Ruediger Pluem
On 01/09/2015 09:48 PM, Jeff Trawick wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton > wrote: > > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Ruediger Pluem
On 01/09/2015 09:23 PM, Joe Orton wrote: > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably that it allocates a request_rec internally which ends up > getting used by httpd. > > Reason

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Jeff Trawick
On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably that it allocates a request_rec internally which ends up > getting used by httpd. > > Rea

CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Joe Orton
Since Jim is talking 2.4.11, I should report this now. We discovered this week in Fedora: mod_wsgi does some interesting things in daemon mode, notably that it allocates a request_rec internally which ends up getting used by httpd. Reason is, the fix for CVE-2013-5704 extends the request_rec: