[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as referred to in USN http://www.ubuntu.com/usn/usn-1259-1 ; closing.

** Changed in: apache2 (Ubuntu Hardy)
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/877740

Title:
  CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/877740/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
** Branch linked: lp:ubuntu/lucid-updates/apache2
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
** Branch linked: lp:ubuntu/lucid-security/apache2
** Branch linked: lp:ubuntu/maverick-security/apache2
** Branch linked: lp:ubuntu/natty-security/apache2
** Branch linked: lp:ubuntu/oneiric-security/apache2
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.7

---
apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low

  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400 on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http 0.9 protocol
    - CVE-2011-3368

  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch: take upstream fixes for byterange_filter.c through the 2.2.21 release except for the added MaxRanges configuration option along with a fix staged for 2.2.22.

 -- Steve Beattie  Wed, 02 Nov 2011 17:27:07 -0700
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.4

---
apache2 (2.2.16-1ubuntu3.4) maverick-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400 on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http 0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by CVE-2011-3192 fixes
    - debian/patches/085_CVE-2011-3192_regression_part2.dpatch: take upstream fixes for byterange_filter.c through the 2.2.21 release except for the added MaxRanges configuration option along with a fix staged for 2.2.22.

 -- Steve Beattie  Wed, 02 Nov 2011 17:23:07 -0700

** Changed in: apache2 (Ubuntu Lucid)
   Status: In Progress => Fix Released
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.4

---
apache2 (2.2.17-1ubuntu1.4) natty-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400 on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http 0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch: take upstream fixes for byterange_filter.c through the 2.2.21 release except for the added MaxRanges configuration option along with a fix staged for 2.2.22.

 -- Steve Beattie  Wed, 02 Nov 2011 17:21:04 -0700

** Changed in: apache2 (Ubuntu Maverick)
   Status: In Progress => Fix Released
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

---
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400 on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch: take upstream fixes for byterange_filter.c through the 2.2.21 release except for the added MaxRanges configuration option, along with a staged fix for the 2.2.22 release.

 -- Steve Beattie  Mon, 07 Nov 2011 14:01:10 -0800

** Changed in: apache2 (Ubuntu Oneiric)
   Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3192

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3348

** Changed in: apache2 (Ubuntu Natty)
   Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1176
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
My bad, sorry if anyone tried this package, I had only tested on hardy. I uploaded a fixed package to my ppa.
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
Thanks, Michael, I expect packages to go out in the next couple of days. FYI, the lucid debdiff you posted did not include an edit to debian/patches/00list, so I don't believe it's getting applied in your ppa build.
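The reply above points at a failure mode where a security patch ships in the source package but is never applied because debian/patches/00list does not name it. The following check is an added example, not part of the bug thread or the apache2 packaging; the function names are hypothetical, the sample tree is constructed, and it assumes plain 00list syntax (one patch name per line, '#' comments, ".dpatch" suffix optional).

```shell
#!/bin/sh
# Added example: report dpatch files that exist in a patches directory
# but are not named in its 00list, so dpatch would skip them at build time.
# Assumption: plain 00list syntax (no cpp preprocessing of the list).

unlisted_dpatches() {
    patch_dir=$1
    list_file="$patch_dir/00list"
    [ -f "$list_file" ] || { echo "no 00list in $patch_dir" >&2; return 2; }
    for f in "$patch_dir"/*.dpatch; do
        [ -e "$f" ] || continue            # directory holds no .dpatch files
        name=$(basename "$f" .dpatch)
        # Drop comments and whitespace, normalise the optional suffix,
        # then require an exact whole-line match on the patch name.
        if ! sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.dpatch$//' \
                "$list_file" | grep -Fxq -- "$name"; then
            echo "$name"
        fi
    done
}

# Constructed sample tree: patch names come from the changelog entries in
# this thread, file contents are empty placeholders, and 00list deliberately
# omits the part2 patch.
make_sample_tree() {
    d=$(mktemp -d)
    for p in 212_CVE-2011-3368 213_CVE-2011-3348 214_CVE-2011-3368_part2; do
        : > "$d/$p.dpatch"
    done
    printf '%s\n' '# security patches' \
        '212_CVE-2011-3368.dpatch' '213_CVE-2011-3348' > "$d/00list"
    echo "$d"
}

demo() {
    tree=$(make_sample_tree)
    unlisted_dpatches "$tree"
    rm -rf "$tree"
}
demo
```

Run against an unpacked source tree as `unlisted_dpatches debian/patches`; any name it prints is a patch that is present but would not be applied.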
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
Debdiff for lucid, also available in my ppa.

** Patch added: "apache2_2.2.14-5ubuntu8.7.debdiff"
   https://bugs.launchpad.net/ubuntu/hardy/+source/apache2/+bug/877740/+attachment/2560947/+files/apache2_2.2.14-5ubuntu8.7.debdiff
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
I built a fixed package for hardy in my ppa (2.2.8-1ubuntu0.22~ppa1) and tested it in our environment, I confirm it fixes the exploit.
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
This was fixed in precise in 2.2.21-2ubuntu1 (see bug 872000). Assigning the other releases to myself.

** Changed in: apache2 (Ubuntu)
   Status: New => Fix Released

** Changed in: apache2 (Ubuntu Hardy)
   Status: New => In Progress

** Changed in: apache2 (Ubuntu Lucid)
   Status: New => In Progress

** Changed in: apache2 (Ubuntu Maverick)
   Status: New => In Progress

** Changed in: apache2 (Ubuntu Natty)
   Status: New => In Progress

** Changed in: apache2 (Ubuntu Oneiric)
   Status: New => In Progress

** Changed in: apache2 (Ubuntu Hardy)
   Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: apache2 (Ubuntu Lucid)
   Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: apache2 (Ubuntu Maverick)
   Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: apache2 (Ubuntu Natty)
   Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: apache2 (Ubuntu Oneiric)
   Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
** Also affects: apache2 (Ubuntu Hardy)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Oneiric)
   Importance: Undecided
   Status: New
[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
Debdiff for hardy, including patch from http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch

** Patch added: "apache2_2.2.8-1ubuntu0.22.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/877740/+attachment/2558586/+files/apache2_2.2.8-1ubuntu0.22.debdiff