--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
please review apache2/2.4.25-3+deb9u6 for inclusion into the next
stretch point release. Here is the changelog:
* CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
* CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
Closes: #909591
* mod_proxy_fcgi: Fix segfault. Closes: #902906
Debdiff is attached.
Cheers,
Stefan
diff -Nru apache2-2.4.25/debian/changelog apache2-2.4.25/debian/changelog
--- apache2-2.4.25/debian/changelog 2018-06-02 10:01:13.000000000 +0200
+++ apache2-2.4.25/debian/changelog 2018-11-03 19:46:19.000000000 +0100
@@ -1,3 +1,12 @@
+apache2 (2.4.25-3+deb9u6) stretch; urgency=medium
+
+ * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
+ * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
+ Closes: #909591
+ * mod_proxy_fcgi: Fix segfault. Closes: #902906
+
+ -- Stefan Fritsch <s...@debian.org> Sat, 03 Nov 2018 19:46:19 +0100
+
apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
* Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
diff -Nru
apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
--- apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
2018-11-03 19:45:38.000000000 +0100
@@ -0,0 +1,458 @@
+# https://svn.apache.org/viewvc?view=revision&revision=1840757
+# CVE-2018-11763
+--- apache2.orig/modules/http2/h2_session.c
++++ apache2/modules/http2/h2_session.c
+@@ -235,6 +235,7 @@ static int on_data_chunk_recv_cb(nghttp2
+ stream = h2_session_stream_get(session, stream_id);
+ if (stream) {
+ status = h2_stream_recv_DATA(stream, flags, data, len);
++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream data
rcvd");
+ }
+ else {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03064)
+@@ -317,9 +318,9 @@ static int on_header_cb(nghttp2_session
+ }
+
+ /**
+- * nghttp2 session has received a complete frame. Most, it uses
+- * for processing of internal state. HEADER and DATA frames however
+- * we need to handle ourself.
++ * nghttp2 session has received a complete frame. Most are used by nghttp2
++ * for processing of internal state. Some, like HEADER and DATA frames,
++ * we need to act on.
+ */
+ static int on_frame_recv_cb(nghttp2_session *ng2s,
+ const nghttp2_frame *frame,
+@@ -376,6 +377,9 @@ static int on_frame_recv_cb(nghttp2_sess
+ "h2_stream(%ld-%d): WINDOW_UPDATE incr=%d",
+ session->id, (int)frame->hd.stream_id,
+ frame->window_update.window_size_increment);
++ if (nghttp2_session_want_write(session->ngh2)) {
++ dispatch_event(session, H2_SESSION_EV_FRAME_RCVD, 0, "window
update");
++ }
+ break;
+ case NGHTTP2_RST_STREAM:
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c,
APLOGNO(03067)
+@@ -402,6 +406,12 @@ static int on_frame_recv_cb(nghttp2_sess
+ frame->goaway.error_code, NULL);
+ }
+ break;
++ case NGHTTP2_SETTINGS:
++ if (APLOGctrace2(session->c)) {
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c,
++ H2_SSSN_MSG(session, "SETTINGS, len=%ld"),
(long)frame->hd.length);
++ }
++ break;
+ default:
+ if (APLOGctrace2(session->c)) {
+ char buffer[256];
+@@ -413,7 +423,40 @@ static int on_frame_recv_cb(nghttp2_sess
+ }
+ break;
+ }
+- return (APR_SUCCESS == rv)? 0 : NGHTTP2_ERR_PROTO;
++
++ if (session->state == H2_SESSION_ST_IDLE) {
++ /* We received a frame, but session is in state IDLE. That means the
frame
++ * did not really progress any of the (possibly) open streams. It was
a meta
++ * frame, e.g. SETTINGS/WINDOW_UPDATE/unknown/etc.
++ * Remember: IDLE means we cannot send because either there are no
streams open or
++ * all open streams are blocked on exhausted WINDOWs for outgoing
data.
++ * The more frames we receive that do not change this, the less
interested we
++ * become in serving this connection. This is expressed in increasing
"idle_delays".
