Bug#847124: apache2: CVE-2016-8740: Server memory can be exhausted and service denied when HTTP/2 is used
Source: apache2
Version: 2.4.23-8
Severity: important
Tags: security upstream patch

Hi

CVE-2016-8740 was announced for apache, CVE-2016-8740, Server memory can
be exhausted and service denied when HTTP/2 is used.

Post to oss-security at: http://www.openwall.com/lists/oss-security/2016/12/05/14
Patch: https://svn.apache.org/r1772576

Regards,
Salvatore

Bug#868467: apache2: CVE-2017-9788
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for apache2.

CVE-2017-9788[0]:
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value
| placeholder in [Proxy-]Authorization headers of type 'Digest' was not
| initialized or reset before or between successive key=value
| assignments by mod_auth_digest. Providing an initial key with no '='
| assignment could reflect the stale value of uninitialized pool memory
| used by the prior request, leading to leakage of potentially
| confidential information, and a segfault in other cases resulting in
| denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788

Regards,
Salvatore

Bug#876109: apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for apache2.

CVE-2017-9798[0]:
HTTP OPTIONS method can leak Apache's server memory

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
[1] https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Regards,
Salvatore

Bug#876109: apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
Control: severity -1 serious

Rationale: Raising the severity to RC / serious, due to the fix being
available in stable but not yet in unstable.

Regards,
Salvatore

Bug#904106: apache2: CVE-2018-1333: DoS for HTTP/2 connections by crafted requests
Source: apache2
Version: 2.4.18-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-1333[0]:
| By specially crafting HTTP/2 requests, workers would be allocated 60
| seconds longer than necessary, leading to worker exhaustion and a
| denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected
| 2.4.18-2.4.30,2.4.33).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1333
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333
[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333

Regards,
Salvatore

Bug#904107: apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests
Source: apache2
Version: 2.4.33-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-8011[0]:
| By specially crafting HTTP requests, the mod_md challenge handler
| would dereference a NULL pointer and cause the child process to
| segfault. This could be used to DoS the server. Fixed in Apache HTTP
| Server 2.4.34 (Affected 2.4.33).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011
[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#909591: apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
Source: apache2
Version: 2.4.25-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-11763[0]:
mod_http2, DoS via continuous SETTINGS frames

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
[1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Regards,
Salvatore

Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Source: apache2
Version: 2.4.37-1
Severity: grave
Tags: patch security upstream

Hi (Stefan),

I agree the severity is not the best chosen one for this issue, it is
more to ensure we could release buster with an appropriate fix already
before the release. If you disagree, please do downgrade.

The following vulnerability was published for apache2.

CVE-2019-0190[0]:
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
[1] https://marc.info/?l=oss-security&m=154817901921421&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Control: tags -1 + fixed-upstream
Control: tags -1 - patch

Hi Xavier,

On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
> 
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to patch ?

Well you are right, not a patch per se, maybe fixed-upstream and
"there is a patch" would have been better. Let me fix that.

If feasible possibly updating to the new upstream version fixing this
CVE (and two others) would be better if still feasible so short before
the soft freeze.

Regards,
Salvatore

Bug#920302: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17189[0]:
mod_http2, DoS via slow, unneeded request bodies

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17189
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
[1] https://www.openwall.com/lists/oss-security/2019/01/22/2

Regards,
Salvatore

Bug#920303: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore

Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> > 
> > Hi Xavier,
> > 
> > On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >> Hello,
> >> 
> >> Debian bug is tagged as "patch", but I didn't find any patch in the
> >> related documents. Can you give me the link to patch ?
> > 
> > Well you are right, not a patch per se, maybe fixed-upstream and
> > "there is a patch" would have been better. Let me fix that.
> > 
> > If feasible possibly updating to the new upstream version fixing this
> > CVE (and two others) would be better if still feasible so short before
> > the soft freeze.
> > 
> > Regards,
> > Salvatore
> 
> Hello,
> 
> looking at last release changelog, bug seems not fixed

Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
is fixed in 2.4.38 upstream.

HTH,

Regards,
Salvatore

Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> > 
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>> 
> >>> Hi Xavier,
> >>> 
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>> 
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to patch ?
> >>> 
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>> 
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two others) would be better if still feasible so short before
> >>> the soft freeze.
> >>> 
> >>> Regards,
> >>> Salvatore
> >> 
> >> Hello,
> >> 
> >> looking at last release changelog, bug seems not fixed
> > 
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> > 
> > HTH,
> > 
> > Regards,
> > Salvatore
> 
> I see that but the provided link [1] doesn't mention it, neither apache2
> changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are mentioned
already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore

Bug#925472: apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed
Source: apache2
Version: 2.4.25-3+deb9u6
Severity: normal
Tags: upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
Control: found -1 2.4.25-3

Hi

When using a setup with mod_authnz_ldap's AuthLDAPBindPassword directive,
specifically with the exec: variant as documented in [1], the respective
child process is not destroyed correctly.

To reproduce the issue within a .htaccess file (we managed to reproduce
in .htaccess context but not in a directory context)

> AuthType Basic
> AuthName "Restricted access"
> AuthBasicProvider ldap
> 
> AuthLDAPURL $url
> AuthLDAPBindDN $binddn
> AuthLDAPBindPassword "exec:/bin/cat /path/to/ldap/passwd"
> 
> Require valid-user

is enough, resulting in defunct processes

[...]
S www-data 145731 82080 0 80 0 13016 223273 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731 0 80 0 0 0 - 14:21 ? 00:00:00 | \_ [cat]
S www-data 145732 82080 0 80 0 13980 223674 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732 0 80 0 0 0 - 14:22 ? 00:00:00 \_ [cat]
[...]

The issue has been submitted upstream already in [2] with a tentative
patch, but it looks like the issue has not yet been addressed upstream.

Regards,
Salvatore

[1] http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#AuthLDAPBindPassword
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61817

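The symptom in this report is an accumulation of defunct `[cat]` children under the apache2 worker processes: the helper spawned for the `exec:` bind password is never reaped. As an added example (not code from the bug report, from httpd or from APR), the following Python check parses a forest-style process listing of the kind quoted above and reports which workers own unreaped children, so a monitoring job can alert on the leak before the zombie count grows. The `SAMPLE_PS` lines are the ones from the report (with the `?` TTY column and the TIME column re-separated) plus one constructed healthy worker line for contrast; the worker command string is an assumption taken from that listing.

```python
"""Detect defunct (zombie) children of apache2 workers in ps output.

Added example, not part of the bug report. It works on the columns a
forest-style `ps -lf` listing shares with the one quoted in #925472:
state, user, PID, PPID, ..., command.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Proc:
    state: str   # first character of the STAT column; 'Z' means defunct
    user: str
    pid: int
    ppid: int
    cmd: str


def parse_ps_line(line: str):
    """Parse one listing line; return None for separators such as '[...]'.

    Only the first four columns are positional. The command is taken from
    the first token that looks like a path or a bracketed name, which
    skips the tree-drawing tokens ps inserts before it.
    """
    tokens = line.split()
    if len(tokens) < 5 or not tokens[2].isdigit() or not tokens[3].isdigit():
        return None
    cmd_start = next((i for i, t in enumerate(tokens[4:], start=4)
                      if t.startswith(("/", "["))), len(tokens) - 1)
    return Proc(tokens[0][0], tokens[1], int(tokens[2]), int(tokens[3]),
                " ".join(tokens[cmd_start:]))


def defunct_children(ps_lines):
    """Map parent PID -> list of zombie child PIDs (only parents that have any)."""
    zombies = defaultdict(list)
    for p in map(parse_ps_line, ps_lines):
        if p is not None and p.state == "Z":
            zombies[p.ppid].append(p.pid)
    return dict(zombies)


def workers_leaking(ps_lines, worker_cmd="/usr/sbin/apache2 -k start"):
    """PIDs of apache2 workers that own at least one unreaped child.

    `worker_cmd` is the command string as it appears in the quoted listing
    (an assumption; adjust for a differently invoked httpd)."""
    by_pid = {p.pid: p for p in map(parse_ps_line, ps_lines) if p is not None}
    return sorted(ppid for ppid in defunct_children(ps_lines)
                  if ppid in by_pid and by_pid[ppid].cmd == worker_cmd)


# Listing from the report (TTY '?' and TIME re-separated) plus one
# constructed healthy worker (PID 145733) that has reaped everything.
SAMPLE_PS = r"""
[...]
S www-data 145731 82080 0 80 0 13016 223273 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731 0 80 0 0 0 - 14:21 ? 00:00:00 | \_ [cat]
S www-data 145732 82080 0 80 0 13980 223674 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732 0 80 0 0 0 - 14:22 ? 00:00:00 \_ [cat]
S www-data 145733 82080 0 80 0 13000 223000 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
[...]
""".strip().splitlines()

if __name__ == "__main__":
    for ppid, kids in defunct_children(SAMPLE_PS).items():
        print(f"worker {ppid} has unreaped children: {kids}")
    print("leaking workers:", workers_leaking(SAMPLE_PS))
```

Feeding the output of `ps -lf --forest -u www-data` (or any listing with the same leading columns) into `workers_leaking` gives a list that should stay empty on a healthy server; a non-empty list that grows between samples is the signature of this bug.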
Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Source: apache2
Version: 2.4.47-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for apache2.

CVE-2021-31618[0]:
| httpd: NULL pointer dereference on specially crafted HTTP/2 request

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31618
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
[1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
[2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#992789: apr: CVE-2021-35940
Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for apr.

CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1

Regards,
Salvatore

Bug#992789: apr: CVE-2021-35940
Control: tags -1 + patch

On Mon, Aug 23, 2021 at 03:44:05PM +0200, Salvatore Bonaccorso wrote:
> Source: apr
> Version: 1.7.0-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> 
> 
> Hi,
> 
> The following vulnerability was published for apr.
> 
> CVE-2021-35940[0]:
> | An out-of-bounds array read in the apr_time_exp*() functions was fixed
> | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> | for this issue was not carried forward to the APR 1.7.x branch, and
> | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
> | the same issue.

Proposed change in https://salsa.debian.org/apache-team/apr/-/merge_requests/8

Regards,
Salvatore

Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1";; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.

CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug#1033408: apache2: Segmentation fault + 503 on frontpage on 2.4.56-1
Hi,

On Fri, Mar 24, 2023 at 05:17:34PM +0100, Fabien LE BERRE wrote:
> Yes it does look like the bug. The Backtrace looks a lot like the coredump
> I've seen.
> Thanks for the heads up. Looking forward for the patch to be applied
> officially.

Would you be able to additionally test the patch on your case to
confirm? That would be great and helpful for releasing the regression
update.

Regards,
Salvatore

[ftpmas...@ftp-master.debian.org: Accepted apache2 2.4.59-1 (source) into unstable]
Source: apache2
Source-Version: 2.4.59-1

----- Forwarded message from Debian FTP Masters -----

Format: 1.8
Date: Fri, 05 Apr 2024 08:08:11 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.59-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Yadd
Closes: 1032628 1054564
Changes:
 apache2 (2.4.59-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove old transitional packages libapache2-mod-md and
     libapache2-mod-proxy-uwsgi. Closes: #1032628
 .
   [ Yadd ]
   * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
   * Refresh patches
   * New upstream version 2.4.59
   * Refresh patches
   * Update patches
   * Update test framework
Checksums-Sha1:
 f1cf18103ca23c57beaa2985bbbe4eee1e8dff87 3334 apache2_2.4.59-1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 3e1cad5ee1fc66d350465c1e81d7e0f88221bc01 820300 apache2_2.4.59-1.debian.tar.xz
Checksums-Sha256:
 25e6990e65cb685f3172143648806ab0fd263a18cd412155f0d14d7ef9987428 3334 apache2_2.4.59-1.dsc
 e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f 9843252 apache2_2.4.59.orig.tar.gz
 0ad3f670b944ebf08c81544bc82fae9496e88d96840cd0612d8cdeaa073eb06d 833 apache2_2.4.59.orig.tar.gz.asc
 1e869a5024215a2a9b69603daf1395840774640f7b2701ca4b7971452a0641d1 820300 apache2_2.4.59-1.debian.tar.xz
Files:
 3f3ee286b583f22ec5cb3efc1f0a5016 3334 httpd optional apache2_2.4.59-1.dsc
 c39d28e0777bc95631cb49958fdb6601 9843252 httpd optional apache2_2.4.59.orig.tar.gz
 3c342b3dcc0fe227a1fffdf9997987d0 833 httpd optional apache2_2.4.59.orig.tar.gz.asc
 4da024370ede9c5a75a0df725be0cdc5 820300 httpd optional apache2_2.4.59-1.debian.tar.xz

----- End forwarded message -----

Bug#1080375: apr: CVE-2023-49582
Source: apr
Version: 1.7.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for apr.

CVE-2023-49582[0]:
| Lax permissions set by the Apache Portable Runtime library on Unix
| platforms would allow local users read access to named shared memory
| segments, potentially revealing sensitive application data. This
| issue does not affect non-Unix platforms, or builds
| with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to
| upgrade to APR version 1.7.5, which fixes this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49582
    https://www.cve.org/CVERecord?id=CVE-2023-49582
[1] https://lists.apache.org/thread/h5f1c2dqm8bf5yfosw3rg85927p612l0

Regards,
Salvatore

Bug#1081266: apache2: Reverse proxy via mod_rewrite broken after upgrade to 2.4.62-1~deb12u1
Hi,

On Tue, Sep 10, 2024 at 06:59:51AM +, Markus Wollny wrote:
> Package: apache2
> Version: 2.4.62-1~deb12u1
> Severity: important
> X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> 
> Dear Maintainer,
> 
> After upgrading apache2 packages, we noticed that our SEO rewriting rules in
> apache2 no longer worked and Tomcat tried to access non-existing file paths
> with URL encoded question marks.
> 
> I have first noticed that this issue affects Debian 12, but I can confirm that
> it also affects Debian 11, so this happens in oldstable, apache2
> 2.4.62-1~deb11u1, too.
> 
> To show the issue, you'll want to enable the following mods:
> a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite
> 
> I have set up a balancer worker in mods-available/proxy_balancer.conf:
> 
> BalancerMember ajp://localhost:8009 secret=youllneverknow
> 
> 
> I have narrowed the issue down to using a proxy RewriteRule inside a
> Directory block. So to reproduce, set up
> /etc/apache2/sites-available/000-default.conf like this:
> 
> 
> ServerAdmin webmaster@localhost
> DocumentRoot /var/www/html
> 
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> 
> DirectoryIndex index.html
> RewriteEngine On
> RewriteRule ^/?(.*?)$
> balancer://tomcat/demo/index.jsp?rewrite=$1
> [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> 
> 
> 
> To illustrate the issue, I have set up a simple /demo/ application in Tomcat
> 10, but the problem is caused by the Apache2 webserver, so this part is not
> relevant here.
> 
> Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to
> http://127.0.0.1/foo/bar/?someparam will result in the following request
> being proxied to tomcat, as is expected:
> GET /demo/index.jsp?rewrite=foo/bar/&someparam
> 
> After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
> GET
> /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> 
> You can see that the complete parameter string is added twice now, with the
> leading ? being escaped the first time around, which in turn causes the path
> to be completely messed up, so Tomcat won't be able to find the file and
> returns a 404 status.
> 
> When turning on debug logging in apache2, one can see that the request path
> is still fine during mod_rewrite processing, it only gets broken during
> mod_proxy processing. The issue does not occur, when the RewriteRule is
> placed outside of the Directory block. Unfortunately, this is not a viable
> workaround for us, we really need to be able to use this inside
> and we need the full flexibility of mod_rewrite too, so we cannot implement
> the same thing using ProxyPass, either. For now, the only resolution is to
> downgrade the apache2 packages:
> 
> apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1
> apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1
> apache2-utils=2.4.61-1~deb12u1
> 
> After the downgrade, the RewriteRule with the proxy directive is back to
> working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels
> like having to pin the previous apache2 version is not a good solution, but
> upgrading it is not possible until this is fixed.
> 
> If I had to guess, this may be caused by the following change:
> mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
> "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
> with BalancerMember(s). PR 69168. [Yann Ylavic]

Can you double-check if this is #1079172 and as reported upstream in
https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ?

Regards,
Salvatore

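Two messages in this corpus turn on the same question, how a `?` in a RewriteRule backreference or query string ends up in the proxied request-target: the CVE-2023-25690 description in #1032476 above (user-supplied request-target data substituted back into the proxied URL) and this regression, where the 2.4.62 backport escapes the `?` and appends the query string twice. As an added example (not httpd code and not the reporter's configuration), the Python below models both points: a check that a captured path fragment cannot change the structure of the request-target when re-inserted, a composer that applies `$1` and the `[QSA]` query exactly once so that `GET /demo/index.jsp?rewrite=foo/bar/&someparam` comes out as the reporter expects, and a regression check that flags the `%3F`-in-path form from the upgraded server. The rule template and the sample request line are the ones from this report; the assumption that the capture is already percent-decoded is ours, not a statement about mod_rewrite's internals.

```python
"""Compose a proxied request-target from a RewriteRule backreference safely,
and recognise the mangled form reported in #1081266.

Added example, not part of the bug report or of httpd.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Characters that give a path fragment structural meaning in a request-line:
# '?' and '#' start the query/fragment, whitespace and control characters
# (CR/LF above all) end the request-line or start a new header.
STRUCTURAL = re.compile(r"[?#\s\x00-\x1f\x7f]")


def capture_is_safe(capture: str) -> bool:
    """True if `capture` can be re-inserted as a path fragment unchanged.

    Assumption: the capture comes from the already percent-decoded request
    path, so a literal '?' is checked directly; the decoded form is checked
    as well so that a remaining %3F or %0D%0A cannot slip through either.
    """
    return not (STRUCTURAL.search(capture) or STRUCTURAL.search(unquote(capture)))


def build_proxy_target(template: str, capture: str, query: str,
                       qsa: bool = True) -> Optional[str]:
    """Substitute $1 into `template`; append `query` once when QSA applies.

    Returns None instead of a target when the capture would change the
    request-target's structure, which is the condition CVE-2023-25690
    describes for RewriteRule/ProxyPassMatch substitutions."""
    if not capture_is_safe(capture):
        return None
    target = template.replace("$1", capture)
    if qsa and query:
        target += ("&" if "?" in target else "?") + query
    return target


def path_query_mangled(request_target: str) -> bool:
    """Regression check for request lines as seen by the backend.

    A percent-encoded '?' inside the path component means the query was
    folded into the path, which is the 2.4.62 symptom; the pre-regression
    output never contained one."""
    path = request_target.partition("?")[0]
    return "%3f" in path.lower()


if __name__ == "__main__":
    template = "/demo/index.jsp?rewrite=$1"          # from the reporter's rule
    print(build_proxy_target(template, "foo/bar/", "someparam"))
    print(build_proxy_target("http://example.com:8080/elsewhere?$1", "x?y", ""))
    print(path_query_mangled(
        "/demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam"))
```

`path_query_mangled` run over the request lines of the backend's access log (Tomcat's, in this report) gives a quick way to confirm whether an upgraded front end is affected before rolling it back, which is cheaper than reproducing the whole balancer setup.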
Bug#1081266: apache2: Reverse proxy via mod_rewrite broken after upgrade to 2.4.62-1~deb12u1
Hi,

On Tue, Sep 10, 2024 at 05:07:29PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Tue, Sep 10, 2024 at 06:59:51AM +, Markus Wollny wrote:
> > Package: apache2
> > Version: 2.4.62-1~deb12u1
> > Severity: important
> > X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> > 
> > Dear Maintainer,
> > 
> > After upgrading apache2 packages, we noticed that our SEO rewriting rules
> > in apache2 no longer worked and Tomcat tried to access non-existing file
> > paths with URL encoded question marks.
> > 
> > I have first noticed that this issue affects Debian 12, but I can confirm
> > that it also affects Debian 11, so this happens in oldstable, apache2
> > 2.4.62-1~deb11u1, too.
> > 
> > To show the issue, you'll want to enable the following mods:
> > a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm
> > rewrite
> > 
> > I have set up a balancer worker in mods-available/proxy_balancer.conf:
> > 
> > BalancerMember ajp://localhost:8009 secret=youllneverknow
> > 
> > 
> > I have narrowed the issue down to using a proxy RewriteRule inside a
> > Directory block. So to reproduce, set up
> > /etc/apache2/sites-available/000-default.conf like this:
> > 
> > 
> > ServerAdmin webmaster@localhost
> > DocumentRoot /var/www/html
> > 
> > ErrorLog ${APACHE_LOG_DIR}/error.log
> > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > 
> > 
> > DirectoryIndex index.html
> > RewriteEngine On
> > RewriteRule ^/?(.*?)$
> > balancer://tomcat/demo/index.jsp?rewrite=$1
> > [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> > 
> > 
> > 
> > To illustrate the issue, I have set up a simple /demo/ application in
> > Tomcat 10, but the problem is caused by the Apache2 webserver, so this part
> > is not relevant here.
> > 
> > Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to
> > http://127.0.0.1/foo/bar/?someparam will result in the following request
> > being proxied to tomcat, as is expected:
> > GET /demo/index.jsp?rewrite=foo/bar/&someparam
> > 
> > After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
> > GET
> > /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> > 
> > You can see that the complete parameter string is added twice now, with the
> > leading ? being escaped the first time around, which in turn causes the
> > path to be completely messed up, so Tomcat won't be able to find the file
> > and returns a 404 status.
> > 
> > When turning on debug logging in apache2, one can see that the request path
> > is still fine during mod_rewrite processing, it only gets broken during
> > mod_proxy processing. The issue does not occur, when the RewriteRule is
> > placed outside of the Directory block. Unfortunately, this is not a viable
> > workaround for us, we really need to be able to use this inside
> > and we need the full flexibility of mod_rewrite too, so we cannot implement
> > the same thing using ProxyPass, either. For now, the only resolution is to
> > downgrade the apache2 packages:
> > 
> > apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1
> > apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1
> > apache2-utils=2.4.61-1~deb12u1
> > 
> > After the downgrade, the RewriteRule with the proxy directive is back to
> > working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels
> > like having to pin the previous apache2 version is not a good solution, but
> > upgrading it is not possible until this is fixed.
> > 
> > If I had to guess, this may be caused by the following change:
> > mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
> > "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
> > with BalancerMember(s). PR 69168. [Yann Ylavic]
> 
> Can you double-check if this is #1079172 and as reported upstream in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ?

Actually after a quick discussion with Bastien, he pointed me to
https://bz.apache.org/bugzilla/show_bug.cgi?id=69241 .

Regards,
Salvatore

Bug#1086632: bookworm-pu: package apr/1.7.2-3+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: a...@packages.debian.org, Stefan Fritsch , Debian Apache Maintainers , j...@debian.org, car...@debian.org
Control: affects -1 + src:apr
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
apr in bookworm is affected by CVE-2023-49582, #1080375 where permissions
of shared mem files are too wide, making them world readable. The apr
upstream version 1.7.5 changes those to 0600 permissions. The issue does
not warrant a DSA, so we would like to include it in the point release.

[ Impact ]
Users of libapr1 still create shared mem files with too lax permissions.

[ Tests ]
Manually tested the update with the apache2 ScoreBoardFile file,
previously created with 0644 permissions, and now with the more
restrictive 0600.

[ Risks ]
The patch is taken from the upstream merge into the 1.7.x version and
there were no followups since then. The version in unstable has been
present since the beginning of September, TTBOMK without reports.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Change to use 0600 permissions for named shared memory.

[ Other info ]
Nothing specifically.

Regards,
Salvatore

diff -Nru apr-1.7.2/debian/changelog apr-1.7.2/debian/changelog --- apr-1.7.2/debian/changelog 2023-02-26 21:51:24.0 +0100 +++ apr-1.7.2/debian/changelog 2024-10-31 21:08:12.0 +0100 
@@ -1,3 +1,11 @@ +apr (1.7.2-3+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Use 0600 perms for named shared mem consistently (CVE-2023-49582) +(Closes: #1080375) + + -- Salvatore Bonaccorso Thu, 31 Oct 2024 21:08:12 +0100 + apr (1.7.2-3) unstable; urgency=medium * Add more fixes for atomics from upstream, in particular for diff -Nru apr-1.7.2/debian/patches/CVE-2023-49582.patch apr-1.7.2/debian/patches/CVE-2023-49582.patch --- apr-1.7.2/debian/patches/CVE-2023-49582.patch 1970-01-01 01:00:00.0 +0100 +++ apr-1.7.2/debian/patches/CVE-2023-49582.patch 2024-10-31 21:07:08.0 +0100 
@@ -0,0 +1,71 @@ +From: Eric Covener +Date: Tue, 20 Aug 2024 21:50:42 + +Subject: Merge r1920082 from 1.8.x: +Origin: https://github.com/apache/apr/commit/36ea6d5a2bfc480dd8032cc8651e6793552bc2aa +Bug-Debian: https://bugs.debian.org/1080375 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-49582 + +use 0600 perms for named shared mem consistently + + + + +git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1920083 13f79535-47bb-0310-9956-ffa450edef68 +--- + shmem/unix/shm.c | 18 +++--- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c +index 096884d99d50..ea9b94277b01 100644 +--- a/shmem/unix/shm.c b/shmem/unix/shm.c +@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + status = APR_SUCCESS; + + #if APR_USE_SHMEM_MMAP_TMP +-/* FIXME: Is APR_OS_DEFAULT sufficient? */ +-status = apr_file_open(&file, filename, +- APR_READ | APR_WRITE | APR_CREATE | APR_EXCL, +- APR_OS_DEFAULT, pool); ++status = apr_file_open(&file, filename, ++ APR_FOPEN_READ | APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL, ++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool); + if (status != APR_SUCCESS) { + return status; + } +@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + } + #endif /* APR_USE_SHMEM_MMAP_TMP */ + #if APR_USE_SHMEM_MMAP_SHM +-/* FIXME: SysV uses 0600... should we? */ +-tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644); ++tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600); + if (tmpfd == -1) { + return errno; + } +@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m, + #elif APR_USE_SHMEM_SHMGET + new_m->realsize = reqsize; + +-/* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. 
*/ +-status = apr_file_open(&file, filename, ++status = apr_file_open(&file, filename, +APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL, +- APR_OS_DEFAULT, pool); ++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool); + if (status != APR_SUCCESS) { + return status; + } +@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m, + #if APR_USE_SHMEM_MMAP_SHM + const char *shm_name = make_shm_open_safe_name(filename, pool); + +-/* FIXME: SysV uses 0600... should we? */ +-tmpfd = shm_open(shm_name, O_RDWR, 064
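Review bot: the three apr_shm_create hunks (the APR_USE_SHMEM_MMAP_TMP and APR_USE_SHMEM_SHMGET apr_file_open calls now passing `APR_FPROT_UREAD | APR_FPROT_UWRITE`, and the APR_USE_SHMEM_MMAP_SHM shm_open call now passing `0600`) only affect segments and backing files created after this version is installed; a segment or file left behind at 0644 by the previous build is not tightened by the upgrade, so the changelog entry or the package's NEWS should say that the fix takes effect once the owning service has recreated its shared memory (a restart), and an admin auditing existing `/dev/shm` or tmp-backed segments should not expect them to already be 0600.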
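Review bot: in the apr_shm_attach hunk the shm_open call is `shm_open(shm_name, O_RDWR, ...)` with no O_CREAT, and POSIX ignores the mode argument when O_CREAT is absent, so changing the literal there has no runtime effect; it is fine to keep for consistency with the create path, but it should not be read as closing a separate exposure, and the real permission on an attached segment is whatever the creating process set.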
Bug#1081266: apache2: Reverse proxy via mod_rewrite broken after upgrade to 2.4.62-1~deb12u1
Hi,

On Tue, Sep 10, 2024 at 03:35:26PM +, Bastien Roucariès wrote:
> control: retitle -1 Regression: Reverse proxy via mod_rewrite broken after
> 2.4.62
>
> On Tuesday 10 September 2024, 15:18:48 UTC Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Tue, Sep 10, 2024 at 05:07:29PM +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Tue, Sep 10, 2024 at 06:59:51AM +, Markus Wollny wrote:
> > > > Package: apache2
> > > > Version: 2.4.62-1~deb12u1
> > > > Severity: important
> > > > X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> > > >
> > > > Dear Maintainer,
> > > >
> > > > After upgrading apache2 packages, we noticed that our SEO rewriting
> > > > rules in apache2 no longer worked and Tomcat tried to access
> > > > non-existing file paths with URL encoded question marks.
> > > >
> > > > I first noticed that this issue affects Debian 12, but I can confirm
> > > > that it also affects Debian 11, so this happens in oldstable, apache2
> > > > 2.4.62-1~deb11u1, too.
> > > >
> > > > To show the issue, you'll want to enable the following mods:
> > > > a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm
> > > > rewrite
> > > >
> > > > I have set up a balancer worker in mods-available/proxy_balancer.conf:
> > > >
> > > > BalancerMember ajp://localhost:8009 secret=youllneverknow
> > > >
> > > >
> > > > I have narrowed the issue down to using a proxy RewriteRule inside a
> > > > Directory block. So to reproduce, set up
> > > > /etc/apache2/sites-available/000-default.conf like this:
> > > >
> > > >
> > > > ServerAdmin webmaster@localhost
> > > > DocumentRoot /var/www/html
> > > >
> > > > ErrorLog ${APACHE_LOG_DIR}/error.log
> > > > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > > >
> > > >
> > > > DirectoryIndex index.html
> > > > RewriteEngine On
> > > > RewriteRule ^/?(.*?)$
> > > > balancer://tomcat/demo/index.jsp?rewrite=$1
> > > > [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> > > >
> > > >
> > > >
> > > > To illustrate the issue, I have set up a simple /demo/ application in
> > > > Tomcat 10, but the problem is caused by the Apache2 webserver, so this
> > > > part is not relevant here.
> > > >
> > > > Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to
> > > > http://127.0.0.1/foo/bar/?someparam will result in the following
> > > > request being proxied to tomcat, as is expected:
> > > > GET /demo/index.jsp?rewrite=foo/bar/&someparam
> > > >
> > > > After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
> > > > GET
> > > > /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> > > >
> > > > You can see that the complete parameter string is added twice now, with
> > > > the leading ? being escaped the first time around, which in turn causes
> > > > the path to be completely messed up, so Tomcat won't be able to find
> > > > the file and returns a 404 status.
> > > >
> > > > When turning on debug logging in apache2, one can see that the request
> > > > path is still fine during mod_rewrite processing; it only gets broken
> > > > during mod_proxy processing. The issue does not occur when the
> > > > RewriteRule is placed outside of the Directory block. Unfortunately,
> > > > this is not a viable workaround for us, we really need to be able to
> > > > use this inside and we need the full flexibility of
> > > > mod_rewrite too, so we cannot implement the same thing using ProxyPass,
> > > > either. For now, the only resolution is to downgrade the apache2
> > > > packages:
> > > >
> > > > apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1
> > > > apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1
> > > > apache2-utils=2.4.61-1~deb12u1
> > > >
> > > > After the downgrade, the RewriteRule with the proxy directive is back
> > &g
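A small check derived from the two request lines quoted in the report above (an added example, not part of the bug report or of the apache2 package): it encodes the backend request-target the reporter's RewriteRule is meant to produce, and scans constructed Tomcat access-log lines for the percent-encoded `?` in the path that marks the mangled form, so an operator can confirm from backend logs alone whether the regression is present before and after an upgrade. The log lines and all helper names are assumptions.

```python
import re

# Constructed Tomcat access-log lines in common log format, modelled on the
# two proxied request lines quoted in the bug report; not real log data.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Sep/2024:06:59:51 +0000] "GET /demo/index.jsp?rewrite=foo/bar/&someparam HTTP/1.1" 200 1234
127.0.0.1 - - [10/Sep/2024:07:00:02 +0000] "GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam HTTP/1.1" 404 0
127.0.0.1 - - [10/Sep/2024:07:00:10 +0000] "GET /demo/static/app.css HTTP/1.1" 200 88
"""

# Pulls the request-target out of the quoted request line of a log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def expected_backend_target(client_target, backend_prefix="/demo/index.jsp?rewrite="):
    """Backend request-target the report's RewriteRule is meant to produce
    for one client request-target: everything after the leading slash goes
    into rewrite=$1 and the original query string is appended (the QSA flag).
    This mirrors the mapping the report observed, not mod_rewrite in general."""
    path, _, query = client_target.partition("?")
    target = backend_prefix + path.lstrip("/")
    if query:
        target += "&" + query
    return target


def is_mangled(backend_target):
    """True when the path component carries a percent-encoded '?' (%3F): the
    rewritten query was escaped into the path and the real query string was
    appended a second time after it, which is the regression's signature."""
    path, _, _ = backend_target.partition("?")
    return "%3f" in path.lower()


def audit_access_log(log_text):
    """Return the request-targets in backend access-log text that show the
    mangling, so a downgrade or fixed upgrade can be verified from logs."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and is_mangled(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    print("expected backend target:", expected_backend_target("/foo/bar/?someparam"))
    for target in audit_access_log(SAMPLE_LOG):
        print("mangled backend request:", target)
```

Run it against the real Tomcat access log to get a list of affected request-targets; an empty list after the upgrade means the proxied paths are intact again.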
Bug#1110074: unblock: apache2/2.4.65-1
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: apac...@packages.debian.org, Debian Apache Maintainers , Ondřej Surý , Yadd , Bastien Roucariès , car...@debian.org, t...@security.debian.org
Control: affects -1 + src:apache2
User: release.debian@packages.debian.org
Usertags: unblock
Control: block 1109084 with -1

Hi,

Please unblock package apache2

AFAICS there was no unblock request for apache2/2.4.65-1, which fixes a regression from 2.4.64-1 and is tracked as well as CVE-2025-54090. Xavier, can you confirm that this is good to go and is the version you want to see in trixie? (Note that this is also needed so that the bookworm-pu request in #1109084 can be accepted.)

Regards,
Salvatore