[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
** Changed in: apache2
Status: Unknown => Fix Released

** Changed in: apache2
Importance: Unknown => Medium

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in ubuntu.
https://bugs.launchpad.net/bugs/609290

Title:
overlapping memcpy in ssl_io_input_read

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
** Branch linked: lp:debian/sid/apache2

** Branch linked: lp:ubuntu/lucid-proposed/apache2
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Great. It's a very quick bugfix for this high importance bug - after 3 months from the known solutions.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.3

---
apache2 (2.2.14-5ubuntu8.3) lucid-proposed; urgency=low

  * debian/apache2.2-common.postinst: Don't fail if you can load the reqtimeout module. (LP: #621837)
  * debian/patches/Backport fix for upstream bug PR 45444: https://issues.apache.org/bugzilla/show_bug.cgi?id=45444. (LP: #609290, #589611, #595116)
 -- Chuck Short zul...@ubuntu.com  Mon, 27 Sep 2010 14:06:57 -0400

** Changed in: apache2 (Ubuntu Lucid)
Status: Fix Committed => Fix Released
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Accepted apache2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Changed in: apache2 (Ubuntu Lucid)
Status: Triaged => Fix Committed

** Tags added: verification-needed
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Thx. Fixing this bug is next in queue. See https://bugs.launchpad.net/ubuntu/lucid/+source/apache2/+bug/589611
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Jiří: your binary seems to do the trick, I haven't seen the error anymore since updating to it, so thanks, even though I don't really feel comfortable using an unofficial binary fix for this..
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Hello. Because ubuntu team is not able to release the bugfix over 1 month, I compiled patched mod_ssl. For those who want to try it, it's at http://engy.dyndns.org/mod_ssl.so
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Jiří: What happened with the patch you posted 2010-08-04? Was it rejected?
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Jiri, I'm trying it out and will watch my logfiles for a few days.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
They used patch from https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/589611 comment #35, but it contains error - comment #14 from this bug.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Can someone please release a fix for this. I have several servers here facing this error.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
2.2.14-5ubuntu8.2 doesn't contain fix for this bug.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
still no news on this issue? I've installed the attempted fix 2.2.14-5ubuntu8.2, from #595116.. But I'm still getting the same error.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Matthias, I reject your upload and take Chuck's, which also refers to two other bugs.

** Changed in: apache2 (Ubuntu Lucid)
Status: In Progress => Fix Committed

** Tags added: verification-needed
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
has anyone been able to build the new apache2 from lucid-proposed? I'm getting an error while building...

$apt-get -b source apache2
..
applying patch 206-report-max-client-mpm-worker to ./ ... ok.
applying patch 209-backport-mod-reqtimeout to ./ ... ok.
applying patch 210-backport-mod-reqtimeout-ftbfs to ./ ... ok.
applying patch upstream-fix-for-lp-609290.patch to ./ ...diff: httpd-2.2.14.orig//modules/ssl/ssl_engine_io.c: No such file or directory
diff: httpd-2.2.14//modules/ssl/ssl_engine_io.c: No such file or directory
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 2: ---: command not found
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 3: +++: command not found
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 4: @@: command not found
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 5: ABOUT_APACHE: command not found
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 21: syntax error near unexpected token `('
/home/administrator/apache-ssl-fix/apache2-2.2.14/debian/patches/upstream-fix-for-lp-609290.patch: line 21: `-memcpy(in, buffer-value, inl);'
failed.
make: *** [patch-stamp] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Build command 'cd apache2-2.2.14 dpkg-buildpackage -b -uc' failed.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
No, this package has failed to build on all architectures. I've pulled the package back out of lucid-proposed. Chuck, please build test packages before uploading them as SRUs.

** Changed in: apache2 (Ubuntu Lucid)
Status: Fix Committed => Triaged

** Tags removed: verification-needed
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Is there any news on this issue? We're waiting anxiously for a fix =) What kind of test case should be added, wasn't this a bug which was fixed in apache-trunk over two years ago?
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
ACK from SRU team, but I'd like a test case to be added for the meantime. The code for the test case is there, but the procedure is not.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
It's my first debdiff, so I don't know if it is correct.

** Patch added: apache.debdiff
http://launchpadlibrarian.net/53045267/apache.debdiff
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Bug should have a debdiff and test case included
Waiting in lucid-proposed unapproved queue for ubuntu-sru approval
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
I hope this will be fixed as soon as possible. It's very simple patch.
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
This bug was fixed in the package apache2 - 2.2.16-1ubuntu1

---
apache2 (2.2.16-1ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree.
    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)

apache2 (2.2.16-1) unstable; urgency=medium

  * Urgency medium for security fix.
  * New upstream release:
    - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability due to incorrect handling of requests without a path segment.
    - mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite
  * Fix mod_ssl header line corruption because of using memcpy for overlapping buffers. PR 45444. LP: #609290, #589611, #595116

apache2 (2.2.15-6) unstable; urgency=low

  * Fix init script not correctly killing htcacheclean. Closes: #580971
  * Add a separate entry in README.Debian about the need to use apache2ctl for starting instead of calling apache2 directly. Closes: #580445
  * Fix debug info to allow gdb loading it automatically. Closes: #581514
  * Fix install target in Makefile created by apxs2 -n. Closes: #588787
  * Fix ab sending more requests than specified by the -n parameter. Closes: #541158
  * Add apache2 monit configuration to apache2.2-commons examples dir. Closes: #583127
  * Build as PIE, since gdb in squeeze now supports it.
  * Update the postrm script to also purge the version of /var/www/index.html introduced in 2.2.11-7.
  * Bump Standards-Version (no changes).
 -- Chuck Short zul...@ubuntu.com  Mon, 26 Jul 2010 20:21:37 +0100

** Changed in: apache2 (Ubuntu Maverick)
Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1452
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
** Summary changed:

- Critical bug in memcpy-ssse3-rep.S
+ overlapping memcpy in ssl_io_input_read

** Changed in: apache2 (Ubuntu Lucid)
Importance: Undecided => High

** Changed in: apache2 (Ubuntu Lucid)
Status: New => In Progress

** Changed in: apache2 (Ubuntu Lucid)
Milestone: None => lucid-updates

** Also affects: apache2 via
http://issues.apache.org/bugzilla/show_bug.cgi?id=45444
Importance: Unknown
Status: Unknown

** Changed in: apache2 (Ubuntu Maverick)
Importance: Undecided => High

** Changed in: apache2 (Ubuntu Maverick)
Status: New => Triaged

** Changed in: apache2 (Ubuntu Maverick)
Milestone: None => maverick-alpha-3
[Bug 609290] Re: overlapping memcpy in ssl_io_input_read
Yes you are right. The bug was fixed in main trunk of apache but not in 2.2.x branch. memcpy-ssse3 has code for forward and reverse copy. Why? However, I suggest you add a debug statement to memcpy, to monitor overlapping calls, whether it's just the isolated case. Maybe some developers quietly ignore the note about overlapping in memcpy and then they are surprised.
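
The monitoring suggested in the comment above, as an added example (not code from this thread, from glibc or from the Apache patch): a debug wrapper that logs every memcpy call whose ranges overlap and copies with memmove, which the C standard defines for overlapping ranges. The names checked_memcpy, CHECKED_MEMCPY, overlap_hits and demo_shift and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned long overlap_hits;   /* overlapping calls seen so far */

/* 1 if [dst, dst+n) and [src, src+n) share at least one byte. */
static int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    uintptr_t gap = d > s ? d - s : s - d;
    return n != 0 && gap < n;
}

/* Debug wrapper: report the call site on overlap and copy with memmove,
 * which is defined for overlapping ranges; otherwise use plain memcpy. */
static void *checked_memcpy(void *dst, const void *src, size_t n,
                            const char *file, int line)
{
    if (ranges_overlap(dst, src, n)) {
        overlap_hits++;
        fprintf(stderr, "overlapping memcpy at %s:%d: dst=%p src=%p n=%zu\n",
                file, line, dst, src, n);
        return memmove(dst, src, n);
    }
    return memcpy(dst, src, n);
}
#define CHECKED_MEMCPY(d, s, n) \
    checked_memcpy((d), (s), (n), __FILE__, __LINE__)

/* Constructed sample: unread bytes sit `off` bytes into a buffer and are
 * moved to its start, so source and destination share memory whenever
 * more than `off` bytes remain. */
static char demo_buf[64];

/* Returns how many overlap reports this one copy triggered (0 or 1). */
static unsigned long demo_shift(const char *data, size_t off)
{
    unsigned long before = overlap_hits;
    size_t len = strlen(data) - off;

    strcpy(demo_buf, data);
    CHECKED_MEMCPY(demo_buf, demo_buf + off, len);
    demo_buf[len] = '\0';
    return overlap_hits - before;
}

int main(void)
{
    unsigned long hits = demo_shift("junkHost: example.test\r\n", 4);
    printf("%s(overlap reports: %lu)\n", demo_buf, hits);
    return 0;
}
```

Swapping the macro in for memcpy in a debug build shows whether overlapping calls are an isolated case or a pattern, without depending on which direction the libc copy routine happens to run.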