Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5

2018-06-25 Thread Stefan Fritsch
On Sunday, 24 June 2018 19:00:22 CEST Adam D. Barratt wrote:
> On Sat, 2018-06-02 at 10:29 +0200, Stefan Fritsch wrote:
> > +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
> > +
> > +  * This package upgrades mod_http2 to the version from apache2
> > 2.4.33. This
> > +fixes a lot of bugs and some security issues, but it also
> > removes the
> > +support for using HTTP/2 when running with mpm_prefork. HTTP/2
> > support
> > +is only provided when running with mpm_event or mpm_worker.
> > +
> > + -- Stefan Fritsch   Sat, 02 Jun 2018 09:51:46 +0200
> 
> Do we have any idea how common such a configuration is? (Or, indeed,
> how common the use of HTTP/2 with stretch's apache is.)

Unfortunately not. I guess there are still a fair number of mpm_prefork users 
because of mod_php. But I don't know how many enable mod_http2 (it's not 
enabled by default). But I expect that there are extremely few users who 
actually depend on HTTP/2 working. For the vast majority, it's only a 
nice-to-have feature.

Cheers,
Stefan



Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5

2018-06-24 Thread Adam D. Barratt
On Sat, 2018-06-02 at 10:29 +0200, Stefan Fritsch wrote:
> +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
> +
> +  * This package upgrades mod_http2 to the version from apache2
> 2.4.33. This
> +fixes a lot of bugs and some security issues, but it also
> removes the
> +support for using HTTP/2 when running with mpm_prefork. HTTP/2
> support
> +is only provided when running with mpm_event or mpm_worker.
> +
> + -- Stefan Fritsch   Sat, 02 Jun 2018 09:51:46 +0200

Do we have any idea how common such a configuration is? (Or, indeed,
how common the use of HTTP/2 with stretch's apache is.)

Regards,

Adam



Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5

2018-06-02 Thread Stefan Fritsch
On Sunday, 20 May 2018 18:32:55 CEST Stefan Fritsch wrote:
> As I don't see any other way to fix the open issues, I would still like to
> go ahead. But I will prepare a new package/diff with a NEWS.Debian entry
> that informs about this change.

The new debdiff is attached. The NEWS part is also below.

Cheers,
Stefan

--- apache2-2.4.25/debian/apache2.NEWS  2018-03-30 17:07:14.0 +0200
+++ apache2-2.4.25/debian/apache2.NEWS  2018-06-02 10:01:13.0 +0200
@@ -1,3 +1,12 @@
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+  * This package upgrades mod_http2 to the version from apache2 2.4.33. This
+fixes a lot of bugs and some security issues, but it also removes the
+support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
+is only provided when running with mpm_event or mpm_worker.
+
+ -- Stefan Fritsch   Sat, 02 Jun 2018 09:51:46 +0200
diff -Nru apache2-2.4.25/debian/apache2.apache-htcacheclean.init apache2-2.4.25/debian/apache2.apache-htcacheclean.init
--- apache2-2.4.25/debian/apache2.apache-htcacheclean.init	2018-03-31 10:45:18.0 +0200
+++ apache2-2.4.25/debian/apache2.apache-htcacheclean.init	2018-05-13 18:52:55.0 +0200
@@ -30,6 +30,13 @@
 HTCACHECLEAN_PATH="${HTCACHECLEAN_PATH:=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk}"
 HTCACHECLEAN_OPTIONS="${HTCACHECLEAN_OPTIONS:=-n}"
 
+# Read configuration variable file if it is present
+if [ -f /etc/default/apache-htcacheclean$DIR_SUFFIX ] ; then
+   . /etc/default/apache-htcacheclean$DIR_SUFFIX
+elif [ -f /etc/default/apache-htcacheclean ] ; then
+   . /etc/default/apache-htcacheclean
+fi
+
 PIDDIR="/var/run/apache2/$RUN_USER"
 PIDFILE="$PIDDIR/$NAME.pid"
 DAEMON_ARGS="$HTCACHECLEAN_OPTIONS \
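Review bot: the `elif` fallback in this hunk (`+elif [ -f /etc/default/apache-htcacheclean ] ; then` / `+   . /etc/default/apache-htcacheclean`) makes a suffixed instance (DIR_SUFFIX set) that has no file of its own silently source the default instance's file, so an HTCACHECLEAN_PATH or HTCACHECLEAN_OPTIONS set there for the default instance overrides the suffix-aware default computed just above (`/var/cache/apache2$DIR_SUFFIX/mod_cache_disk`) and points the second instance's htcacheclean at the first instance's cache directory. Either drop the fallback or document it in the /etc/default file. The placement itself is right: the file is sourced after the `${VAR:=...}` defaults and before PIDDIR, PIDFILE and DAEMON_ARGS, which are derived from the sourced values.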
diff -Nru apache2-2.4.25/debian/apache2.NEWS apache2-2.4.25/debian/apache2.NEWS
--- apache2-2.4.25/debian/apache2.NEWS	2018-03-30 17:07:14.0 +0200
+++ apache2-2.4.25/debian/apache2.NEWS	2018-06-02 10:01:13.0 +0200
@@ -1,3 +1,12 @@
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+  * This package upgrades mod_http2 to the version from apache2 2.4.33. This
+fixes a lot of bugs and some security issues, but it also removes the
+support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
+is only provided when running with mpm_event or mpm_worker.
+
+ -- Stefan Fritsch   Sat, 02 Jun 2018 09:51:46 +0200
+
 apache2 (2.4.10-2) unstable; urgency=low
 
   The default period for which rotated log files are kept has been
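Review bot: the NEWS entry tells mpm_prefork users that HTTP/2 support is gone but not what they will see or what to do about it. Per the thread, mod_http2 logs a message and refuses to serve HTTP/2 under mpm_prefork while HTTP/1.x keeps working, and HTTP/2 requires mpm_event or mpm_worker; suggest adding a sentence to that effect after `+is only provided when running with mpm_event or mpm_worker.` so admins know the failure is deliberate and know which MPM to switch to. The entry also only names mod_http2, while the changelog hunk says mod_proxy_http2 is upgraded as well; mention both.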
diff -Nru apache2-2.4.25/debian/changelog apache2-2.4.25/debian/changelog
--- apache2-2.4.25/debian/changelog	2018-03-31 10:47:16.0 +0200
+++ apache2-2.4.25/debian/changelog	2018-06-02 10:01:13.0 +0200
@@ -1,3 +1,20 @@
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
+fixes
+- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
+- Segfaults in mod_http2 (Closes: #873945)
+- mod_http2 issue with option "Indexes" and directive "HeaderName"
+  (Closes: #850947)
+Unfortunately, this also removes support for http2 when running on
+mpm_prefork.
+  * mod_http2: Avoid high memory usage with large files, causing crashes on
+32bit archs. Closes: #897218
+  * Make the apache-htcacheclean init script actually look into
+/etc/default/apache-htcacheclean for its config. Closes: #898563
+
+ -- Stefan Fritsch   Sat, 02 Jun 2018 10:01:13 +0200
+
 apache2 (2.4.25-3+deb9u4) stretch-security; urgency=medium
 
   * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
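Review bot: `+  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This` names mod_http, which is a different module (the core HTTP protocol module); the module actually replaced is mod_http2, as the NEWS entry and the following bullets say. Suggest `Upgrade mod_http2 and mod_proxy_http2 to the versions from 2.4.33.` The bullet also says `Unfortunately, this also removes support for http2 when running on mpm_prefork.` without stating what still works; adding "HTTP/1.x continues to work" here, matching the explanation given in the thread, would save a support round-trip.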
diff -Nru apache2-2.4.25/debian/patches/CVE-2017-7659.diff apache2-2.4.25/debian/patches/CVE-2017-7659.diff
--- apache2-2.4.25/debian/patches/CVE-2017-7659.diff	2018-03-31 10:45:18.0 +0200
+++ apache2-2.4.25/debian/patches/CVE-2017-7659.diff	1970-01-01 01:00:00.0 +0100
@@ -1,33 +0,0 @@
-#commit 672187c168b94b562d8065e08e2cad5b00cdd0e3
-#Author: Stefan Eissing 
-#Date:   Wed Feb 1 20:40:38 2017 +
-#
-#On the trunk:
-#
-#mod_http2: fix for crash when running out of memory. Initial patch by Robert Swiecki 
-#
-#
-#
-#git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781304 13f79535-47bb-0310-9956-ffa450edef68
-#
 apache2.orig/modules/http2/h2_stream.c
-+++ apache2/modules/http2/h2_stream.c
-@@ -286,11 +286,13 @@ apr_status_t h2_stream_set_request_rec(h
- return APR_ECONNRESET;
- }
- status = h2_request_rcreate(, stream->pool, r);
--ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
--  "h2_request(%d): set_request_rec %s host=%s://%s%s",
--  stream->id, req->method, req->scheme, req->authority, 
--  req->path);
--stream->rtmp = req;
-+if (status == APR_SUCCESS) {
-+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
-+  "h2_request(%d): set_request_rec %s 
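Review bot: this hunk deletes the whole CVE-2017-7659.diff backport (the mod_http2 out-of-memory crash fix from upstream trunk r1781304, whose core is the `-+if (status == APR_SUCCESS) {` guard around the request logging in h2_stream.c), yet the changelog hunk above does not mention it. Record in the changelog that the patch is dropped and why (presumably because the 2.4.33 mod_http2 code already carries this fix, which should be confirmed against the upgraded h2_stream.c), so the security tracker can follow the CVE's status, and confirm that the matching entry is also removed from debian/patches/series, which is not part of the visible debdiff.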

Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5

2018-05-20 Thread Stefan Fritsch
Hi,

On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions from
> > 2.4.25 to the versions from 2.4.33.
> > 
> > The reason is that the fix for CVE-2018-1302 [1] is difficult to
> > backport because it concerns a complex life-time issue of data
> > structures, the relevant code has changed greatly between 2.4.25 and
> > 2.4.33, and I am not familiar with the internals of mod_http2.  There
> > are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> > that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> > whole thing seems like the best solution to me. Do you agree with this
> > approach?
> 
> I have now prepared updated packages. The changelog diff is:


There is one complication: It turns out that in newer versions of apache2, 
mod_http2 no longer supports being used with mpm_prefork but only with 
mpm_worker and mpm_event. If loaded together with mpm_prefork, mod_http2 will 
log a message and refuse to serve HTTP/2, but HTTP/1.x continues to work.

As I don't see any other way to fix the open issues, I would still like to go 
ahead. But I will prepare a new package/diff with a NEWS.Debian entry that 
informs about this change.

Cheers,
Stefan
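An added example, not part of the bug report or of the Debian apache2 package: a POSIX shell check that classifies an Apache module listing (the text `apache2ctl -M` prints) to tell whether a host is in the configuration the message above describes, mpm_prefork with http2_module loaded, and would therefore lose HTTP/2 after the update while continuing to serve HTTP/1.x. The sample listings are constructed; the function names (`loaded_mpm`, `http2_status`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian apache2 package.
# Classifies an Apache module listing to tell whether a host is in the
# configuration the thread describes: mpm_prefork plus http2_module loaded,
# which loses HTTP/2 (HTTP/1.x keeps working) after the mod_http2 upgrade.
# Input is the text "apache2ctl -M" prints: a "Loaded Modules:" header and
# one " name_module (static|shared)" line per module. The samples below
# are constructed, not captured from a real host.

# Print the MPM name (prefork, worker or event) from a module listing on stdin.
loaded_mpm() {
    sed -n 's/^ *mpm_\([a-z]*\)_module .*/\1/p' | head -n 1
}

# Print "affected" (prefork + http2 loaded), "ok" (http2 on event/worker)
# or "no-http2" (mod_http2 not loaded at all) for a listing on stdin.
http2_status() {
    list=$(cat)
    mpm=$(printf '%s\n' "$list" | loaded_mpm)
    if ! printf '%s\n' "$list" | grep -q '^ *http2_module '; then
        echo no-http2
    elif [ "$mpm" = prefork ]; then
        echo affected
    else
        echo ok
    fi
}

# Constructed sample listings.
SAMPLE_PREFORK='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 http2_module (shared)
 php7_module (shared)'

SAMPLE_EVENT='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

SAMPLE_NO_H2='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)'

# On a real stretch host run:  apache2ctl -M 2>/dev/null | http2_status
printf 'prefork+http2: %s\n' "$(printf '%s\n' "$SAMPLE_PREFORK" | http2_status)"   # affected
printf 'event+http2:   %s\n' "$(printf '%s\n' "$SAMPLE_EVENT" | http2_status)"     # ok
printf 'prefork only:  %s\n' "$(printf '%s\n' "$SAMPLE_NO_H2" | http2_status)"     # no-http2
```

On Debian the active MPM can also be read with `a2query -M`; the module-list form above is used because it answers both questions (which MPM, and whether mod_http2 is enabled at all) from a single command that works on any Apache 2.4 build.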



Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5

2018-05-13 Thread Stefan Fritsch
Hi,

On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> I would like to do an upgrade of apache2 in stretch that upgrades the
> complete mod_http2 and mod_proxy_http2 modules from the versions from
> 2.4.25 to the versions from 2.4.33.
> 
> The reason is that the fix for CVE-2018-1302 [1] is difficult to
> backport because it concerns a complex life-time issue of data
> structures, the relevant code has changed greatly between 2.4.25 and
> 2.4.33, and I am not familiar with the internals of mod_http2.  There
> are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> whole thing seems like the best solution to me. Do you agree with this
> approach?

I have now prepared updated packages. The changelog diff is:

apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
fixes
- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
- Segfaults in mod_http2 (Closes: #873945)
- mod_http2 issue with option "Indexes" and directive "HeaderName"
  (Closes: #850947)
  * mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
/etc/default/apache-htcacheclean for its config. Closes: #898563

 -- Stefan Fritsch   Sun, 13 May 2018 17:43:20 +0200

A partial debdiff without the mod_http2-upgrade-to-2.4.33.diff file is 
attached. The full debdiff is available at [1] (probably too large for mailing 
lists). The diffstat of the mod_http2-upgrade-to-2.4.33.diff file is included 
below [2].

Cheers,
Stefan

[1] https://www.sfritsch.de/~stf/apache2_2.4.25-3+deb9u5~test1/apache2_2.4.25-3+deb9u5.debdiff

[2]
 configure|2 
 modules/http2/NWGNUmod_http2 |2 
 modules/http2/config2.m4 |   23 
 modules/http2/h2.h   |   46 -
 modules/http2/h2_alt_svc.c   |   13 
 modules/http2/h2_alt_svc.h   |   13 
 modules/http2/h2_bucket_beam.c   |  892 --
 modules/http2/h2_bucket_beam.h   |  147 ++-
 modules/http2/h2_bucket_eoc.c|  110 --
 modules/http2/h2_bucket_eoc.h|   32 
 modules/http2/h2_bucket_eos.c|   18 
 modules/http2/h2_bucket_eos.h|   13 
 modules/http2/h2_config.c|   38 
 modules/http2/h2_config.h|   15 
 modules/http2/h2_conn.c  |  156 ++-
 modules/http2/h2_conn.h  |   16 
 modules/http2/h2_conn_io.c   |  138 +--
 modules/http2/h2_conn_io.h   |   27 
 modules/http2/h2_ctx.c   |   15 
 modules/http2/h2_ctx.h   |   13 
 modules/http2/h2_filter.c|  165 ++--
 modules/http2/h2_filter.h|   26 
 modules/http2/h2_from_h1.c   |   54 -
 modules/http2/h2_from_h1.h   |   13 
 modules/http2/h2_h2.c|   25 
 modules/http2/h2_h2.h|   13 
 modules/http2/h2_headers.c   |   31 
 modules/http2/h2_headers.h   |   19 
 modules/http2/h2_mplx.c  | 1551 +--
 modules/http2/h2_mplx.h  |   84 --
 modules/http2/h2_ngn_shed.c  |   30 
 modules/http2/h2_ngn_shed.h  |   13 
 modules/http2/h2_private.h   |   13 
 modules/http2/h2_proxy_session.c |   94 +-
 modules/http2/h2_proxy_session.h |   23 
 modules/http2/h2_proxy_util.c|  296 +++
 modules/http2/h2_proxy_util.h|   64 +
 modules/http2/h2_push.c  |   20 
 modules/http2/h2_push.h  |   14 
 modules/http2/h2_request.c   |   34 
 modules/http2/h2_request.h   |   13 
 modules/http2/h2_session.c   | 1432 +---
 modules/http2/h2_session.h   |   76 -
 modules/http2/h2_stream.c| 1208 ++
 modules/http2/h2_stream.h|  179 ++--
 modules/http2/h2_switch.c|   29 
 modules/http2/h2_switch.h|   13 
 modules/http2/h2_task.c  |  250 +++---
 modules/http2/h2_task.h  |   26 
 modules/http2/h2_util.c  | 1017 -
 modules/http2/h2_util.h  |  188 
 modules/http2/h2_version.h   |   33 
 modules/http2/h2_worker.c|  103 --
 modules/http2/h2_worker.h|  135 ---
 modules/http2/h2_workers.c   |  587 ++
 modules/http2/h2_workers.h   |   82 --
 modules/http2/mod_http2.c|   37 
 modules/http2/mod_http2.dep  |  118 --
 modules/http2/mod_http2.dsp  |8 
 modules/http2/mod_http2.h|   13 
 modules/http2/mod_http2.mak  |   18 
 modules/http2/mod_proxy_http2.c  |  208 ++---
 modules/http2/mod_proxy_http2.h  |   13 
 63 files changed, 5534 insertions(+), 4563 deletions(-)


diff -Nru apache2-2.4.25/debian/apache2.apache-htcacheclean.init apache2-2.4.25/debian/apache2.apache-htcacheclean.init
--- apache2-2.4.25/debian/apache2.apache-htcacheclean.init	2018-03-31 10:45:18.0 +0200
+++