Public bug reported:

Starting with Apache 2.4.52-1ubuntu4.18 in 22.04 (and I suspect in all
other supported Ubuntu releases, since the changelogs are similar), the
mod_md setting MDStapleOthers is ignored.

When enabled, this should cause mod_md to try to retrieve OCSP responses
from CAs, and serve them to https clients for OCSP stapling. Prior to
2.4.52-1ubuntu4.18, this was working correctly. (I believe this bug only
applies to domains whose certificate renewals are *not* managed by
mod_md.)

(MDStapleOthers status can be checked by examining the output of:

    openssl s_client -status "$domain":443

or by checking the file /etc/apache2/md/ocsp/other/job.json which should
contain entries in a "log" section.)

The Ubuntu changelog for 2.4.52-1ubuntu4.18 notes:

  * SECURITY UPDATE: Integer overflow in the case of failed ACME
    certificate renewal
    - debian/patches/CVE-2025-55753.patch: update mod_md to version
      2.6.6 in modules/md/*

The mod_md changelog, available at
https://github.com/icing/mod_md/blob/master/ChangeLog, notes that 2.6.6
has a bug:

  v2.6.7
  ----------------------------------------------------------------------------------------------------
  * Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
    applied, no matter the configuration.

I can confirm that compiling mod_md 2.6.8 from source (configure/make),
and using that module in 2.4.52-1ubuntu4.18, works as expected.

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/2142766
Title:
mod_md setting MDStapleOthers is ignored breaking OCSP for some
domains
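
The stapling check described in the report, as an added example that is not part of the original bug report or of mod_md: it classifies the output of openssl s_client -status so a regression like this one can be caught by monitoring. The function names (staple_status, check_domain) are hypothetical and the SAMPLE_* texts are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -status` output for OCSP stapling.
# The SAMPLE_* texts are constructed, trimmed to the lines the check reads.

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

# Reads s_client output on stdin and prints one of:
#   stapled:<cert status>  a stapled response was served (good/revoked/unknown)
#   stapled:unparsed       a response was served but no Cert Status line found
#   not-stapled            handshake completed, server sent no OCSP response
#   no-handshake           neither marker seen (connection or TLS failure)
staple_status() {
    awk '
        /OCSP response: no response sent/   { none = 1 }
        /OCSP Response Status: successful/  { ok = 1 }
        /Cert Status:/ {
            sub(/.*Cert Status:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); status = $0
        }
        END {
            if (none)                     print "not-stapled"
            else if (ok && status != "")  print "stapled:" status
            else if (ok)                  print "stapled:unparsed"
            else                          print "no-handshake"
        }'
}

# Hypothetical helper: query a live host. -servername sends SNI so the
# intended vhost answers; stdin from /dev/null makes s_client exit.
check_domain() {
    openssl s_client -status -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | staple_status
}

# With arguments, check each domain; without, run the constructed samples.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do printf '%s\t%s\n' "$d" "$(check_domain "$d")"; done
else
    printf '%s\n' "$SAMPLE_STAPLED" | staple_status
    printf '%s\n' "$SAMPLE_NOT_STAPLED" | staple_status
fi
```

A result of not-stapled on a domain whose certificate is not managed by mod_md, with MDStapleOthers enabled, matches the behaviour the report describes.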