++ * Eventually, the connection will timeout and we'll close it. */
++ session->idle_frames = H2MIN(session->idle_frames + 1,
session->frames_received);
++ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, 0, session->c,
++ H2_SSSN_MSG(session, "session has %ld idle
frames"),
++ (long)session->idle_frames);
++ if (session->idle_frames > 10) {
++ apr_size_t busy_frames = H2MAX(session->frames_received -
session->idle_frames, 1);
++ int idle_ratio = (int)(session->idle_frames / busy_frames);
++ if (idle_ratio > 100) {
++ session->idle_delay = apr_time_from_msec(H2MIN(1000,
idle_ratio));
++ }
++ else if (idle_ratio > 10) {
++ session->idle_delay = apr_time_from_msec(10);
++ }
++ else if (idle_ratio > 1) {
++ session->idle_delay = apr_time_from_msec(1);
++ }
++ else {
++ session->idle_delay = 0;
++ }
++ }
++ }
++
++ if (APR_SUCCESS != rv) return NGHTTP2_ERR_PROTO;
++ return 0;
+ }
+
+ static int h2_session_continue_data(h2_session *session) {
+@@ -1600,23 +1643,57 @@ static void update_child_status(h2_sessi
+
+ static void transit(h2_session *session, const char *action, h2_session_state
nstate)
+ {
++ apr_time_t timeout;
++ int ostate, loglvl;
++ const char *s;
++
+ if (session->state != nstate) {
+- int loglvl = APLOG_DEBUG;
+- if ((session->state == H2_SESSION_ST_BUSY && nstate ==
H2_SESSION_ST_WAIT)
+- || (session->state == H2_SESSION_ST_WAIT && nstate ==
H2_SESSION_ST_BUSY)){
++ ostate = session->state;
++ session->state = nstate;
++
++ loglvl = APLOG_DEBUG;
++ if ((ostate == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT)
++ || (ostate == H2_SESSION_ST_WAIT && nstate ==
H2_SESSION_ST_BUSY)){
+ loglvl = APLOG_TRACE1;
+ }
+ ap_log_cerror(APLOG_MARK, loglvl, 0, session->c,
+ H2_SSSN_LOG(APLOGNO(03078), session,
+ "transit [%s] -- %s --> [%s]"),
+- h2_session_state_str(session->state), action,
++ h2_session_state_str(ostate), action,
+ h2_session_state_str(nstate));
+- session->state = nstate;
++
+ switch (session->state) {
+ case H2_SESSION_ST_IDLE:
+- update_child_status(session, (session->open_streams == 0?
+- SERVER_BUSY_KEEPALIVE
+- : SERVER_BUSY_READ), "idle");
++ if (!session->remote.emitted_count) {
++ /* on fresh connections, with async mpm, do not return
++ * to mpm for a second. This gives the first request a
better
++ * chance to arrive (und connection leaving IDLE state).
++ * If we return to mpm right away, this connection has the
++ * same chance of being cleaned up by the mpm as
connections
++ * that already served requests - not fair. */
++ session->idle_sync_until = apr_time_now() +
apr_time_from_sec(1);
++ s = "timeout";
++ timeout = H2MAX(session->s->timeout,
session->s->keep_alive_timeout);
++ update_child_status(session, SERVER_BUSY_READ, "idle");
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
++ H2_SSSN_LOG("", session, "enter idle,
timeout = %d sec"),
++
(int)apr_time_sec(H2MAX(session->s->timeout, session->s->keep_alive_timeout)));
++ }
++ else if (session->open_streams) {
++ s = "timeout";
++ timeout = session->s->keep_alive_timeout;
++ update_child_status(session, SERVER_BUSY_KEEPALIVE,
"idle");
++ }
++ else {
++ /* normal keepalive setup */
++ s = "keepalive";
++ timeout = session->s->keep_alive_timeout;
++ update_child_status(session, SERVER_BUSY_KEEPALIVE,
"idle");
++ }
++ session->idle_until = apr_time_now() + timeout;
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
++ H2_SSSN_LOG("", session, "enter idle, %s = %d
sec"),
++ s, (int)apr_time_sec(timeout));
+ break;
+ case H2_SESSION_ST_DONE:
+ update_child_status(session, SERVER_CLOSING, "done");
+@@ -1723,8 +1800,6 @@ static void h2_session_ev_no_io(h2_sessi
+ * This means we only wait for WINDOW_UPDATE from the
+ * client and can block on READ. */
+ transit(session, "no io (flow wait)", H2_SESSION_ST_IDLE);
+- session->idle_until = apr_time_now() +
session->s->timeout;
+- session->keep_sync_until = session->idle_until;
+ /* Make sure we have flushed all previously written output
+ * so that the client will react. */
+ if (h2_conn_io_flush(&session->io) != APR_SUCCESS) {
+@@ -1735,12 +1810,7 @@ static void h2_session_ev_no_io(h2_sessi
+ }
+ else if (session->local.accepting) {
+ /* When we have no streams, but accept new, switch to idle */
+- apr_time_t now = apr_time_now();
+ transit(session, "no io (keepalive)", H2_SESSION_ST_IDLE);
+- session->idle_until = (session->remote.emitted_count?
