| 2018-02-19 11:28:50 |
Graham Leggett |
bug |
|
|
added bug |
| 2018-02-19 11:30:49 |
Graham Leggett |
tags |
|
xenial |
|
| 2018-02-23 13:42:22 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2018-02-23 13:42:28 |
Christian Ehrhardt |
tags |
xenial |
server-next xenial |
|
| 2018-02-23 13:42:31 |
Christian Ehrhardt |
apache2 (Ubuntu): status |
New |
Triaged |
|
| 2018-06-27 14:23:36 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-06-27 14:23:36 |
Andreas Hasenack |
bug task added |
|
apache2 (Ubuntu Bionic) |
|
| 2018-06-27 14:23:43 |
Andreas Hasenack |
apache2 (Ubuntu Bionic): status |
New |
Triaged |
|
| 2018-06-27 14:23:46 |
Andreas Hasenack |
apache2 (Ubuntu): status |
Triaged |
Fix Released |
|
| 2018-06-27 14:35:59 |
Andreas Hasenack |
bug watch added |
|
https://bz.apache.org/bugzilla/show_bug.cgi?id=62085 |
|
| 2018-06-27 14:35:59 |
Andreas Hasenack |
bug task added |
|
apache2 |
|
| 2018-06-27 15:44:55 |
Bug Watch Updater |
apache2: status |
Unknown |
Fix Released |
|
| 2018-06-27 15:44:55 |
Bug Watch Updater |
apache2: importance |
Unknown |
Medium |
|
| 2018-06-27 15:44:59 |
Bug Watch Updater |
bug watch added |
|
https://bz.apache.org/bugzilla/show_bug.cgi?id=53218 |
|
| 2018-06-27 17:49:42 |
Andreas Hasenack |
apache2 (Ubuntu Bionic): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2018-06-27 17:49:46 |
Andreas Hasenack |
apache2 (Ubuntu Bionic): status |
Triaged |
In Progress |
|
| 2018-06-27 17:49:50 |
Andreas Hasenack |
apache2 (Ubuntu Bionic): importance |
Undecided |
Low |
|
| 2018-06-27 18:21:37 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/348632 |
|
| 2018-06-27 18:26:43 |
Andreas Hasenack |
description |
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
|
| 2018-06-27 18:40:41 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
|
| 2018-06-27 18:45:26 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
[Impact]
If the BalancerMember directive contains a URL with a hostname longer than X characters, apache2 will fail to start with the following error:
BalancerMember worker hostname (65.character.host.name) too long
RFC1035 allows for longer hostnames, and apache upstream has this fix already.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
|
| 2018-06-27 18:57:02 |
Andreas Hasenack |
description |
[Impact]
If the BalancerMember directive contains a URL with a hostname longer than X characters, apache2 will fail to start with the following error:
BalancerMember worker hostname (65.character.host.name) too long
RFC1035 allows for longer hostnames, and apache upstream has this fix already.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
[Impact]
If the BalancerMember directive contains a URL with a hostname longer than X characters, apache2 will fail to start with the following error:
BalancerMember worker hostname (65.character.host.name) too long
RFC1035 allows for longer hostnames, and apache upstream has this fix already.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
This change is twofold: it allows for longer hostnames, and apache won't fail to start anymore if that length is exceeded. In the latter case, however, the hostname is truncated. With that in mind, here are some scenarios:
- hostnames larger than 65 characters but less than 255: before apache2 would fail to start, now it works.
- hostname larger than 255 characters. Before apache would fail to start; now, it starts but truncates that hostname, logging a warning. The configuration is likely to not work due to the truncation, which will lead to DNS errors. If the admin was only relying on (re)start errors to become aware of configuration problems, he/she might miss this until it's too late. But at least the log will be clear about what happened.
- third party modules that use apache's mod_proxy structure might not be aware of the new hostname_ex member which can hold the longer string, since we didn't update the MODULE_MAGIC_NUMBER_MINOR number with this patchset, and will probably remain exhibiting the problem described in this bug.
[Other Info]
The security team's regression test suite for apache2 (http://launchpad.net/qa-regression-testing) was run with the test packages from the PPA at https://launchpad.net/~ahasenack/+archive/ubuntu/apache-balance-member-hostname-1750356/+packages and passed: https://pastebin.ubuntu.com/p/nZ6GGHXgwQ/
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
|
| 2018-07-11 16:56:44 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
| 2018-07-28 06:28:16 |
Steve Langasek |
apache2 (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2018-07-28 06:28:18 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-07-28 06:28:21 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
| 2018-07-28 06:28:28 |
Steve Langasek |
tags |
server-next xenial |
server-next verification-needed verification-needed-bionic xenial |
|
| 2018-08-28 17:19:56 |
Andreas Hasenack |
description |
[Impact]
If the BalancerMember directive contains a URL with a hostname longer than X characters, apache2 will fail to start with the following error:
BalancerMember worker hostname (65.character.host.name) too long
RFC1035 allows for longer hostnames, and apache upstream has this fix already.
