Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
On Sunday, 24 June 2018 19:00:22 CEST Adam D. Barratt wrote:
> On Sat, 2018-06-02 at 10:29 +0200, Stefan Fritsch wrote:
> > +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
> > +
> > +  * This package upgrades mod_http2 to the version from apache2 2.4.33. This
> > +    fixes a lot of bugs and some security issues, but it also removes the
> > +    support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
> > +    is only provided when running with mpm_event or mpm_worker.
> > +
> > + -- Stefan Fritsch  Sat, 02 Jun 2018 09:51:46 +0200
>
> Do we have any idea how common such a configuration is? (Or, indeed,
> how common the use of HTTP/2 with stretch's apache is.)

Unfortunately not. I guess there are still a fair number of mpm_prefork
users because of mod_php. But I don't know how many enable mod_http2 (it's
not enabled by default). But I expect that there are extremely few users
who actually depend on HTTP/2 working. For the vast majority, it's only a
nice to have feature.

Cheers,
Stefan
Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
On Sat, 2018-06-02 at 10:29 +0200, Stefan Fritsch wrote:
> +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
> +
> +  * This package upgrades mod_http2 to the version from apache2 2.4.33. This
> +    fixes a lot of bugs and some security issues, but it also removes the
> +    support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
> +    is only provided when running with mpm_event or mpm_worker.
> +
> + -- Stefan Fritsch  Sat, 02 Jun 2018 09:51:46 +0200

Do we have any idea how common such a configuration is? (Or, indeed, how
common the use of HTTP/2 with stretch's apache is.)

Regards,

Adam
Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
On Sunday, 20 May 2018 18:32:55 CEST Stefan Fritsch wrote:
> As I don't see any other way to fix the open issues, I would still like to
> go ahead. But I will prepare a new package/diff with a NEWS.Debian entry
> that informs about this change.

The new debdiff is attached. The NEWS part is also below.

Cheers,
Stefan

--- apache2-2.4.25/debian/apache2.NEWS 2018-03-30 17:07:14.0 +0200 +++ apache2-2.4.25/debian/apache2.NEWS 2018-06-02 10:01:13.0 +0200 @@ -1,3 +1,12 @@ +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium + + * This package upgrades mod_http2 to the version from apache2 2.4.33. This +fixes a lot of bugs and some security issues, but it also removes the +support for using HTTP/2 when running with mpm_prefork. HTTP/2 support +is only provided when running with mpm_event or mpm_worker. + + -- Stefan Fritsch Sat, 02 Jun 2018 09:51:46 +0200 diff -Nru apache2-2.4.25/debian/apache2.apache-htcacheclean.init apache2-2.4.25/debian/apache2.apache-htcacheclean.init --- apache2-2.4.25/debian/apache2.apache-htcacheclean.init 2018-03-31 10:45:18.0 +0200 +++ apache2-2.4.25/debian/apache2.apache-htcacheclean.init 2018-05-13 18:52:55.0 +0200 @@ -30,6 +30,13 @@ HTCACHECLEAN_PATH="${HTCACHECLEAN_PATH:=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk}" HTCACHECLEAN_OPTIONS="${HTCACHECLEAN_OPTIONS:=-n}" +# Read configuration variable file if it is present +if [ -f /etc/default/apache-htcacheclean$DIR_SUFFIX ] ; then + . /etc/default/apache-htcacheclean$DIR_SUFFIX +elif [ -f /etc/default/apache-htcacheclean ] ; then + . /etc/default/apache-htcacheclean +fi + PIDDIR="/var/run/apache2/$RUN_USER" PIDFILE="$PIDDIR/$NAME.pid" DAEMON_ARGS="$HTCACHECLEAN_OPTIONS \ diff -Nru apache2-2.4.25/debian/apache2.NEWS apache2-2.4.25/debian/apache2.NEWS --- apache2-2.4.25/debian/apache2.NEWS 2018-03-30 17:07:14.0 +0200 +++ apache2-2.4.25/debian/apache2.NEWS 2018-06-02 10:01:13.0 +0200 
@@ -1,3 +1,12 @@ +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium + + * This package upgrades mod_http2 to the version from apache2 2.4.33. This +fixes a lot of bugs and some security issues, but it also removes the +support for using HTTP/2 when running with mpm_prefork. HTTP/2 support +is only provided when running with mpm_event or mpm_worker. + + -- Stefan Fritsch Sat, 02 Jun 2018 09:51:46 +0200 + apache2 (2.4.10-2) unstable; urgency=low The default period for which rotated log files are kept has been diff -Nru apache2-2.4.25/debian/changelog apache2-2.4.25/debian/changelog --- apache2-2.4.25/debian/changelog 2018-03-31 10:47:16.0 +0200 +++ apache2-2.4.25/debian/changelog 2018-06-02 10:01:13.0 +0200 @@ -1,3 +1,20 @@ +apache2 (2.4.25-3+deb9u5) stretch; urgency=medium + + * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This +fixes +- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2 +- Segfaults in mod_http2 (Closes: #873945) +- mod_http2 issue with option "Indexes" and directive "HeaderName" + (Closes: #850947) +Unfortunately, this also removes support for http2 when running on +mpm_prefork. + * mod_http2: Avoid high memory usage with large files, causing crashes on +32bit archs. Closes: #897218 + * Make the apache-htcacheclean init script actually look into +/etc/default/apache-htcacheclean for its config. Closes: #898563 + + -- Stefan Fritsch Sat, 02 Jun 2018 10:01:13 +0200 + apache2 (2.4.25-3+deb9u4) stretch-security; urgency=medium * CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap diff -Nru apache2-2.4.25/debian/patches/CVE-2017-7659.diff apache2-2.4.25/debian/patches/CVE-2017-7659.diff --- apache2-2.4.25/debian/patches/CVE-2017-7659.diff 2018-03-31 10:45:18.0 +0200 +++ apache2-2.4.25/debian/patches/CVE-2017-7659.diff 1970-01-01 01:00:00.0 +0100 
@@ -1,33 +0,0 @@ -#commit 672187c168b94b562d8065e08e2cad5b00cdd0e3 -#Author: Stefan Eissing -#Date: Wed Feb 1 20:40:38 2017 + -# -#On the trunk: -# -#mod_http2: fix for crash when running out of memory. Initial patch by Robert Swiecki -# -# -# -#git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781304 13f79535-47bb-0310-9956-ffa450edef68 -# apache2.orig/modules/http2/h2_stream.c -+++ apache2/modules/http2/h2_stream.c -@@ -286,11 +286,13 @@ apr_status_t h2_stream_set_request_rec(h - return APR_ECONNRESET; - } - status = h2_request_rcreate(, stream->pool, r); --ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058) -- "h2_request(%d): set_request_rec %s host=%s://%s%s", -- stream->id, req->method, req->scheme, req->authority, -- req->path); --stream->rtmp = req; -+if (status == APR_SUCCESS) { -+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058) -+ "h2_request(%d): set_request_rec %s
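Review bot: in the apache2.apache-htcacheclean.init hunk (@@ -30,6 +30,13 @@), the `if ... elif ...` chain means an instance with its own /etc/default/apache-htcacheclean$DIR_SUFFIX never reads the generic /etc/default/apache-htcacheclean, so settings common to all instances have to be repeated per instance; if that precedence is intended, the comment `# Read configuration variable file if it is present` should say so. Sourcing the file after the `${HTCACHECLEAN_PATH:=...}` and `${HTCACHECLEAN_OPTIONS:=-n}` assignments is correct, since `:=` only fills in a default and the sourced values then override it, which is what #898563 asks for.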
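Review bot: in the debian/changelog hunk, `* Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33.` should read `mod_http2`, and the entry does not say that debian/patches/CVE-2017-7659.diff is dropped even though the debdiff deletes it (its `+++` timestamp is 1970-01-01); add a line naming the patches removed because the 2.4.33 mod_http2 already contains them, so the CVE tracking for stretch stays traceable from the changelog alone.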
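Review bot: the deletion hunk for debian/patches/CVE-2017-7659.diff (@@ -1,33 +0,0 @@) is only safe if the imported 2.4.33 h2_stream.c carries the same fix, i.e. the `if (status == APR_SUCCESS)` guard around the APLOGNO(03058) log call and the `stream->rtmp = req` assignment in h2_stream_set_request_rec(); the patch header cites upstream trunk@1781304, so a one-line note in the changelog that this revision is included in 2.4.33 would document why the patch can go.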
Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
Hi,

On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions from
> > 2.4.25 to the versions from 2.4.33.
> >
> > The reason is that the fix for CVE-2018-1302 [1] is difficult to
> > backport because it concerns a complex life-time issue of data
> > structures, the relevant code has changed greatly between 2.4.25 and
> > 2.4.33, and I am not familiar with the internals of mod_http2. There
> > are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> > that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> > whole thing seems like the best solution to me. Do you agree with this
> > approach?
>
> I have now prepared updated packages. The changelog diff is:

There is one complication: It turns out that in newer versions of apache2,
mod_http2 no longer supports being used with mpm_prefork but only with
mpm_worker and mpm_event. If loaded together with mpm_prefork, mod_http2
will log a message and refuse to serve HTTP/2, but HTTP/1.x continues to
work.

As I don't see any other way to fix the open issues, I would still like to
go ahead. But I will prepare a new package/diff with a NEWS.Debian entry
that informs about this change.

Cheers,
Stefan
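The silent fallback described in this message (mod_http2 loaded under mpm_prefork refuses HTTP/2 and the server keeps answering HTTP/1.x) is easy to miss after an upgrade, since the site stays up. The following POSIX shell check is an added example and is not part of the bug report or of the Debian apache2 packaging: it classifies the module list that `apache2ctl -M` prints and says whether HTTP/2 can actually be served. The two module listings embedded in it are constructed samples, and the `--live` mode and the file name h2check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian package: classify
# an `apache2ctl -M` module listing to detect the case where mod_http2 is
# loaded together with mpm_prefork and therefore only HTTP/1.x is served.

# Constructed sample in the layout of `apache2ctl -M`: prefork + mod_php + http2,
# the combination the thread expects among mod_php users.
SAMPLE_PREFORK='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 http2_module (shared)'

# Constructed sample: mpm_event with http2, a supported combination.
SAMPLE_EVENT='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

# h2_status MODULE_LIST
# Prints exactly one of:
#   h2-ok          http2_module with mpm_event or mpm_worker: HTTP/2 is served
#   h2-prefork     http2_module with mpm_prefork: HTTP/2 refused, HTTP/1.x only
#   h2-not-loaded  http2_module is not loaded at all
#   no-mpm         no mpm_*_module in the input (not an apache2ctl -M listing?)
#   unknown-mpm:X  an MPM this script does not know; reported rather than guessed
h2_status() {
    list=$1
    # Extract "prefork", "event" or "worker" from the mpm_<name>_module line.
    mpm=$(printf '%s\n' "$list" | sed -n 's/^ *mpm_\([a-z]*\)_module .*/\1/p' | head -n 1)
    if printf '%s\n' "$list" | grep -q '^ *http2_module '; then
        have_h2=yes
    else
        have_h2=no
    fi
    if [ -z "$mpm" ]; then
        echo no-mpm
    elif [ "$have_h2" = no ]; then
        echo h2-not-loaded
    elif [ "$mpm" = prefork ]; then
        echo h2-prefork
    elif [ "$mpm" = event ] || [ "$mpm" = worker ]; then
        echo h2-ok
    else
        echo "unknown-mpm:$mpm"
    fi
}

# Live use on a host (assumed invocation): `sh h2check.sh --live` runs the
# classification against the real module list and exits non-zero when
# http2_module is loaded but cannot serve HTTP/2.
if [ "${1:-}" = "--live" ]; then
    status=$(h2_status "$(apache2ctl -M 2>/dev/null)")
    echo "$status"
    [ "$status" = h2-ok ] || [ "$status" = h2-not-loaded ]
fi
```

The `h2-prefork` result is the one to alert on: the server is healthy, but every client that negotiated HTTP/2 before the upgrade is now on HTTP/1.x, and only the log message mod_http2 emits at startup says why.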
Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
Hi,

On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> I would like to do an upgrade of apache2 in stretch that upgrades the
> complete mod_http2 and mod_proxy_http2 modules from the versions from
> 2.4.25 to the versions from 2.4.33.
>
> The reason is that the fix for CVE-2018-1302 [1] is difficult to
> backport because it concerns a complex life-time issue of data
> structures, the relevant code has changed greatly between 2.4.25 and
> 2.4.33, and I am not familiar with the internals of mod_http2. There
> are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> whole thing seems like the best solution to me. Do you agree with this
> approach?

I have now prepared updated packages. The changelog diff is:

apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

  * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
    fixes
    - CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
    - Segfaults in mod_http2 (Closes: #873945)
    - mod_http2 issue with option "Indexes" and directive "HeaderName"
      (Closes: #850947)
  * mod_http2: Avoid high memory usage with large files, causing crashes on
    32bit archs. Closes: #897218
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. Closes: #898563

 -- Stefan Fritsch  Sun, 13 May 2018 17:43:20 +0200

A partial debdiff without the mod_http2-upgrade-to-2.4.33.diff file is
attached. The full debdiff is available at [1] (probably too large for
mailing lists). The diffstat of the mod_http2-upgrade-to-2.4.33.diff file
is included below [2].
Cheers,
Stefan

[1] https://www.sfritsch.de/~stf/apache2_2.4.25-3+deb9u5~test1/apache2_2.4.25-3+deb9u5.debdiff

[2]
 configure                        |    2
 modules/http2/NWGNUmod_http2     |    2
 modules/http2/config2.m4         |   23
 modules/http2/h2.h               |   46 -
 modules/http2/h2_alt_svc.c       |   13
 modules/http2/h2_alt_svc.h       |   13
 modules/http2/h2_bucket_beam.c   |  892 --
 modules/http2/h2_bucket_beam.h   |  147 ++-
 modules/http2/h2_bucket_eoc.c    |  110 --
 modules/http2/h2_bucket_eoc.h    |   32
 modules/http2/h2_bucket_eos.c    |   18
 modules/http2/h2_bucket_eos.h    |   13
 modules/http2/h2_config.c        |   38
 modules/http2/h2_config.h        |   15
 modules/http2/h2_conn.c          |  156 ++-
 modules/http2/h2_conn.h          |   16
 modules/http2/h2_conn_io.c       |  138 +--
 modules/http2/h2_conn_io.h       |   27
 modules/http2/h2_ctx.c           |   15
 modules/http2/h2_ctx.h           |   13
 modules/http2/h2_filter.c        |  165 ++--
 modules/http2/h2_filter.h        |   26
 modules/http2/h2_from_h1.c       |   54 -
 modules/http2/h2_from_h1.h       |   13
 modules/http2/h2_h2.c            |   25
 modules/http2/h2_h2.h            |   13
 modules/http2/h2_headers.c       |   31
 modules/http2/h2_headers.h       |   19
 modules/http2/h2_mplx.c          | 1551 +--
 modules/http2/h2_mplx.h          |   84 --
 modules/http2/h2_ngn_shed.c      |   30
 modules/http2/h2_ngn_shed.h      |   13
 modules/http2/h2_private.h       |   13
 modules/http2/h2_proxy_session.c |   94 +-
 modules/http2/h2_proxy_session.h |   23
 modules/http2/h2_proxy_util.c    |  296 +++
 modules/http2/h2_proxy_util.h    |   64 +
 modules/http2/h2_push.c          |   20
 modules/http2/h2_push.h          |   14
 modules/http2/h2_request.c       |   34
 modules/http2/h2_request.h       |   13
 modules/http2/h2_session.c       | 1432 +---
 modules/http2/h2_session.h       |   76 -
 modules/http2/h2_stream.c        | 1208 ++
 modules/http2/h2_stream.h        |  179 ++--
 modules/http2/h2_switch.c        |   29
 modules/http2/h2_switch.h        |   13
 modules/http2/h2_task.c          |  250 +++---
 modules/http2/h2_task.h          |   26
 modules/http2/h2_util.c          | 1017 -
 modules/http2/h2_util.h          |  188
 modules/http2/h2_version.h       |   33
 modules/http2/h2_worker.c        |  103 --
 modules/http2/h2_worker.h        |  135 ---
 modules/http2/h2_workers.c       |  587 ++
 modules/http2/h2_workers.h       |   82 --
 modules/http2/mod_http2.c        |   37
 modules/http2/mod_http2.dep      |  118 --
 modules/http2/mod_http2.dsp      |    8
 modules/http2/mod_http2.h        |   13
 modules/http2/mod_http2.mak      |   18
 modules/http2/mod_proxy_http2.c  |  208 ++---
 modules/http2/mod_proxy_http2.h  |   13
 63 files changed, 5534 insertions(+), 4563 deletions(-)

diff -Nru apache2-2.4.25/debian/apache2.apache-htcacheclean.init apache2-2.4.25/debian/apache2.apache-htcacheclean.init
--- apache2-2.4.25/debian/apache2.apache-htcacheclean.init 2018-03-31 10:45:18.0 +0200
+++