Bug#933129: apache2: OCSP stapling poorly handled, yielding trylater errors in the client

2019-09-26 Thread Vincent Lefevre 
On 2019-09-26 23:40:45 +0200, Vincent Lefevre wrote:
> Control: found -1 2.4.38-3+deb10u1
> 
> On 2019-07-26 22:30:00 +0200, Vincent Lefevre wrote:
> > I sometimes get SEC_ERROR_OCSP_TRY_SERVER_LATER errors in Firefox
> > when I connect to my web server. The apache log shows errors like
> > 
> > [Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid 
> > 139871725876992] [client 207.46.13.73:1928] AH02321: empty response from 
> > OCSP server
> > [Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid 
> > 139871725876992] [client 207.46.13.73:1928] AH01980: bad response from OCSP 
> > server: (none)
> > [Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid 
> > 139871725876992] AH01941: stapling_renew_response: responder error
> 
> This still occurs. And when it does, I need to restart apache2.

This may be one of the following upstream bugs:

  https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
  "ocsp stapling should not pass temporary server outages to clients"

  https://bz.apache.org/bugzilla/show_bug.cgi?id=61453
  "OCSP Stapling: SSLStaplingFakeTryLater responses cached too long"

  https://bz.apache.org/bugzilla/show_bug.cgi?id=61531
  "SSLStaplingReturnResponderErrors should return last cached response
  if is an error upstream"

The second one has a link to a very simple patch, in case this is
related.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Processed: Re: apache2: OCSP stapling poorly handled, yielding trylater errors in the client

2019-09-26 Thread Debian Bug Tracking System 
Processing control commands:

> found -1 2.4.38-3+deb10u1
Bug #933129 [apache2] apache2: OCSP stapling poorly handled, yielding trylater 
errors in the client
Marked as found in versions apache2/2.4.38-3+deb10u1.

-- 
933129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#933129: apache2: OCSP stapling poorly handled, yielding trylater errors in the client

2019-09-26 Thread Vincent Lefevre 
Control: found -1 2.4.38-3+deb10u1

On 2019-07-26 22:30:00 +0200, Vincent Lefevre wrote:
> I sometimes get SEC_ERROR_OCSP_TRY_SERVER_LATER errors in Firefox
> when I connect to my web server. The apache log shows errors like
> 
> [Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid 139871725876992] 
> [client 207.46.13.73:1928] AH02321: empty response from OCSP server
> [Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid 139871725876992] 
> [client 207.46.13.73:1928] AH01980: bad response from OCSP server: (none)
> [Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid 139871725876992] 
> AH01941: stapling_renew_response: responder error

This still occurs. And when it does, I need to restart apache2.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#941202: apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager

2019-09-26 Thread Daniel Cadden 
Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting
to access details of a member in a mod_proxy_balancer http balancer via the
balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid
139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in
balancer-manager cross-site access, referer:
http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer=http://192.168.13.71=193a3e00-9795-f9bb-6cc2-d7f3ac222b68
"

The net effect of this is an inability to dynamically change the status of
members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749:
https://svn.apache.org/viewvc?view=revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.25-3+deb9u8
ii  apache2-data 2.4.25-3+deb9u8
ii  apache2-utils2.4.25-3+deb9u8
ii  dpkg 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base 9.20161125
ii  mime-support 3.60
ii  perl 5.24.1-3+deb9u5
ii  procps   2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert  

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2-bin depends on:
ii  libapr1  1.5.2-5
ii  libaprutil1  1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap 1.5.4-3
ii  libc62.24-11+deb9u4
ii  libldap-2.4-22.4.44+dfsg-5+deb9u3
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libnghttp2-141.18.1-1+deb9u1
ii  libpcre3 2:8.39-3
ii  libssl1.0.2  1.0.2s-1~deb9u1
ii  libxml2  2.9.4+dfsg1-2.2+deb9u2
ii  perl 5.24.1-3+deb9u5
ii  zlib1g   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2 is related to:
ii  apache2  2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information

--