SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache (Debian) | Fix Released | Unknown | | |
apache (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #322607 http://
In Debian Bug tracker #322607, Steve Kemp (skx) wrote : Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers | #1 |
In Debian Bug tracker #322607, Adam Conrad (adconrad) wrote : | #2 |
Steve Kemp wrote:
>
> Can I be the first to say that I don't understand the nature of this
> issue?
The description sounds reasonably straightforward, though I'd classify
this as a vulnerability of pretty low importance, from a "will people be
exploited by this" viewpoint.
> Is this also present in 2.0.54 which is the latest stable release?
> There's no mention of it in the changelog there..
It looks like it's in 2.0.54, and there's a backport in SVN for the 2.0.55
release, but the backport looks more like a massive feature backport, not
just a small security patch, so I may look at if there's a way to fix this
a bit less intrusively.
Actually, it's worth noting that we muck with Content-Length at another
point, thanks to a Debian-specific patch, so we may accidentally not be
vulnerable to this anyway. I'll follow the code around a little later
today and see if that's the case.
... Adam
In Debian Bug tracker #322607, Moritz Muehlenhoff (jmm-inutil) wrote : | #3 |
Steve Kemp wrote:
> > | Proxy HTTP: If a response contains both Transfer-Encoding
> > | and a Content-Length, remove the Content-Length to eliminate
> > | an HTTP Request Smuggling vulnerability and don't reuse the
> > | connection, stopping some HTTP Request Spoofing attacks.
>
> Can I be the first to say that I don't understand the nature of this
> issue?
This seems to be an Apache-specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://
Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the
Transfer-Encoding headers instead, which makes this attack possible?
Cheers,
Moritz
In Debian Bug tracker #322607, Borut Mrak (b9bit) wrote : | #4 |
I hope this will be of some help.
If it's OK, someone tag this bug with PATCH or whatever is appropriate:
sorry about the long URL:
and from there:
http://
Pasting in case that URL goes 404:
Index: server/protocol.c
=======
--- server/protocol.c (revision 208743)
+++ server/protocol.c (working copy)
@@ -885,6 +885,15 @@
return r;
}
+
+ if (apr_table_
+ && apr_table_
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_
+ }
}
else {
if (r->header_only) {
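Review bot: the body of the new if block holds a single call, the one the comment describes as unsetting Content-Length, and nothing in the added lines stops the connection from being reused afterwards. The upstream note quoted in this thread pairs removing Content-Length with not reusing the connection, so if the same reasoning applies on this code path, consider disabling keepalive here as well, or say in the comment why ignoring the header alone is sufficient.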
It seems this is the vulnerability-
In Debian Bug tracker #322607, Sven Mueller (debian-incase) wrote : | #5 |
Package apache2
Tags 316173 +patch
thanks
Borut Mrak wrote on 08/07/2005 17:25:
> I hope this will be of some help.
Me too ;-)
> If it's OK, someone tag this bug with PATCH or whatever is appropriate:
>
> sorry about the long URL:
>
> http://
>
> and from there:
>
> http://
>
> Pasting in case that URL goes 404:
>
> Index: server/protocol.c
> =======
> --- server/protocol.c (revision 208743)
> +++ server/protocol.c (working copy)
[...]
> It seems this is the vulnerability-
To me, this seems to be a similar patch, but unrelated to the proxy
issue this bug is about. In my opinion,
http://
or http://
looks more like it. That changeset (attached below) also contains an
entry in CHANGES which reads:
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
So in my opinion, this would be the real fix to this bug. But given that
the issue is so similar, I would suggest to also incorporate the fix to
server/protocol.c mentioned above.
cu,
sven
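The rule discussed in this thread (when a backend response carries both Transfer-Encoding and Content-Length, drop the Content-Length and do not reuse the connection), as a stand-alone C example added here. It is not the Apache patch or any poster's code; `struct response`, `sanitize_backend_response` and the sample headers are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

#define MAX_HDRS 8

struct header { const char *name; const char *value; };

struct response {
    struct header hdrs[MAX_HDRS];
    int nhdrs;
    int keepalive;              /* 1 = backend connection may be reused */
};

/* Header names are case-insensitive, so compare them that way. */
static int name_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;            /* equal only if both strings ended */
}

/* Number of headers with this name (a message may repeat a header). */
static int count_header(const struct response *r, const char *name)
{
    int i, n = 0;
    for (i = 0; i < r->nhdrs; i++)
        n += name_eq(r->hdrs[i].name, name);
    return n;
}

/* Drop every occurrence of a header, keeping the others in order. */
static int unset_header(struct response *r, const char *name)
{
    int i, kept = 0, removed;
    for (i = 0; i < r->nhdrs; i++)
        if (!name_eq(r->hdrs[i].name, name))
            r->hdrs[kept++] = r->hdrs[i];
    removed = r->nhdrs - kept;
    r->nhdrs = kept;
    return removed;
}

/*
 * RFC 2616 section 4.4, point 3: when both headers are received the
 * Content-Length is ignored. Because the two framings disagree about
 * where the body ends, the connection is also marked as not reusable.
 * Returns 1 if the response was ambiguous and has been changed.
 */
int sanitize_backend_response(struct response *r)
{
    if (count_header(r, "Transfer-Encoding") == 0
        || count_header(r, "Content-Length") == 0)
        return 0;
    unset_header(r, "Content-Length");
    r->keepalive = 0;
    return 1;
}

/* Constructed sample responses (not captured traffic). */
struct response demo_both = {
    { {"Content-Type", "text/html"}, {"Transfer-Encoding", "chunked"},
      {"Content-Length", "10"}, {"content-length", "0"} }, 4, 1
};
struct response demo_chunked = {
    { {"Content-Type", "text/html"}, {"Transfer-Encoding", "chunked"} }, 2, 1
};
struct response demo_length = {
    { {"Content-Type", "text/html"}, {"Content-Length", "10"} }, 2, 1
};

int main(void)
{
    struct response r = demo_both;      /* work on a copy */
    int i, changed = sanitize_backend_response(&r);

    printf("ambiguous=%d keepalive=%d\n", changed, r.keepalive);
    for (i = 0; i < r.nhdrs; i++)
        printf("%s: %s\n", r.hdrs[i].name, r.hdrs[i].value);
    return 0;
}
```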
In Debian Bug tracker #322607, Christian Hammers (ch) wrote : retitling | #6 |
retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks
Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.
bye,
-christian-
In Debian Bug tracker #322607, Christian Hammers (ch) wrote : Apache 1.3 also vulnerable? | #7 |
clone 316173 -1
clone 320048 -2
reassign -1 apache
reassign -2 apache
thanks
In the RedHat/Fedora security announcement I saw today, their 1.3.27
also received an update, so maybe that branch is also vulnerable.
More information may be found here:
https:/
bye,
-christian-
Debian Bug Importer (debzilla) wrote : | #8 |
Automatically imported from Debian bug report #322607 http://
Debian Bug Importer (debzilla) wrote : | #9 |
Message-Id: <email address hidden>
Date: Wed, 29 Jun 2005 00:49:31 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding
and Content-Length headers
Package: apache2
Severity: grave
Tags: security
Justification: user security hole
Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions. This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);
| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 00:11:56 +0100
From: Steve Kemp <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
Transfer-Encoding and Content-Length headers
On Wed, Jun 29, 2005 at 12:49:31AM +0200, Moritz Muehlenhoff wrote:
> Package: apache2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
>
> | The 2.1.6-alpha release addresses a security vulnerability present
> | in all previous 2.x versions. This fault did not affect Apache 1.3.x
> | (which did not proxy keepalives or chunked transfer encoding);
>
> | Proxy HTTP: If a response contains both Transfer-Encoding
> | and a Content-Length, remove the Content-Length to eliminate
> | an HTTP Request Smuggling vulnerability and don't reuse the
> | connection, stopping some HTTP Request Spoofing attacks.
>
Can I be the first to say that I don't understand the nature of this
issue?
Is this also present in 2.0.54 which is the latest stable release?
There's no mention of it in the changelog there..
Steve
--
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 10:50:54 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: "Steve Kemp" <email address hidden>
Cc: "Moritz Muehlenhoff" <email address hidden>,
<email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
Transfer-Encoding and Content-Length headers
Steve Kemp wrote:
>
> Can I be the first to say that I don't understand the nature of this
> issue?
The description sounds reasonably straightforward, though I'd classify
this as a vulnerability of pretty low importance, from a "will people be
exploited by this" viewpoint.
> Is this also present in 2.0.54 which is the latest stable release?
> There's no mention of it in the changelog there..
It looks like it's in 2.0.54, and there's a backport in SVN for the 2.0.55
release, but the backport looks more like a massive feature backport, not
just a small security patch, so I may look at if there's a way to fix this
a bit less intrusively.
Actually, it's worth noting that we muck with Content-Length at another
point, thanks to a Debian-specific patch, so we may accidentally not be
vulnerable to this anyway. I'll follow the code around a little later
today and see if that's the case.
... Adam
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 15:10:56 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Steve Kemp <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
Transfer-Encoding and Content-Length headers
Steve Kemp wrote:
> > | Proxy HTTP: If a response contains both Transfer-Encoding
> > | and a Content-Length, remove the Content-Length to eliminate
> > | an HTTP Request Smuggling vulnerability and don't reuse the
> > | connection, stopping some HTTP Request Spoofing attacks.
>
> Can I be the first to say that I don't understand the nature of this
> issue?
This seems to be an Apache-specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://
Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the
Transfer-Encoding headers instead, which makes this attack possible?
Cheers,
Moritz
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <200507081725.
Date: Fri, 8 Jul 2005 17:25:31 +0200
From: Borut Mrak <b@9bit.biz>
To: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
Transfer-Encoding and Content-Length headers
I hope this will be of some help.
If it's OK, someone tag this bug with PATCH or whatever is appropriate:
sorry about the long URL:
and from there:
http://
Pasting in case that URL goes 404:
Index: server/protocol.c
=======
--- server/protocol.c (revision 208743)
+++ server/protocol.c (working copy)
@@ -885,6 +885,15 @@
return r;
}
+
+ if (apr_table_
+ && apr_table_
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_
+ }
}
else {
if (r->header_only) {
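Review bot: the added comment cites "2616 section 4.4, point 3" without saying RFC, and the header is dropped silently. Spell it "RFC 2616" so the reference is searchable, and consider logging when a message arrives with both Transfer-Encoding and Content-Length, since that combination is what request-smuggling attempts depend on and operators will want to see it.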
It seems this is the vulnerability-
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Tue, 26 Jul 2005 20:02:44 +0200
From: Sven Mueller <email address hidden>
To: Borut Mrak <b@9bit.biz>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses
with both Transfer-Encoding and Content-Length headers
Package apache2
Tags 316173 +patch
thanks
Borut Mrak wrote on 08/07/2005 17:25:
> I hope this will be of some help.
Me too ;-)
> If it's OK, someone tag this bug with PATCH or whatever is appropriate:
>
> sorry about the long URL:
>
> http://
>
> and from there:
>
> http://
>
> Pasting in case that URL goes 404:
>
> Index: server/protocol.c
> =======
> --- server/protocol.c (revision 208743)
> +++ server/protocol.c (working copy)
[...]
> It seems this is the vulnerability-
To me, this seems to be a similar patch, but unrelated to the proxy
issue this bug is about. In my opinion,
http://
or http://
looks more like it. That changeset (attached below) also contains an
entry in CHANGES which reads:
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
So in my opinion, this would be the real fix to this bug. But given that
the issue is so similar, I would suggest to also incorporate the fix to
server/protocol.c mentioned above.
cu,
sven
--- /httpd/
+++ httpd/httpd/
@@ -1,5 +1,10 @@
Changes with Apache 2.0.55
+ *) proxy HTTP: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection, mitigating some HTTP Response Splitting attacks.
+ [Jeff Trawick]
+
*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]
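Review bot: the new CHANGES entry calls this "HTTP Response Splitting", while the 2.1.6-alpha announcement quoted in this thread describes the same change as addressing HTTP Request Smuggling and HTTP Request Spoofing. Use one name for the attack class in both places, and add the CAN-2005-2088 identifier to the entry so packagers can match it against advisories.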
--- /httpd/
+++ httpd/httpd/
@@ -111,10 +111,6 @@
* Various fixes to T-E and C-L processing from trunk
- + proxy HTTP - ignore C-L and disable keepalive to origin server
- ...
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Wed, 10 Aug 2005 17:03:55 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: retitling
retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks
Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.
bye,
-christian-
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Thu, 11 Aug 2005 20:01:16 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: Apache 1.3 also vulnerable?
clone 316173 -1
clone 320048 -2
reassign -1 apache
reassign -2 apache
thanks
In the RedHat/Fedora security announcement I saw today, their 1.3.27
also received an update, so maybe that branch is also vulnerable.
More information may be found here:
https:/
bye,
-christian-
Martin Pitt (pitti) wrote : | #17 |
Apache 2 was fixed a while ago already. However, apache is still vulnerable
(although it is universe).
In Debian Bug tracker #322607, Adam Conrad (adconrad) wrote : Bug#322607: fixed in apache 1.3.33-8 | #18 |
Source: apache
Source-Version: 1.3.33-8
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache_
to pool/main/
apache_1.3.33-8.dsc
to pool/main/
apache_
to pool/main/
libapache-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 06 Sep 2005 23:25:55 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-8) unstable; urgency=medium
.
* Clean up debian/control, replacing hardcoded debconf dependencies with
${
version we want is in all of oldstable, stable, testing and unstable.
* Add 906_content_
where, when a response contains both Transfer-Encoding and Content-Length
headers, the connection can be used for HTTP request...
Martin Pitt (pitti) wrote : | #19 |
(In reply to comment #9)
> Apache 2 was fixed a while ago already. However, apache is still vulnerable
> (although it is universe).
apache has now been fixed, too.
In Debian Bug tracker #322607, Adam Conrad (adconrad) wrote : Bug#322607: fixed in apache 1.3.33-6sarge1 | #20 |
Source: apache
Source-Version: 1.3.33-6sarge1
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
libapache-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-6sarge1) stable-security; urgency=high
.
* Add 906_content_
where, when a response contains both Transfer-Encoding and Content-Length
headers, the connection can be used for HTTP request smuggling and HTTP
request spoofing attacks; see CAN-2005-2088 (closes: #322607)
Files:
1fd30bda6f...
Debian Bug Importer (debzilla) wrote : | #21 |
Message-Id: <email address hidden>
Date: Tue, 06 Sep 2005 07:47:04 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-8
Source: apache
Source-Version: 1.3.33-8
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache_
to pool/main/
apache_1.3.33-8.dsc
to pool/main/
apache_
to pool/main/
libapache-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 06 Sep 2005 23:25:55 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-8) unstable; urgency=medium
.
* Clean up debian/control, replacing hardcoded debconf dependencies with
${
version we want is in all of oldstable, stable, testing and unstable.
* Ad...
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Wed, 07 Sep 2005 23:02:12 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1
Source: apache
Source-Version: 1.3.33-6sarge1
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
libapache-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-6sarge1) stable-security; urgency=high
.
* Add 906_content_
where, when a response cont...
Debian Bug Importer (debzilla) wrote : | #24 |
Message-Id: <email address hidden>
Date: Fri, 16 Dec 2005 21:19:02 -0800
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1
Source: apache
Source-Version: 1.3.33-6sarge1
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache-
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
apache_
to pool/main/
libapache-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache - versatile, high-performance HTTP server
apache-common - support files for all Apache webservers
apache-dbg - debug versions of the Apache webservers
apache-dev - development kit for the Apache webserver
apache-doc - documentation for the Apache webserver
apache-perl - versatile, high-performance HTTP server with Perl support
apache-ssl - versatile, high-performance HTTP server with SSL support
apache-utils - utility programs for webservers (transitional package)
libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
apache (1.3.33-6sarge1) stable-security; urgency=high
.
* Add 906_content_
where, when a response cont...