Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package apache2. It fixes CVE-2015-0228. unblock apache2/2.4.10-10 Debdiff: diff -Nru apache2-2.4.10/debian/apache2.NEWS apache2-2.4.10/debian/apache2.NEWS --- apache2-2.4.10/debian/apache2.NEWS 2014-11-08 23:16:55.000000000 +0100 +++ apache2-2.4.10/debian/apache2.NEWS 2015-02-01 09:25:15.000000000 +0100 @@ -15,10 +15,11 @@ modules, you have to re-compile them for apache2 2.4. The authorization and authentication system has changed. Existing - configurations using deprecated Order/Allow/Deny directives should be + configurations using deprecated Order/Allow/Deny directives need to be upgraded to the new system. Please review upstream's "Authentication, - Authorization and Access Control Howto" [1]. However, "mod_access_compat" is - loaded by default to provide backward compatibility. + Authorization and Access Control Howto" [1]. There is a new module + "mod_access_compat", which is supposed to provide backward compatibility, + but it does not work well in practice. Furthermore, MPMs are simple modules now. Thus, the MPM can be changed at any time by (un-)loading a specific module. Be careful when upgrading. An diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog --- apache2-2.4.10/debian/changelog 2014-12-22 21:46:14.000000000 +0100 +++ apache2-2.4.10/debian/changelog 2015-03-15 10:47:36.000000000 +0100 
@@ -1,3 +1,14 @@ +apache2 (2.4.10-10) unstable; urgency=medium + + * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in + wsupgrade(). + * Fix setup-instance example script to handle a2enconf/a2disconf. + LP: #1430936 + * Tweak mention of mod_access_compat in NEWS.Debian. The module does + not really work in practice. + + -- Stefan Fritsch <s...@debian.org> Sun, 15 Mar 2015 10:47:36 +0100 + apache2 (2.4.10-9) unstable; urgency=medium * CVE-2014-8109: mod_lua: Fix handling of the Require line when a diff -Nru apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff --- apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff 2015-03-15 10:33:38.000000000 +0100 
@@ -0,0 +1,53 @@ +#commit 1f1375a2a615337d3fd1da2aad7a080243cbdcb7 +#Author: Eric Covener <cove...@apache.org> +#Date: Wed Mar 4 19:18:27 2015 +0000 +# +# Merge r1657261 from trunk: +# +# *) SECURITY: CVE-2015-0228 (cve.mitre.org) +# mod_lua: A maliciously crafted websockets PING after a script +# calls r:wsupgrade() can cause a child process crash. +# [Edward Lu <Chaosed0 gmail.com>] +# +# Discovered by Guido Vranken <guidovranken gmail.com> +# +# Submitted by: Edward Lu +# Committed by: covener +# +# +# +# +# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68 +# +--- apache2.orig/modules/lua/lua_request.c ++++ apache2/modules/lua/lua_request.c +@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State + { + apr_socket_t *sock; + apr_status_t rv; ++ int do_read = 1; + int n = 0; + apr_size_t len = 1; + apr_size_t plen = 0; +@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State + mask_bytes = apr_pcalloc(r->pool, 4); + sock = ap_get_conn_socket(r->connection); + ++ while (do_read) { ++ do_read = 0; + /* Get opcode and FIN bit */ + if (plaintext) { + rv = apr_socket_recv(sock, &byte, &len); +@@ -2372,10 +2375,11 @@ static int lua_websocket_read(lua_State + frame[0] = 0x8A; + frame[1] = 0; + apr_socket_send(sock, frame, &plen); /* Pong! */ +- lua_websocket_read(L); /* read the next frame instead */ ++ do_read = 1; + } + } + } ++ } + return 0; + } + diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series --- apache2-2.4.10/debian/patches/series 2014-12-22 19:53:05.000000000 +0100 +++ apache2-2.4.10/debian/patches/series 2015-03-15 10:33:23.000000000 +0100 
@@ -11,3 +11,4 @@ mod_ssl_memleak.diff mod_ssl-oscp_stapling_crash.diff CVE-2014-8109_mod_lua.diff +CVE-2015-0228_mod_lua.diff diff -Nru apache2-2.4.10/debian/setup-instance apache2-2.4.10/debian/setup-instance --- apache2-2.4.10/debian/setup-instance 2014-11-08 23:16:56.000000000 +0100 +++ apache2-2.4.10/debian/setup-instance 2015-03-15 10:37:19.000000000 +0100 @@ -25,7 +25,7 @@ chmod 755 /etc/init.d/apache2-$SUFFIX echo -n Setting up symlinks: -for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do +for a in a2enmod a2dismod a2ensite a2dissite a2enconf a2disconf apache2ctl ; do echo -n " $a-$SUFFIX" ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX done -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Archive: https://lists.debian.org/20150322175447.14217.86284.reportbug@pisco.westfalen.local
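Review bot: in the debian/apache2.NEWS hunk, the new sentence "it does not work well in practice" tells an administrator neither what fails with mod_access_compat nor what to do about it, and it drops the old text's statement that the module is loaded by default without saying whether that is still the case. Name the concrete limitation (or point at the bug report that motivated the rewording), keep the "loaded by default" fact if it still holds, and state the action, e.g. "convert existing Order/Allow/Deny stanzas to Require directives rather than relying on mod_access_compat".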
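Review bot: in the debian/changelog hunk, the CVE-2015-0228 entry says the fix is "in wsupgrade()", but the patch in this debdiff touches lua_websocket_read() in lua_request.c, the frame reader used after a script calls r:wsupgrade(); saying "in the websocket frame reader after r:wsupgrade()" and naming the bug class (unbounded recursion on PING frames) would make the entry match the patch header. The setup-instance line cites LP: #1430936 while the CVE entry cites no Debian bug number; if one was filed, add a "Closes:" reference so the security tracker can link this upload to it.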
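Review bot: in the CVE-2015-0228_mod_lua.diff hunk, the return value of `apr_socket_send(sock, frame, &plen); /* Pong! */` is still ignored, so when the Pong reply fails the new loop sets `do_read = 1` and goes straight back to `apr_socket_recv` on a socket that is already in error; check the send result and return (or break out of the `while (do_read)` loop) on failure the same way the recv paths do. The change itself is the right shape: the old `lua_websocket_read(L); /* read the next frame instead */` recursed once per PING, so a client could grow the stack without bound, and the `do_read` loop keeps the stack depth constant no matter how many PINGs arrive. Two caveats worth a follow-up: the loop body was not re-indented, so the trailing `+ }` lands at the function's brace level and the body no longer reads as loop-scoped (acceptable for a minimal backport, but note it in the patch header), and the Pong still sends `frame[1] = 0`, an empty payload, whereas RFC 6455 section 5.5.3 requires the Pong to carry the Ping's application data; that is pre-existing behaviour, not something this fix introduces. A peer can still send an endless stream of PINGs and hold the worker in this loop, which is now an ordinary slow-client cost rather than a child crash.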
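Review bot: in the debian/setup-instance hunk, the loop still runs `ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX` without `-f`, so an administrator who re-runs the script on an instance created by the previous version to pick up the two new a2enconf/a2disconf links gets "File exists" on the five links that are already there; `ln -sf`, or a guard such as `[ -e /usr/local/sbin/$a-$SUFFIX ] || ln -s ...`, would let existing instances be updated in place.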