Your message dated Sun, 22 Mar 2015 19:44:29 +0000
with message-id <[email protected]>
and subject line Re: Bug#780973: unblock: apache2/2.4.10-10
has caused the Debian Bug report #780973,
regarding unblock: apache2/2.4.10-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
780973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780973
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package apache2. It fixes CVE-2015-0228.
unblock apache2/2.4.10-10
Debdiff:
diff -Nru apache2-2.4.10/debian/apache2.NEWS apache2-2.4.10/debian/apache2.NEWS
--- apache2-2.4.10/debian/apache2.NEWS 2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.NEWS 2015-02-01 09:25:15.000000000 +0100
@@ -15,10 +15,11 @@
modules, you have to re-compile them for apache2 2.4.
The authorization and authentication system has changed. Existing
- configurations using deprecated Order/Allow/Deny directives should be
+ configurations using deprecated Order/Allow/Deny directives need to be
upgraded to the new system. Please review upstream's "Authentication,
- Authorization and Access Control Howto" [1]. However, "mod_access_compat" is
- loaded by default to provide backward compatibility.
+ Authorization and Access Control Howto" [1]. There is a new module
+ "mod_access_compat", which is supposed to provide backward compatibility,
+ but it does not work well in practice.
Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
at any time by (un-)loading a specific module. Be careful when upgrading. An
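Review bot: The rewritten paragraph drops the statement that mod_access_compat is loaded by default and replaces it with "does not work well in practice" without saying what fails, so an admin reading NEWS.Debian can no longer tell whether an old Order/Allow/Deny configuration is still honoured after the upgrade. Suggest stating whether the module is still loaded by default (the old text said it was) and adding one sentence on the failure mode that motivated the wording change, so that "need to be upgraded" is backed by a concrete reason rather than a vague verdict.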
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog 2014-12-22 21:46:14.000000000 +0100
+++ apache2-2.4.10/debian/changelog 2015-03-15 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+apache2 (2.4.10-10) unstable; urgency=medium
+
+ * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
+ wsupgrade().
+ * Fix setup-instance example script to handle a2enconf/a2disconf.
+ LP: #1430936
+ * Tweak mention of mod_access_compat in NEWS.Debian. The module does
+ not really work in practice.
+
+ -- Stefan Fritsch <[email protected]> Sun, 15 Mar 2015 10:47:36 +0100
+
apache2 (2.4.10-9) unstable; urgency=medium
* CVE-2014-8109: mod_lua: Fix handling of the Require line when a
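Review bot: The CVE-2015-0228 entry says the fix is "in wsupgrade()", but the patch in this upload changes lua_websocket_read() in modules/lua/lua_request.c; upstream's own description (a crafted websockets PING received after a script has called r:wsupgrade() crashes the child) is more precise and would be better mirrored here so the changelog points at the code that actually changed. The rest of the entry is fine; the LP: #1430936 reference covers the setup-instance change.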
diff -Nru apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff
apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff
--- apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff 1970-01-01
01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff 2015-03-15
10:33:38.000000000 +0100
@@ -0,0 +1,53 @@
+#commit 1f1375a2a615337d3fd1da2aad7a080243cbdcb7
+#Author: Eric Covener <[email protected]>
+#Date: Wed Mar 4 19:18:27 2015 +0000
+#
+# Merge r1657261 from trunk:
+#
+# *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+# mod_lua: A maliciously crafted websockets PING after a script
+# calls r:wsupgrade() can cause a child process crash.
+# [Edward Lu <Chaosed0 gmail.com>]
+#
+# Discovered by Guido Vranken <guidovranken gmail.com>
+#
+# Submitted by: Edward Lu
+# Committed by: covener
+#
+#
+#
+#
+# git-svn-id:
https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118
13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/lua/lua_request.c
++++ apache2/modules/lua/lua_request.c
+@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State
+ {
+ apr_socket_t *sock;
+ apr_status_t rv;
++ int do_read = 1;
+ int n = 0;
+ apr_size_t len = 1;
+ apr_size_t plen = 0;
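Review bot: The header of the new patch file uses `#`-prefixed free text (`#commit ...`, `#Author: ...`, `# git-svn-id: ...`) rather than DEP-3 fields, so `quilt header` and the patch tracker cannot extract the provenance; suggest an `Origin: backport, https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118` line plus `Bug:`/`Bug-Debian:` lines where applicable (the CVE id is already in the filename). The first code hunk itself only adds the `int do_read = 1;` declaration that the loop in the following hunk relies on; nothing to flag there.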
+@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State
+ mask_bytes = apr_pcalloc(r->pool, 4);
+ sock = ap_get_conn_socket(r->connection);
+
++ while (do_read) {
++ do_read = 0;
+ /* Get opcode and FIN bit */
+ if (plaintext) {
+ rv = apr_socket_recv(sock, &byte, &len);
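Review bot: `while (do_read) { do_read = 0;` at the top of the read path makes every iteration opt back in explicitly, so only the branch that sets `do_read = 1` (the Pong reply in the later hunk) reads another frame and every other path leaves the loop after one pass, which preserves the one-frame-per-call behaviour for data frames. The opening brace here is balanced by the `+ }` added before `return 0` further down, but because the existing body lines (`/* Get opcode and FIN bit */`, `if (plaintext) {`, ...) appear as unchanged context and were not re-indented, the pairing is easy to miss when reading the file; a short comment on the `while` line such as `/* loop instead of recursing on PING; see CVE-2015-0228 */` would help the next reader.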
+@@ -2372,10 +2375,11 @@ static int lua_websocket_read(lua_State
+ frame[0] = 0x8A;
+ frame[1] = 0;
+ apr_socket_send(sock, frame, &plen); /* Pong! */
+- lua_websocket_read(L); /* read the next frame instead */
++ do_read = 1;
+ }
+ }
+ }
++ }
+ return 0;
+ }
+
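Review bot: Replacing the recursive `lua_websocket_read(L)` in the Pong branch with `do_read = 1` is the actual fix: previously every PING frame consumed a further C stack frame, so a peer sending PINGs back to back could grow the stack without bound until the child died, which is the crash the header attributes to CVE-2015-0228; with the loop the cost per PING is one iteration and no stack. Also worth recording in the review that the old call ignored the recursive call's return value and still fell through to `return 0`, so anything the nested read pushed for the Lua caller was dropped by that outer `return 0`; the loop form fixes that as a side effect. The loop still runs for as long as the peer keeps sending PINGs, but each iteration waits on the socket read, so it is bounded by the peer's send rate rather than by memory, which is the intended outcome.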
diff -Nru apache2-2.4.10/debian/patches/series
apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series 2014-12-22 19:53:05.000000000
+0100
+++ apache2-2.4.10/debian/patches/series 2015-03-15 10:33:23.000000000
+0100
@@ -11,3 +11,4 @@
mod_ssl_memleak.diff
mod_ssl-oscp_stapling_crash.diff
CVE-2014-8109_mod_lua.diff
+CVE-2015-0228_mod_lua.diff
diff -Nru apache2-2.4.10/debian/setup-instance
apache2-2.4.10/debian/setup-instance
--- apache2-2.4.10/debian/setup-instance 2014-11-08 23:16:56.000000000
+0100
+++ apache2-2.4.10/debian/setup-instance 2015-03-15 10:37:19.000000000
+0100
@@ -25,7 +25,7 @@
chmod 755 /etc/init.d/apache2-$SUFFIX
echo -n Setting up symlinks:
-for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do
+for a in a2enmod a2dismod a2ensite a2dissite a2enconf a2disconf apache2ctl ; do
echo -n " $a-$SUFFIX"
ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX
done
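Review bot: Adding a2enconf and a2disconf to the symlink loop is correct, but `ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX` has no `-f` and the loop has no existence check, so re-running the script for an instance created with the previous version (to pick up the two new links) prints an error for every link that already exists; either use `ln -sf`, or skip names whose link already exists, and mention in the changelog that instances set up earlier will not get the a2enconf/a2disconf links automatically.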
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On Sun, 2015-03-22 at 18:54 +0100, Moritz Muehlenhoff wrote:
> Please unblock package apache2. It fixes CVE-2015-0228.
Unblocked.
Regards,
Adam
--- End Message ---