Package: libapache2-mod-rpaf
Severity: critical
Tags: security
Version: 0.5-3

Sébastien Bocahu reported to the security team:
> (...) 
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
> 
> I tested three environments, all of them running Debian squeeze with the latest
> Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
> 
> From what I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6
> patch that was applied by Debian exposes Apache to segfaults under specific
> crafted requests.
> 
> The magic request is the following:
>   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
>   reverseproxy
> 
> Apache processes will segfault, hence a potential DOS issue.
> 
> I have taken notes for myself and people I am working with.
> You can find these notes on
> http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial
> 
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).

Please, prepare a minimal patch for stable and contact the security team to 
update the package.

Thanks, luciano
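
An added example, not part of the original report and not mod_rpaf code: the report shows a non-address X-Forwarded-For value reaching the module and does not state the root cause. One defensive check is to use the header only when it parses as an IP literal; the helper name `xff_last_ip` and the choice of the last list entry are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not mod_rpaf code): copy the last comma-separated
 * entry of an X-Forwarded-For value into out if, and only if, it parses as
 * an IPv4 or IPv6 literal. Returns 1 on success, 0 if the caller should
 * keep the connection's real peer address. */
int xff_last_ip(const char *hdr, char *out, size_t outlen)
{
    unsigned char addr[sizeof(struct in6_addr)];
    const char *start, *end;
    char tok[INET6_ADDRSTRLEN];
    size_t len;

    if (hdr == NULL || out == NULL || outlen == 0)
        return 0;

    /* The last entry starts after the final comma, if there is one. */
    start = strrchr(hdr, ',');
    start = start ? start + 1 : hdr;
    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;

    len = (size_t)(end - start);
    if (len == 0 || len >= sizeof(tok) || len >= outlen)
        return 0;               /* empty, or too long to be an address */
    memcpy(tok, start, len);
    tok[len] = '\0';

    /* inet_pton accepts only complete literals: no quotes, no trailing junk. */
    if (inet_pton(AF_INET, tok, addr) != 1 &&
        inet_pton(AF_INET6, tok, addr) != 1)
        return 0;

    memcpy(out, tok, len + 1);
    return 1;
}
```

A caller that gets 0 back leaves the connection's address untouched, so a malformed header never reaches later address-handling code.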
