Re: Apache 0-day / apache-uaf / use after free bugs
Thanks for the update, Stefan!

> On 22.01.2019 at 13:42, Stefan Sperling wrote:
>
> On Tue, Jan 22, 2019 at 01:31:43PM +0100, Rainer Jung wrote:
>> Here's the response we have compiled from Daniel, Stefan and others:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
>
> FYI, I have disabled pool debugging in OpenBSD's port of APR.
> We are now using Yann's patch to force the default allocator to
> call free(3) when APR pools are cleared:
> https://marc.info/?l=openbsd-ports-cvs&m=154815812713288&w=2
>
> This change only affects OpenBSD -current.
> I do not plan to backport a patch to the OpenBSD 6.4 release.
> We have had no reports indicating that http2 was crashing on OpenBSD.
> The likely reason is that nobody is actually running such a setup.
> If people intend to run such a setup, they should use -current for now,
> or wait until OpenBSD 6.5 is released.
Re: Apache 0-day / apache-uaf / use after free bugs
On Tue, Jan 22, 2019 at 01:31:43PM +0100, Rainer Jung wrote:
> Here's the response we have compiled from Daniel, Stefan and others:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098

FYI, I have disabled pool debugging in OpenBSD's port of APR.
We are now using Yann's patch to force the default allocator to
call free(3) when APR pools are cleared:
https://marc.info/?l=openbsd-ports-cvs&m=154815812713288&w=2

This change only affects OpenBSD -current.
I do not plan to backport a patch to the OpenBSD 6.4 release.
We have had no reports indicating that http2 was crashing on OpenBSD.
The likely reason is that nobody is actually running such a setup.
If people intend to run such a setup, they should use -current for now,
or wait until OpenBSD 6.5 is released.
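To make the allocator change above concrete, here is an added example (not APR code, not from anyone in this thread) that models the two behaviours in a toy pool: a recycle mode, standing in for APR's default allocator keeping cleared memory on a free list for reuse, and a release mode, standing in for the behaviour Stefan describes Yann's patch forcing, where clearing the pool hands every block to free(3). The struct and function names are made up for the illustration; the model is deliberately simplified (a single first-fit free list, no subpools). The point it shows is why a dangling pointer into a pool is silent in recycle mode, where the next allocation of the same size lands on exactly the same block, and why release mode is the one in which ASan or a hardened malloc has a chance to catch the access.

```c
/* Toy model of pool memory recycling vs. release on clear.
 * Added illustration only: not APR's allocator, names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pool_mode { POOL_RECYCLE, POOL_RELEASE };

struct block {
    struct block *next;
    size_t size;
    unsigned char data[];      /* payload handed to the caller */
};

struct pool {
    enum pool_mode mode;
    struct block *active;      /* blocks currently handed out */
    struct block *free_list;   /* cleared blocks kept for reuse (RECYCLE only) */
    size_t frees_issued;       /* how often free(3) was actually called */
};

static void pool_init(struct pool *p, enum pool_mode mode) {
    memset(p, 0, sizeof *p);
    p->mode = mode;
}

/* Hand out a block, preferring a recycled one of sufficient size (first fit). */
static void *pool_alloc(struct pool *p, size_t size) {
    struct block **link = &p->free_list;
    struct block *b = NULL;
    for (; *link; link = &(*link)->next) {
        if ((*link)->size >= size) {
            b = *link;
            *link = b->next;   /* unlink from the free list */
            break;
        }
    }
    if (!b) {
        b = malloc(sizeof *b + size);
        if (!b) return NULL;
        b->size = size;
    }
    b->next = p->active;
    p->active = b;
    return b->data;
}

/* Clear the pool: every active allocation becomes invalid to the caller. */
static void pool_clear(struct pool *p) {
    struct block *b = p->active;
    p->active = NULL;
    while (b) {
        struct block *next = b->next;
        if (p->mode == POOL_RECYCLE) {
            b->next = p->free_list;   /* memory stays mapped and gets reused */
            p->free_list = b;
        } else {
            free(b);                  /* hand it back to the system allocator */
            p->frees_issued++;
        }
        b = next;
    }
}

static void pool_destroy(struct pool *p) {
    pool_clear(p);
    struct block *b = p->free_list;
    while (b) { struct block *next = b->next; free(b); b = next; }
    p->free_list = NULL;
}

/* RECYCLE mode: a pointer kept across pool_clear() still points at mapped
 * memory, and the next same-sized allocation lands on that very block, so
 * the stale pointer silently reads the new owner's data. Returns 1 if so. */
static int recycled_block_aliases(void) {
    struct pool p;
    pool_init(&p, POOL_RECYCLE);
    char *stale = pool_alloc(&p, 64);
    if (!stale) return 0;
    strcpy(stale, "request-1");
    pool_clear(&p);                    /* 'stale' is now logically dead */
    char *fresh = pool_alloc(&p, 64);  /* gets the recycled block back */
    if (!fresh) { pool_destroy(&p); return 0; }
    strcpy(fresh, "request-2");
    /* Well-defined here only because the toy never free()d the block. */
    int aliased = (stale == fresh) && strcmp(stale, "request-2") == 0;
    pool_destroy(&p);
    return aliased;
}

/* RELEASE mode: clearing calls free(3) per block and keeps nothing, so a
 * stale pointer now refers to memory the system allocator owns. We do not
 * touch it here; that access is exactly what ASan or a hardened malloc
 * would flag. Returns the number of blocks released. */
static size_t blocks_released_on_clear(void) {
    struct pool p;
    pool_init(&p, POOL_RELEASE);
    for (int i = 0; i < 3; i++)
        if (!pool_alloc(&p, 32)) { pool_destroy(&p); return 0; }
    pool_clear(&p);
    size_t released = (p.free_list == NULL) ? p.frees_issued : 0;
    pool_destroy(&p);
    return released;
}

int main(void) {
    printf("recycle mode: stale pointer aliases new allocation: %s\n",
           recycled_block_aliases() ? "yes" : "no");
    printf("release mode: blocks handed to free(3) on clear: %zu\n",
           blocks_released_on_clear());
    return 0;
}
```

Building with `-fsanitize=address` and then dereferencing the stale pointer in release mode is the experiment that reproduces what the apache-uaf tooling relies on; in recycle mode the same dereference passes without any diagnostic, which is the behaviour the thread is weighing.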
Re: Apache 0-day / apache-uaf / use after free bugs
Thanks! I also wrote about the h2-related parts at https://icing.github.io/mod_h2/pool-debugging.html

> On 22.01.2019 at 13:31, Rainer Jung wrote:
>
> On 22.01.2019 at 10:33, Daniel Gruno wrote:
>> On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
>>> Hi,
>>>
>>> in Twitter and other social media channels they're talking about a
>>> current apache 0 day:
>>> https://twitter.com/i/web/status/1087593706444730369
>>>
>>> which wasn't handled / isn't currently fixed.
>>>
>>> Some details are here:
>>> https://github.com/hannob/apache-uaf
>>>
>>> If this is true there will be exploits soon. Is there anything planned?
>>> Does 2.4.38 fix those issues?
>>>
>>> Greets,
>>> Stefan
>>>
>> Hi Stefan, and good morning.
>> I figured I should write something to calm people that might be concerned.
>> I will reply in length in a while (coffee is needed first), it takes time to
>> write a proper response that explains our processes and considerations with
>> issues like this, especially when people start hyping the matter. Such is
>> social media, I guess.
>> Until then, I will say quickly that we do not at present consider this
>> something you should be alarmed about. Boring elaboration to follow in a
>> while when I have compiled it :)
>> With regards,
>> Daniel, speaking as just a normal committer.
>
> Here's the response we have compiled from Daniel, Stefan and others:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
>
> Regards,
>
> Rainer
Re: Apache 0-day / apache-uaf / use after free bugs
On 22.01.2019 at 10:33, Daniel Gruno wrote:
> On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
>> Hi,
>>
>> in Twitter and other social media channels they're talking about a
>> current apache 0 day:
>> https://twitter.com/i/web/status/1087593706444730369
>>
>> which wasn't handled / isn't currently fixed.
>>
>> Some details are here:
>> https://github.com/hannob/apache-uaf
>>
>> If this is true there will be exploits soon. Is there anything planned?
>> Does 2.4.38 fix those issues?
>>
>> Greets,
>> Stefan
>>
> Hi Stefan, and good morning.
> I figured I should write something to calm people that might be concerned.
> I will reply in length in a while (coffee is needed first), it takes time to
> write a proper response that explains our processes and considerations with
> issues like this, especially when people start hyping the matter. Such is
> social media, I guess.
> Until then, I will say quickly that we do not at present consider this
> something you should be alarmed about. Boring elaboration to follow in a
> while when I have compiled it :)
> With regards,
> Daniel, speaking as just a normal committer.

Here's the response we have compiled from Daniel, Stefan and others:

https://bz.apache.org/bugzilla/show_bug.cgi?id=63098

Regards,

Rainer
Re: Apache 0-day / apache-uaf / use after free bugs
On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
> Hi,
>
> in Twitter and other social media channels they're talking about a
> current apache 0 day:
> https://twitter.com/i/web/status/1087593706444730369
>
> which wasn't handled / isn't currently fixed.
>
> Some details are here:
> https://github.com/hannob/apache-uaf
>
> If this is true there will be exploits soon. Is there anything planned?
> Does 2.4.38 fix those issues?
>
> Greets,
> Stefan

Hi Stefan, and good morning.

I figured I should write something to calm people that might be concerned.
I will reply in length in a while (coffee is needed first), it takes time to
write a proper response that explains our processes and considerations with
issues like this, especially when people start hyping the matter. Such is
social media, I guess.

Until then, I will say quickly that we do not at present consider this
something you should be alarmed about. Boring elaboration to follow in a
while when I have compiled it :)

With regards,
Daniel, speaking as just a normal committer.