Your message dated Sun, 1 Nov 2009 19:05:06 +0100
with message-id <[email protected]>
and subject line Re: Bug#551727: apache2: CVE-2009-1890 - backport patch from
Apache 2.2.12
has caused the Debian Bug report #551727,
regarding apache2: CVE-2009-1890 - backport patch from Apache 2.2.12
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
551727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: normal
see http://httpd.apache.org/security/vulnerabilities_22.html - there is a
mod_proxy DOS attack vulnerability that should be fixed in some of the next
revisions of the apache2 Debian packages
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi dir env mime negotiation perl
php5 proxy_connect proxy_http proxy python security2 setenvif
status unique_id
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.9-10+lenny4 Apache HTTP Server - traditional n
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny4 utility programs for webservers
ii libapr1 1.2.12-5+lenny1 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19lenny2 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
-- no debconf information
--- End Message ---
--- Begin Message ---
On Tuesday 20 October 2009, Stefan Fritsch wrote:
> > see http://httpd.apache.org/security/vulnerabilities_22.html -
> > there is a mod_proxy DOS attack vulnerability that should be
> > fixed in some of the next revisions of the apache2 Debian
> > packages
>
> These are not very severe issues and will be fixed in
> 2.2.9-10+lenny5 in the next stable point release. Packages are
> already available in stable-proposed-updates for most
> architectures.
>
Oops, I confused that with CVE-2009-3094 (mod_proxy_ftp DoS).
CVE-2009-1890 is already fixed in 2.2.9-10+lenny4.
--- End Message ---