On Sat, May 26, 2018 at 02:29:34PM -0400, Roberto C. Sánchez wrote:
> On Sat, May 26, 2018 at 02:27:18PM -0400, Roberto C. Sánchez wrote:
> > Hello,
> >
> > I have prepared a new apache2 package (version 2.2.22-13+deb7u13) to
> > address CVE-2017-15710, CVE-2018-1301, and CVE-2018-1312. The patch for
> > CVE-2018-1312 did not apply cleanly, required backporting an additional
> > commit from the Apache history, as well as adjusting the function calls
> > for logging and managing pool data.
> >
> > As I do not use digest authentication, I thought it prudent to give
> > others the opportunity to test these packages before I upload them.
> > Unless I hear a negative report, I intend to upload on Tuesday or
> > Wednesday.
> >
> The packages are available here: https://people.debian.org/~roberto/
>

Hi all,
I have been able to resolve the problem which Thorsten identified, which caused apache to fail to start with the backported patch for CVE-2018-1312.

After some additional digging, I concluded that the specific issue which caused apache to fail to start resulted from an improvement/optimization included in the upstream patch which was not suitable for apache 2.2.x. I was clearly mistaken in thinking that I had been able to properly backport the change. As an alternative I went back to the original series of commits on the trunk and cherry-picked/backported only those which were needed to address the specific vulnerability in the CVE. The resulting subset was suitable for apache 2.2.x.

I did perform some testing of these packages (this time even remembering that the module must be enabled in order to ensure that it works; thanks Thorsten for helping with that). However, I would appreciate some additional review on this before I upload. Updated packages are at the same location noted above.

Regards,

-Roberto

-- 
Roberto C. Sánchez
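For anyone testing the candidate packages, the message above turns on three checks: the right package version is installed, mod_auth_digest is actually enabled (the pitfall Thorsten caught, since an unloaded module cannot fail to start apache), and apache starts and answers a digest-authenticated request. The script below is an added example, not part of the thread or of the Debian packaging; it assumes Debian wheezy tool paths and a test vhost of your own that protects /digest-test/ with `AuthType Digest` for a user `tester` with password `password` (those names are constructed for the example).

```shell
#!/bin/sh
# Added verification script (not from the thread). Checks: candidate version
# installed, mod_auth_digest enabled, apache starts, digest auth works.
# Assumptions (constructed for this example): a vhost protecting
# /digest-test/ with AuthType Digest, user "tester", password "password".

FIXED_VERSION="2.2.22-13+deb7u13"

# Returns 0 when the installed apache2 version string equals the candidate.
version_is_fixed() {
    installed="$1"
    [ "$installed" = "$FIXED_VERSION" ]
}

# Returns 0 when an `apache2ctl -M` listing shows auth_digest_module.
# apache2ctl -M prints one module per line, e.g. " auth_digest_module (shared)".
module_enabled() {
    listing="$1"
    printf '%s\n' "$listing" | grep -q '^ *auth_digest_module '
}

# Live checks only run where the Debian tools exist, so the helpers above can
# still be exercised on any machine.
if command -v dpkg-query >/dev/null 2>&1 && command -v apache2ctl >/dev/null 2>&1; then
    installed="$(dpkg-query -W -f='${Version}' apache2 2>/dev/null)"
    version_is_fixed "$installed" || { echo "apache2 is $installed, not $FIXED_VERSION"; exit 1; }

    # Without the module loaded, a start failure in the CVE-2018-1312 fix
    # would never be exercised.
    module_enabled "$(apache2ctl -M 2>/dev/null)" || { echo "enabling mod_auth_digest"; a2enmod auth_digest; }

    apache2ctl configtest || exit 1
    service apache2 restart || exit 1

    # A digest request must succeed, and the same request without
    # credentials must be refused with 401.
    code=$(curl -s -o /dev/null -w '%{http_code}' --digest -u tester:password http://localhost/digest-test/)
    [ "$code" = "200" ] || { echo "digest auth returned $code"; exit 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' http://localhost/digest-test/)
    [ "$code" = "401" ] || { echo "unauthenticated request returned $code"; exit 1; }
    echo "ok: apache2 $installed with mod_auth_digest answering digest auth"
fi
```

Run it as root on the wheezy test host after installing the candidate .deb; a non-zero exit with the printed reason tells you which of the three checks failed.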