Comment 17 for bug 1842701

Steve Beattie (sbeattie) wrote :

Sorry for the problems that people are experiencing.

Christian, the Ubuntu Security Team will sometimes incorporate a hardening measure like the extra XSRF that upstream included in the 2.4.41 release, if it appears to address similar issues as the original vulnerability. Looking at the history of modules/proxy/ in the 2.4.x branch made it look like they were mildly related. Unfortunately, upstream did not make it explicitly clear in the 2.4.x branch which commits specifically addressed each vulnerability (and in fact, upstream managed to silently break an embargo with their fix for CVE-2019-9517).

The debian/patches/CVE-2019-10092-2.patch is a fixup to the first patch, because in the first patch, a couple of log numbers were missed in the emitted error messages.

The issues with the (so misnamed as CVE-2019-10092-3.patch) should affect xenial and disco as well, not just bionic, since it was backported to those releases as well.

I've made available packages which incorporate both patches mentioned in the upstream bug report (the one for the strcasecmp change and the change in the referrer test) in the ppa for testing. Please let me know if these address the issues that people are seeing.

Thanks, and again, my apologies.