+- session->s->keep_alive_timeout :
+- session->s->timeout) + now;
+- session->keep_sync_until = now + apr_time_from_sec(1);
+ }
+ else {
+ /* We are no longer accepting new streams and there are
+@@ -1755,12 +1825,25 @@ static void h2_session_ev_no_io(h2_sessi
+ }
+ }
+
+-static void h2_session_ev_data_read(h2_session *session, int arg, const char
*msg)
++static void h2_session_ev_frame_rcvd(h2_session *session, int arg, const char
*msg)
++{
++ switch (session->state) {
++ case H2_SESSION_ST_IDLE:
++ case H2_SESSION_ST_WAIT:
++ transit(session, "frame received", H2_SESSION_ST_BUSY);
++ break;
++ default:
++ /* nop */
++ break;
++ }
++}
++
++static void h2_session_ev_stream_change(h2_session *session, int arg, const
char *msg)
+ {
+ switch (session->state) {
+ case H2_SESSION_ST_IDLE:
+ case H2_SESSION_ST_WAIT:
+- transit(session, "data read", H2_SESSION_ST_BUSY);
++ transit(session, "stream change", H2_SESSION_ST_BUSY);
+ break;
+ default:
+ /* nop */
+@@ -1800,16 +1883,6 @@ static void h2_session_ev_pre_close(h2_s
+ static void ev_stream_open(h2_session *session, h2_stream *stream)
+ {
+ h2_iq_append(session->in_process, stream->id);
+- switch (session->state) {
+- case H2_SESSION_ST_IDLE:
+- if (session->open_streams == 1) {
+- /* enter timeout, since we have a stream again */
+- session->idle_until = (session->s->timeout + apr_time_now());
+- }
+- break;
+- default:
+- break;
+- }
+ }
+
+ static void ev_stream_closed(h2_session *session, h2_stream *stream)
+@@ -1822,11 +1895,6 @@ static void ev_stream_closed(h2_session
+ }
+ switch (session->state) {
+ case H2_SESSION_ST_IDLE:
+- if (session->open_streams == 0) {
+- /* enter keepalive timeout, since we no longer have streams */
+- session->idle_until = (session->s->keep_alive_timeout
+- + apr_time_now());
+- }
+ break;
+ default:
+ break;
+@@ -1884,6 +1952,7 @@ static void on_stream_state_enter(void *
+ default:
+ break;
+ }
++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream state
change");
+ }
+
+ static void on_stream_event(void *ctx, h2_stream *stream,
+@@ -1942,8 +2011,8 @@ static void dispatch_event(h2_session *s
+ case H2_SESSION_EV_NO_IO:
+ h2_session_ev_no_io(session, arg, msg);
+ break;
+- case H2_SESSION_EV_DATA_READ:
+- h2_session_ev_data_read(session, arg, msg);
++ case H2_SESSION_EV_FRAME_RCVD:
++ h2_session_ev_frame_rcvd(session, arg, msg);
+ break;
+ case H2_SESSION_EV_NGH2_DONE:
+ h2_session_ev_ngh2_done(session, arg, msg);
+@@ -1954,6 +2023,9 @@ static void dispatch_event(h2_session *s
+ case H2_SESSION_EV_PRE_CLOSE:
+ h2_session_ev_pre_close(session, arg, msg);
+ break;
++ case H2_SESSION_EV_STREAM_CHANGE:
++ h2_session_ev_stream_change(session, arg, msg);
++ break;
+ default:
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
+ H2_SSSN_MSG(session, "unknown event %d"), ev);
+@@ -1987,13 +2059,15 @@ apr_status_t h2_session_process(h2_sessi
+ apr_status_t status = APR_SUCCESS;
+ conn_rec *c = session->c;
+ int rv, mpm_state, trace = APLOGctrace3(c);
+-
++ apr_time_t now;
++
+ if (trace) {
+ ap_log_cerror( APLOG_MARK, APLOG_TRACE3, status, c,
+ H2_SSSN_MSG(session, "process start, async=%d"), async);
+ }
+
