Package: apache2.2-common
Version: 2.2.16-6+squeeze7
Severity: normal
Hello,
mod_cache suffered from a regression (from 2.2.12) causing it to cache
"206 partial content" responses, and then serving these partial responses
when replying to normal requests.
This is upstream bug #49113, which has been fixed in apache2's SVN trunk,
but not yet backported to the 2.2.x branch.
Attached is a debdiff which applies upstream patch to Debian's 2.2.16.
Thanks,
Colin
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cache cgi deflate dir disk_cache
env headers info jk mem_cache mime negotiation php5 proxy_http
proxy reqtimeout rewrite setenvif status
List of enabled php5 extensions:
gd mysql mysqli pdo pdo_mysql suhosin
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.16-6+squeeze7 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.16-6+squeeze7 Apache HTTP Server common files
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.16-6+squeeze7 utility programs for webservers
ii apache2.2-bin 2.2.16-6+squeeze7 Apache HTTP Server common binary f
ii libmagic1 5.04-5+squeeze1 File type determination library us
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9 /proc file system utilities
-- no debconf information
diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog
--- apache2-2.2.16/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
+
+ * Apply Apache provided fix for bug #49113 (mod_cache caches partial
+ content)
+
+ -- Colin Leroy <co...@colino.nte> Wed, 02 May 2012 14:18:00 +0200
+
apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
* CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
diff -u apache2-2.2.16/debian/patches/00list apache2-2.2.16/debian/patches/00list
--- apache2-2.2.16/debian/patches/00list
+++ apache2-2.2.16/debian/patches/00list
@@ -42,0 +43 @@
+203_mod_cache-partial-content.dpatch
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/203_mod_cache-partial-content.dpatch
+++ apache2-2.2.16/debian/patches/203_mod_cache-partial-content.dpatch
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 203_mod_cache-partial-content.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix caching of 206 partial content responses. Patch from
+## DP: upstream r933919, fixes upstream bug #49113
+
+--- trunk/modules/cache/mod_cache.c 2009/11/02 23:03:14 832177
++++ trunk/modules/cache/mod_cache.c 2010/04/14 12:00:11 933919
+@@ -734,7 +734,8 @@
+ * We include 304 Not Modified here too as this is the origin server
+ * telling us to serve the cached copy.
+ */
+- if (exps != NULL || cc_out != NULL) {
++ if ((exps != NULL || cc_out != NULL)
++ && r->status != HTTP_PARTIAL_CONTENT) {
+ /* We are also allowed to cache any response given that it has a
+ * valid Expires or Cache Control header. If we find a either of
+ * those here, we pass request through the rest of the tests. From
+@@ -747,6 +748,9 @@
+ * include the following: an Expires header (section 14.21); a
+ * "max-age", "s-maxage", "must-revalidate", "proxy-revalidate",
+ * "public" or "private" cache-control directive (section 14.9).
++ *
++ * But do NOT store 206 responses in any case since we
++ * don't (yet) cache partial responses.
+ */
+ }
+ else {
