Bug#847124: apache2: CVE-2016-8740: Server memory can be exhausted and service denied when HTTP/2 is used
Source: apache2
Version: 2.4.23-8
Severity: important
Tags: security upstream patch

Hi

CVE-2016-8740 was announced for apache, CVE-2016-8740, Server memory can
be exhausted and service denied when HTTP/2 is used.

Post to oss-security at: http://www.openwall.com/lists/oss-security/2016/12/05/14
Patch: https://svn.apache.org/r1772576

Regards,
Salvatore
Bug#868467: apache2: CVE-2017-9788
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for apache2.

CVE-2017-9788[0]:
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value
| placeholder in [Proxy-]Authorization headers of type 'Digest' was not
| initialized or reset before or between successive key=value
| assignments by mod_auth_digest. Providing an initial key with no '='
| assignment could reflect the stale value of uninitialized pool memory
| used by the prior request, leading to leakage of potentially
| confidential information, and a segfault in other cases resulting in
| denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788

Regards,
Salvatore
Bug#876109: apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for apache2.

CVE-2017-9798[0]:
HTTP OPTIONS method can leak Apache's server memory

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
[1] https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Regards,
Salvatore
Bug#876109: apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
Control: severity -1 serious

Rationale: Raising the severity to RC / serious, due to fix being
available in stable but not yet in unstable.

Regards,
Salvatore
Bug#904106: apache2: CVE-2018-1333: DoS for HTTP/2 connections by crafted requests
Source: apache2
Version: 2.4.18-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-1333[0]:
| By specially crafting HTTP/2 requests, workers would be allocated 60
| seconds longer than necessary, leading to worker exhaustion and a
| denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected
| 2.4.18-2.4.30,2.4.33).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1333
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333
[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333

Regards,
Salvatore
Bug#904107: apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests
Source: apache2
Version: 2.4.33-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-8011[0]:
| By specially crafting HTTP requests, the mod_md challenge handler
| would dereference a NULL pointer and cause the child process to
| segfault. This could be used to DoS the server. Fixed in Apache HTTP
| Server 2.4.34 (Affected 2.4.33).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011
[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#909591: apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
Source: apache2
Version: 2.4.25-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-11763[0]:
mod_http2, DoS via continuous SETTINGS frames

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
[1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Source: apache2
Version: 2.4.37-1
Severity: grave
Tags: patch security upstream

Hi (Stefan),

I agree the severity is not the best chosen one for this issue, it is
more to ensure we could release buster with an appropriate fix already
before the release. If you disagree, please do downgrade.

The following vulnerability was published for apache2.

CVE-2019-0190[0]:
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
[1] https://marc.info/?l=oss-security=154817901921421=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Control: tags -1 + fixed-upstream
Control: tags -1 - patch

Hi Xavier,

On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
>
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to patch ?

Well you are right, not a patch per se, maybe fixed-upstream and
"there is a patch" would have been better. Let me fix that.

If feasible possibly updating to the new upstream version fixing this
CVE (and two other) would be better if still feasible so short before
the soft freeze.

Regards,
Salvatore
Bug#920303: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to patch ?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two other) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at last release changelog, bug seems not fixed
> >
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> >
> > HTH,
> >
> > Regards,
> > Salvatore
>
> I see that but the provided link [1] doesn't mention it, neither apache2
> changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are mentioned
already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore
Bug#920302: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17189[0]:
mod_http2, DoS via slow, unneeded request bodies

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17189
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189
[1] https://www.openwall.com/lists/oss-security/2019/01/22/2

Regards,
Salvatore
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Hi Xavier,

On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> >
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >> Hello,
> >>
> >> Debian bug is tagged as "patch", but I didn't find any patch in the
> >> related documents. Can you give me the link to patch ?
> >
> > Well you are right, not a patch per se, maybe fixed-upstream and
> > "there is a patch" would have been better. Let me fix that.
> >
> > If feasible possibly updating to the new upstream version fixing this
> > CVE (and two other) would be better if still feasible so short before
> > the soft freeze.
> >
> > Regards,
> > Salvatore
>
> Hello,
>
> looking at last release changelog, bug seems not fixed

Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
is fixed in 2.4.38 upstream.

HTH,

Regards,
Salvatore
Bug#925472: apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed
Source: apache2
Version: 2.4.25-3+deb9u6
Severity: normal
Tags: upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
Control: found -1 2.4.25-3

Hi

When using a setup for mod_authnz_ldap with the AuthLDAPBindPassword
directive, specifically the exec: variant as documented in [1], the
respective child process is not destroyed correctly.

To reproduce the issue within a .htaccess file (we managed to reproduce
in .htaccess context but not in a directory context)

> AuthType Basic
> AuthName "Restricted access"
> AuthBasicProvider ldap
>
> AuthLDAPURL $url
> AuthLDAPBindDN $binddn
> AuthLDAPBindPassword "exec:/bin/cat /path/to/ldap/passwd"
>
> Require valid-user

is enough, resulting in defunct processes

[...]
S www-data 145731  82080 0 80 0 13016 223273 - 13:50 ? 00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731 0 80 0     0      0 - 14:21 ? 00:00:00  |   \_ [cat]
S www-data 145732  82080 0 80 0 13980 223674 - 13:50 ? 00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732 0 80 0     0      0 - 14:22 ? 00:00:00      \_ [cat]
[...]

The issue has been submitted upstream already in [2] with a tentative
patch, but it looks like the issue has not yet been addressed upstream.

Regards,
Salvatore

[1] http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#AuthLDAPBindPassword
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
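The symptom in the report above is worker processes accumulating defunct `[cat]` children. A small detector that walks a `ps` forest listing and reports zombies whose parent is an httpd worker is a practical way to watch for this on a fleet. The script below is an added example, not part of the bug report or of the apache2 package; the sample listing is constructed from the lines quoted above (with one extra master-process line so every worker has a parent) and assumes the column layout `STAT USER PID PPID C PRI NI VSZ RSS WCHAN STIME TTY TIME CMD`, as produced by `ps -eo stat,user,pid,ppid,c,pri,ni,vsz,rss,wchan,stime,tty,time,cmd --forest`.

```python
from collections import namedtuple

# Constructed sample, modelled on the ps output quoted in the report above.
# Columns: STAT USER PID PPID C PRI NI VSZ RSS WCHAN STIME TTY TIME CMD
SAMPLE_PS = """\
S root      82080      1 0 80 0 13000 222000 - 13:49 ? 00:00:01 /usr/sbin/apache2 -k start
S www-data 145731  82080 0 80 0 13016 223273 - 13:50 ? 00:00:00 \\_ /usr/sbin/apache2 -k start
Z www-data 151575 145731 0 80 0     0      0 - 14:21 ? 00:00:00 | \\_ [cat]
S www-data 145732  82080 0 80 0 13980 223674 - 13:50 ? 00:00:00 \\_ /usr/sbin/apache2 -k start
Z www-data 151686 145732 0 80 0     0      0 - 14:22 ? 00:00:00 \\_ [cat]
"""

Proc = namedtuple("Proc", "stat user pid ppid cmd")
FIXED_FIELDS = 13  # stat user pid ppid c pri ni vsz rss wchan stime tty time


def parse_ps_line(line):
    """Parse one forest-mode line; returns None for header or malformed lines."""
    fields = line.split()
    if len(fields) <= FIXED_FIELDS or not fields[2].isdigit():
        return None
    # Drop the tree-drawing tokens ("\_", "|") that ps prepends in forest mode.
    cmd_tokens = [t for t in fields[FIXED_FIELDS:] if t not in ("\\_", "|")]
    return Proc(fields[0], fields[1], int(fields[2]), int(fields[3]), " ".join(cmd_tokens))


def find_unreaped_children(ps_text, parent_cmd="apache2"):
    """Return (zombie_pid, parent_pid, zombie_cmd) for defunct children of httpd processes."""
    procs = [p for p in (parse_ps_line(l) for l in ps_text.splitlines()) if p]
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 'Z' in the STAT column is a zombie: exited but not yet reaped by its parent.
        if p.stat.startswith("Z") and parent and parent_cmd in parent.cmd:
            hits.append((p.pid, p.ppid, p.cmd))
    return hits


def workers_with_zombies(ps_text):
    """Map each affected worker PID to the number of unreaped children it holds."""
    counts = {}
    for _, ppid, _ in find_unreaped_children(ps_text):
        counts[ppid] = counts.get(ppid, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, ppid, cmd in find_unreaped_children(SAMPLE_PS):
        print(f"unreaped child pid={pid} parent={ppid} cmd={cmd}")
    print("per-worker counts:", workers_with_zombies(SAMPLE_PS))
```

Feeding real output in requires only replacing `SAMPLE_PS` with the captured text; a non-empty result from `workers_with_zombies` on a host running the `exec:` bind-password variant is the signal this report describes, and a count that grows over time indicates the leak is ongoing rather than a one-off.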
Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Source: apache2
Version: 2.4.47-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for apache2.

CVE-2021-31618[0]:
| httpd: NULL pointer dereference on specially crafted HTTP/2 request

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31618
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
[1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
[2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Bug#992789: apr: CVE-2021-35940
Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for apr.

CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1

Regards,
Salvatore
Bug#992789: apr: CVE-2021-35940
Control: tags -1 + patch

On Mon, Aug 23, 2021 at 03:44:05PM +0200, Salvatore Bonaccorso wrote:
> Source: apr
> Version: 1.7.0-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerability was published for apr.
>
> CVE-2021-35940[0]:
> | An out-of-bounds array read in the apr_time_exp*() functions was fixed
> | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> | for this issue was not carried forward to the APR 1.7.x branch, and
> | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
> | the same issue.

proposed change in https://salsa.debian.org/apache-team/apr/-/merge_requests/8

Regards,
Salvatore
Bug#1033408: apache2: Segmentation fault + 503 on frontpage on 2.4.56-1
Hi,

On Fri, Mar 24, 2023 at 05:17:34PM +0100, Fabien LE BERRE wrote:
> Yes it does look like the bug. The Backtrace looks a lot like the coredump
> I've seen.
> Thanks for the heads up. Looking forward for the patch to be applied
> officially.

Would you be able to have additionally test the patch on your case to
confirm? That would be great and helpful for releasing the regression
update.

Regards,
Salvatore
Bug#1032476: apache2: CVE-2023-25690 CVE-2023-27522
Source: apache2
Version: 2.4.55-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for apache2.

CVE-2023-25690[0]:
| Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
| through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
| are affected when mod_proxy is enabled along with some form of
| RewriteRule or ProxyPassMatch in which a non-specific pattern matches
| some portion of the user-supplied request-target (URL) data and is
| then re-inserted into the proxied request-target using variable
| substitution. For example, something like: RewriteEngine on
| RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
| ProxyPassReverse /here/ http://example.com:8080/ Request
| splitting/smuggling could result in bypass of access controls in the
| proxy server, proxying unintended URLs to existing origin servers, and
| cache poisoning. Users are recommended to update to at least version
| 2.4.56 of Apache HTTP Server.

CVE-2023-27522[1]:
| HTTP Response Smuggling vulnerability in Apache HTTP Server via
| mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30
| through 2.4.55. Special characters in the origin response header can
| truncate/split the response forwarded to the client.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25690
    https://www.cve.org/CVERecord?id=CVE-2023-25690
[1] https://security-tracker.debian.org/tracker/CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-27522

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
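The CVE-2023-25690 text above describes the configuration shape that matters: mod_proxy in use, plus a `RewriteRule` with the `[P]` flag or a `ProxyPassMatch` whose pattern captures an open-ended slice of the request-target and re-inserts it into the proxied target via `$N` substitution. Before an upgrade to 2.4.56 lands, an administrator wants to know which vhosts carry that shape. The linter below is an added example, not part of the bug report or of the apache2 package; the sample configuration is constructed from the rule quoted in the advisory (the second `RewriteRule` and the `ProxyPassMatch` are invented for contrast), and the "non-specific pattern" test is a heuristic that only looks for a capture group containing `.*` or `.+`, so it will not catch every unbounded group.

```python
import re
import shlex

# Constructed sample vhost fragment modelled on the rule quoted in the advisory above.
# Hostnames and paths are illustrative only.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/static/([a-z0-9]+)\\.css$" "/assets/$1.css" [L]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
"""

BACKREF = re.compile(r"\$[1-9]")
# Heuristic: a capture group whose body holds an unbounded wildcard, e.g. (.*) or (.+).
WILDCARD_GROUP = re.compile(r"\([^)]*\.[*+][^)]*\)")


def _proxy_flag_present(flags_token):
    """True if a RewriteRule flag list such as [P,L] or [proxy] contains the proxy flag."""
    if not (flags_token.startswith("[") and flags_token.endswith("]")):
        return False
    names = [f.split("=", 1)[0].strip().lower() for f in flags_token[1:-1].split(",")]
    return "p" in names or "proxy" in names


def find_risky_proxy_rewrites(config_text):
    """Return (line_number, directive, reason) for directives matching the advisory's shape."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the double-quoting httpd.conf uses
        except ValueError:
            continue  # unbalanced quotes: not a directive we can reason about
        if len(tokens) < 3:
            continue
        directive = tokens[0].lower()
        if directive == "rewriterule":
            pattern, substitution = tokens[1], tokens[2]
            flags = tokens[3] if len(tokens) > 3 else ""
            if not _proxy_flag_present(flags):
                continue  # only proxied rewrites re-insert data into a proxied target
        elif directive == "proxypassmatch":
            pattern, substitution = tokens[1], tokens[2]
        else:
            continue
        if BACKREF.search(substitution) and WILDCARD_GROUP.search(pattern):
            findings.append((lineno, tokens[0],
                             "open-ended capture from the request-target is re-inserted "
                             "into the proxied target via $N substitution"))
    return findings


def httpd_version_affected(version):
    """Affected range stated in the advisory: 2.4.0 through 2.4.55 inclusive.

    A Debian revision suffix such as '2.4.55-1' is ignored for the comparison.
    """
    upstream = version.split("-", 1)[0]
    parts = tuple(int(p) for p in upstream.split("."))
    return (2, 4, 0) <= parts <= (2, 4, 55)


if __name__ == "__main__":
    for lineno, directive, reason in find_risky_proxy_rewrites(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}: {reason}")
    print("2.4.55-1 affected:", httpd_version_affected("2.4.55-1"))
```

Run against a real tree by reading each file under the configuration directory into `find_risky_proxy_rewrites`; a hit on a host where `httpd_version_affected` is true is the combination the advisory warns about, and the remediation it gives is the upgrade to 2.4.56 or later.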
[ftpmas...@ftp-master.debian.org: Accepted apache2 2.4.59-1 (source) into unstable]
Source: apache2
Source-Version: 2.4.59-1

----- Forwarded message from Debian FTP Masters -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Apr 2024 08:08:11 +0400
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.59-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Yadd
Closes: 1032628 1054564
Changes:
 apache2 (2.4.59-1) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove old transitional packages libapache2-mod-md and
     libapache2-mod-proxy-uwsgi. Closes: #1032628
 .
   [ Yadd ]
   * mod_proxy_connect: disable AllowCONNECT by default (Closes: #1054564)
   * Refresh patches
   * New upstream version 2.4.59
   * Refresh patches
   * Update patches
   * Update test framework
Checksums-Sha1:
 f1cf18103ca23c57beaa2985bbbe4eee1e8dff87 3334 apache2_2.4.59-1.dsc
 7a118baaed0f2131e482f93f5057038ca6c021be 9843252 apache2_2.4.59.orig.tar.gz
 837cdf46898d962c4c05642745566249fc91e52b 833 apache2_2.4.59.orig.tar.gz.asc
 3e1cad5ee1fc66d350465c1e81d7e0f88221bc01 820300 apache2_2.4.59-1.debian.tar.xz
Checksums-Sha256:
 25e6990e65cb685f3172143648806ab0fd263a18cd412155f0d14d7ef9987428 3334 apache2_2.4.59-1.dsc
 e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f 9843252 apache2_2.4.59.orig.tar.gz
 0ad3f670b944ebf08c81544bc82fae9496e88d96840cd0612d8cdeaa073eb06d 833 apache2_2.4.59.orig.tar.gz.asc
 1e869a5024215a2a9b69603daf1395840774640f7b2701ca4b7971452a0641d1 820300 apache2_2.4.59-1.debian.tar.xz
Files:
 3f3ee286b583f22ec5cb3efc1f0a5016 3334 httpd optional apache2_2.4.59-1.dsc
 c39d28e0777bc95631cb49958fdb6601 9843252 httpd optional apache2_2.4.59.orig.tar.gz
 3c342b3dcc0fe227a1fffdf9997987d0 833 httpd optional apache2_2.4.59.orig.tar.gz.asc
 4da024370ede9c5a75a0df725be0cdc5 820300 httpd optional apache2_2.4.59-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmYPec8ACgkQ9tdMp8mZ
7umCiw//TB1rIA1czwHsUrdeOIT3HG9qERzBJsmsP8nyg+cIrytiGfhlt2eOmLYO
X+Wo19J98VuCmTbJClb6opAfSpvJG2AmNUl/PYAqOBzvDgR+QlEMmVXVgxUp9+Tv
0e0P2H+8U0pO3dE51VIXqYtCLTLQnLaci763ewB0oRlSWuzoVNDDahUS3iJ5e58o
btwUQQwq+2F+RBclRhuXca3dOI93UBZDsv56mxR+p2o0vpo+pQRZjHDv8tzT3bOq
/PyWusXKPDf9MXYZqwY2TgYx8v/YdDVYqzgr6Tj/VXgXEKC22pudzSv9/J5iGfHh
VHmf02Gh+0wNWmxajqK2KlxjMON/Qn6kyoAok9w5vv4HtOXBZimzdq0kDsc8EjJl
QuaBcwIAy+0EATBhjaVY7sHtM9SydJNr1f4DBBD9kEB2DKEE9n7/iFxcFfSMd52Y
xwJ4fPk1fe1ki7k/qn0VULpzf1iM3JDQE19uXyE29cSW4eJhiWvH1v+NZzzxNo+t
NtDhSIEEnUkGZSsYyg2qg5NH3e3PJMadc1nTRY6hVNzGpJlsUrCKnMOZbJsBQM6S
cNCY48ux8ziQmJNowvBVbXf6/+SH9h2+CYFRw9GZagaNe1yfErNglbn78KZqJUHw
YcXIFc96qeznRJ9zRhPdHGGeqa+nETH1lWBp6eitihkKhDjCF48=
=dQDE
-----END PGP SIGNATURE-----

----- End forwarded message -----