[Test Case]
* Install the packages:
sudo apt install apache
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
This change is twofold: it allows for longer hostnames, and apache won't fail to start anymore if that length is exceeded. In the latter case, however, the hostname is truncated. With that in mind, here are some scenarios:
- hostnames larger than 65 characters but less than 255: before apache2 would fail to start, now it works.
- hostname larger than 255 characters. Before apache would fail to start; now, it starts but truncates that hostname, logging a warning. The configuration is likely to not work due to the truncation, which will lead to DNS errors. If the admin was only relying on (re)start errors to become aware of configuration problems, he/she might miss this until it's too late. But at least the log will be clear about what happened.
- third party modules that use apache's mod_proxy structure might not be aware of the new hostname_ex member which can hold the longer string, since we didn't update the MODULE_MAGIC_NUMBER_MINOR number with this patchset, and will probably remain exhibiting the problem described in this bug.
[Other Info]
The security team's regression test suite for apache2 (http://launchpad.net/qa-regression-testing) was run with the test packages from the PPA at https://launchpad.net/~ahasenack/+archive/ubuntu/apache-balance-member-hostname-1750356/+packages and passed: https://pastebin.ubuntu.com/p/nZ6GGHXgwQ/
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
[Impact]
If the BalancerMember directive contains a URL with a hostname longer than X characters, apache2 will fail to start with the following error:
BalancerMember worker hostname (65.character.host.name) too long
RFC1035 allows for longer hostnames, and apache upstream has this fix already.
[Test Case]
* Install the packages:
sudo apt install apache2
* Edit /etc/apache2/sites-available/000-default.conf and add the following block inside the VirtualHost block:
<Proxy "balancer://test">
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:90/"
BalancerMember "http://xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx:91/"
</Proxy>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^/foo balancer://test/foo [P,L]
* Enable the necessary apache modules:
sudo a2enmod proxy_balancer proxy lbmethod_byrequests proxy_http rewrite
* Restart apache2, which will fail:
sudo systemctl restart apache2
* Run the status action and expect an error like this:
sudo systemctl status apache2.service
...
Jun 27 18:31:16 bionic-apache-1750356 apachectl[2218]: BalancerMember worker hostname (xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx) too long
* Update the apache2 packages to the ones available in proposed. As part of the upgrade, apache2 will be restarted again, and in this time it will work. Confirm with systemctl status apache2 that there are no errors this time:
sudo systemctl status apache2
* Try to access http://localhost/foo to trigger the load balancer configuration. It will trigger a DNS error as we don't have an entry for the BalancerMember hostname, but it shows that the configuration worked:
ubuntu@bionic-apache-1750356:~$ wget http://localhost/foo
--2018-06-27 18:39:58-- http://localhost/foo
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2018-06-27 18:39:58 ERROR 502: Proxy Error.
ubuntu@bionic-apache-1750356:~$ tail /var/log/apache2/error.log -n 1
[Wed Jun 27 18:39:58.732097 2018] [proxy:error] [pid 3628:tid 139981565716224] [client 127.0.0.1:42508] AH00898: DNS lookup failure for: xxxxxx-xx-xxxxxxxx-xxxxx-xxxxx.xx-xxxx-x.xxxxx-xxx.xxx.xxxxx.xxxx returned by /foo
[Regression Potential]
This change is twofold: it allows for longer hostnames, and apache won't fail to start anymore if that length is exceeded. In the latter case, however, the hostname is truncated. With that in mind, here are some scenarios:
- hostnames larger than 65 characters but less than 255: before apache2 would fail to start, now it works.
- hostname larger than 255 characters. Before apache would fail to start; now, it starts but truncates that hostname, logging a warning. The configuration is likely to not work due to the truncation, which will lead to DNS errors. If the admin was only relying on (re)start errors to become aware of configuration problems, he/she might miss this until it's too late. But at least the log will be clear about what happened.
- third party modules that use apache's mod_proxy structure might not be aware of the new hostname_ex member which can hold the longer string, since we didn't update the MODULE_MAGIC_NUMBER_MINOR number with this patchset, and will probably remain exhibiting the problem described in this bug.
[Other Info]
The security team's regression test suite for apache2 (http://launchpad.net/qa-regression-testing) was run with the test packages from the PPA at https://launchpad.net/~ahasenack/+archive/ubuntu/apache-balance-member-hostname-1750356/+packages and passed: https://pastebin.ubuntu.com/p/nZ6GGHXgwQ/
== Original Description ==
If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows:
BalancerMember worker hostname (65.character.host.name) too long
The size of the hostname needs to be raised so it is RFC1035 compliant.
Bug fixed upstream at https://bz.apache.org/bugzilla/show_bug.cgi?id=62085, patches backported to v2.4.30:
http://svn.apache.org/r1824455
http://svn.apache.org/r1824504
(Both patches required, first is extended by second). |
|
| 2018-08-28 17:25:06 |
Andreas Hasenack |
tags |
server-next verification-needed verification-needed-bionic xenial |
server-next verification-done-bionic verification-needed xenial |
|
| 2018-09-03 08:02:37 |
Launchpad Janitor |
apache2 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2018-09-03 08:02:44 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