+ while (session->state != H2_SESSION_ST_DONE) {
++ now = apr_time_now();
+ session->have_read = session->have_written = 0;
+
+ if (session->local.accepting
+@@ -2031,39 +2105,42 @@ apr_status_t h2_session_process(h2_sessi
+ break;
+
+ case H2_SESSION_ST_IDLE:
+- /* We trust our connection into the default timeout/keepalive
+- * handling of the core filters/mpm iff:
+- * - keep_sync_until is not set
+- * - we have an async mpm
+- * - we have no open streams to process
+- * - we are not sitting on a Upgrade: request
+- * - we already have seen at least one request
+- */
+- if (!session->keep_sync_until && async &&
!session->open_streams
+- && !session->r && session->remote.emitted_count) {
++ if (session->idle_until && (apr_time_now() +
session->idle_delay) > session->idle_until) {
++ ap_log_cerror( APLOG_MARK, APLOG_TRACE1, status, c,
++ H2_SSSN_MSG(session, "idle, timeout
reached, closing"));
++ if (session->idle_delay) {
++ apr_table_setn(session->c->notes,
"short-lingering-close", "1");
++ }
++ dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, 0,
"timeout");
++ goto out;
++ }
++
++ if (session->idle_delay) {
++ /* we are less interested in spending time on this
connection */
++ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, status, c,
++ H2_SSSN_MSG(session, "session is idle (%ld
ms), idle wait %ld sec left"),
++ (long)apr_time_as_msec(session->idle_delay),
++ (long)apr_time_sec(session->idle_until -
now));
++ apr_sleep(session->idle_delay);
++ session->idle_delay = 0;
++ }
++
++ h2_conn_io_flush(&session->io);
++ if (async && !session->r && (now > session->idle_sync_until))
{
+ if (trace) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+ H2_SSSN_MSG(session,
+ "nonblock read, %d streams open"),
+ session->open_streams);
+ }
+- h2_conn_io_flush(&session->io);
+ status = h2_session_read(session, 0);
+
+ if (status == APR_SUCCESS) {
+ session->have_read = 1;
+- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0,
NULL);
+ }
+- else if (APR_STATUS_IS_EAGAIN(status)
+- || APR_STATUS_IS_TIMEUP(status)) {
+- if (apr_time_now() > session->idle_until) {
+- dispatch_event(session,
+- H2_SESSION_EV_CONN_TIMEOUT, 0,
NULL);
+- }
+- else {
+- status = APR_EAGAIN;
+- goto out;
+- }
++ else if (APR_STATUS_IS_EAGAIN(status) ||
APR_STATUS_IS_TIMEUP(status)) {
++ status = APR_EAGAIN;
++ goto out;
+ }
+ else {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
+@@ -2075,7 +2152,6 @@ apr_status_t h2_session_process(h2_sessi
+ }
+ else {
+ /* make certain, we send everything before we idle */
+- h2_conn_io_flush(&session->io);
+ if (trace) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+ H2_SSSN_MSG(session,
+@@ -2087,7 +2163,6 @@ apr_status_t h2_session_process(h2_sessi
+ */
+ status = h2_mplx_idle(session->mplx);
+ if (status == APR_EAGAIN) {
+- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0,
NULL);
+ break;
+ }
+ else if (status != APR_SUCCESS) {
+@@ -2098,33 +2173,11 @@ apr_status_t h2_session_process(h2_sessi
+ status = h2_session_read(session, 1);
+ if (status == APR_SUCCESS) {
+ session->have_read = 1;
+- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0,
NULL);
+ }
+ else if (status == APR_EAGAIN) {
+ /* nothing to read */
+ }
+ else if (APR_STATUS_IS_TIMEUP(status)) {
+- apr_time_t now = apr_time_now();
+- if (now > session->keep_sync_until) {
+- /* if we are on an async mpm, now is the time that
+- * we may dare to pass control to it. */
+- session->keep_sync_until = 0;
+- }
+- if (now > session->idle_until) {
+- if (trace) {
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE3,
status, c,
+- H2_SSSN_MSG(session,
+- "keepalive timeout"));
+- }
+- dispatch_event(session,
+- H2_SESSION_EV_CONN_TIMEOUT, 0,
"timeout");
+- }
+- else if (trace) {
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+- H2_SSSN_MSG(session,
+- "keepalive, %f sec left"),
+- (session->idle_until - now) /
1000000.0f);
+- }
+ /* continue reading handling */
+ }
+ else if (APR_STATUS_IS_ECONNABORTED(status)
+@@ -2142,6 +2195,18 @@ apr_status_t h2_session_process(h2_sessi
+ dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 0,
"error");
+ }
+ }
++ if (nghttp2_session_want_write(session->ngh2)) {
++ ap_update_child_status(session->c->sbh,
SERVER_BUSY_WRITE, NULL);
++ status = h2_session_send(session);
++ if (status == APR_SUCCESS) {
++ status = h2_conn_io_flush(&session->io);
++ }
++ if (status != APR_SUCCESS) {
++ dispatch_event(session, H2_SESSION_EV_CONN_ERROR,
++ H2_ERR_INTERNAL_ERROR, "writing");
++ break;
++ }
++ }
+ break;
+
+ case H2_SESSION_ST_BUSY:
+@@ -2151,7 +2216,6 @@ apr_status_t h2_session_process(h2_sessi
+ status = h2_session_read(session, 0);
+ if (status == APR_SUCCESS) {
+ session->have_read = 1;
+- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0,
NULL);
+ }
+ else if (status == APR_EAGAIN) {
+ /* nothing to read */
+@@ -2215,7 +2279,7 @@ apr_status_t h2_session_process(h2_sessi
+ session->iowait);
+ if (status == APR_SUCCESS) {
+ session->wait_us = 0;
+- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE,
0, NULL);
+ }
+ else if (APR_STATUS_IS_TIMEUP(status)) {
+ /* go back to checking all inputs again */
+--- apache2.orig/modules/http2/h2_session.h
++++ apache2/modules/http2/h2_session.h
+@@ -66,10 +66,11 @@ typedef enum {
+ H2_SESSION_EV_PROTO_ERROR, /* protocol error */
+ H2_SESSION_EV_CONN_TIMEOUT, /* connection timeout */
+ H2_SESSION_EV_NO_IO, /* nothing has been read or written */
+- H2_SESSION_EV_DATA_READ, /* connection data has been read */
++ H2_SESSION_EV_FRAME_RCVD, /* a frame has been received */
+ H2_SESSION_EV_NGH2_DONE, /* nghttp2 wants neither read nor write
anything */
+ H2_SESSION_EV_MPM_STOPPING, /* the process is stopping */
+ H2_SESSION_EV_PRE_CLOSE, /* connection will close after this */
++ H2_SESSION_EV_STREAM_CHANGE, /* a stream (state/input/output) changed
*/
+ } h2_session_event_t;
+
+ typedef struct h2_session {
+@@ -118,7 +119,9 @@ typedef struct h2_session {
+ apr_size_t max_stream_mem; /* max buffer memory for a single stream
*/
+
+ apr_time_t idle_until; /* Time we shut down due to sheer boredom
*/
+- apr_time_t keep_sync_until; /* Time we sync wait until passing to
async mpm */
++ apr_time_t idle_sync_until; /* Time we sync wait until keepalive
handling kicks in */
++ apr_size_t idle_frames; /* number of rcvd frames that kept
session in idle state */
++ apr_interval_time_t idle_delay; /* Time we delay processing rcvd frames
in idle state */
+
+ apr_bucket_brigade *bbtmp; /* brigade for keeping temporary data */
+ struct apr_thread_cond_t *iowait; /* our cond when trywaiting for data */
diff -Nru apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff
apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff
--- apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff
1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff
2018-11-03 19:06:06.000000000 +0100
@@ -0,0 +1,29 @@
+# https://svn.apache.org/viewvc?view=revision&revision=1832487
+# CVE-2018-1333
+--- apache2.orig/modules/http2/h2_bucket_beam.c
++++ apache2/modules/http2/h2_bucket_beam.c
+@@ -550,6 +550,7 @@ static void recv_buffer_cleanup(h2_bucke
+ apr_brigade_destroy(bb);
+ if (bl) enter_yellow(beam, bl);
+
++ apr_thread_cond_broadcast(beam->change);
+ if (beam->cons_ev_cb) {
+ beam->cons_ev_cb(beam->cons_ctx, beam);
+ }
+@@ -707,12 +708,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
+ h2_beam_lock bl;
+
+ if (beam && enter_yellow(beam, &bl) == APR_SUCCESS) {
+- if (!beam->aborted) {
+- beam->aborted = 1;
+- r_purge_sent(beam);
+- h2_blist_cleanup(&beam->send_list);
+- report_consumption(beam, &bl);
+- }
++ beam->aborted = 1;
++ r_purge_sent(beam);
++ h2_blist_cleanup(&beam->send_list);
++ report_consumption(beam, &bl);
+ apr_thread_cond_broadcast(beam->change);
+ leave_yellow(beam, &bl);
+ }
diff -Nru apache2-2.4.25/debian/patches/fcgi_crash.diff
apache2-2.4.25/debian/patches/fcgi_crash.diff
--- apache2-2.4.25/debian/patches/fcgi_crash.diff 1970-01-01
01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/fcgi_crash.diff 2018-11-03
15:29:50.000000000 +0100
@@ -0,0 +1,37 @@
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906
+# https://bz.apache.org/bugzilla/show_bug.cgi?id=60275
+# https://svn.apache.org/r1778050
+--- apache2.orig/server/util_fcgi.c
++++ apache2/server/util_fcgi.c
+@@ -153,7 +153,7 @@ AP_DECLARE(apr_size_t) ap_fcgi_encoded_e
+
+ envlen += keylen;
+
+- vallen = strlen(elts[i].val);
++ vallen = elts[i].val ? strlen(elts[i].val) : 0;
+
+ if (vallen >> 7 == 0) {
+ envlen += 1;
+@@ -226,7 +226,7 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_
+ buflen -= 4;
+ }
+
+- vallen = strlen(elts[i].val);
++ vallen = elts[i].val ? strlen(elts[i].val) : 0;
+
+ if (vallen >> 7 == 0) {
+ if (buflen < 1) {
+@@ -262,8 +262,11 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_
+ rv = APR_ENOSPC; /* overflow */
+ break;
+ }
+- memcpy(itr, elts[i].val, vallen);
+- itr += vallen;
++
++ if (elts[i].val) {
++ memcpy(itr, elts[i].val, vallen);
++ itr += vallen;
++ }
+
+ if (buflen == vallen) {
+ (*starting_elem)++;
diff -Nru apache2-2.4.25/debian/patches/series
apache2-2.4.25/debian/patches/series
--- apache2-2.4.25/debian/patches/series 2018-06-02 09:48:33.000000000
+0200
+++ apache2-2.4.25/debian/patches/series 2018-11-03 19:42:40.000000000
+0100
@@ -27,3 +27,6 @@
mod_http2-upgrade-to-2.4.33.diff
mod_http2-revert-new-proxy-features.diff
mod_http2_mem_usage_32bit.diff
+fcgi_crash.diff
+CVE-2018-1333-mod_http2_DoS.diff
+CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
--- End Message ---
