SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Debian) | Fix Released | Unknown | |
apache2 (Ubuntu) | Fix Released | High | Adam Conrad |
Bug Description
Automatically imported from Debian bug report #320048 http://
In Debian Bug tracker #320048, Sven Mueller (debian-incase) wrote : Duplicate bug report | #1 |
In Debian Bug tracker #320048, Sven Mueller (debian-incase) wrote : try to fix previous merge | #2 |
unmerge 320048
submitter 320048 <email address hidden>
merge 320063 320048
thanks
In Debian Bug tracker #320048, Stefan Fritsch (sf-sfritsch) wrote : buffer-overrun in apache2-ssl | #3 |
Note that the problematic code is inside
if (s->loglevel >= APLOG_DEBUG) {
}
It seems a simple workaround is lowering the loglevel to something
below debug. Production systems won't have loglevel debug in most
cases.
In Debian Bug tracker #320048, Christian Hammers (ch) wrote : retitling | #4 |
retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks
Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.
bye,
-christian-
In Debian Bug tracker #320048, Sven Mueller (debian-incase) wrote : NMU prepared to fix these bugs (316173, 320048/320063) | #5 |
Hi.
During my NM process, I prepared a NMU for the bugs mentioned in the
subject and CC'ed. I didn't upload it (or rather: ask for upload by a
sponsor) yet, but the packages I prepared are publicly available at
http://
I will wait a week or so and then ask for upload by a sponsor since I
think these bugs really need to be fixed as soon as possible.
regards,
Sven
Debian Bug Importer (debzilla) wrote : | #6 |
Automatically imported from Debian bug report #320048 http://
Debian Bug Importer (debzilla) wrote : | #7 |
*** Bug 19888 has been marked as a duplicate of this bug. ***
Tollef Fog Heen (tfheen) wrote : | #8 |
apache2 (2.0.54-4ubuntu2) breezy; urgency=low
* SECURITY UPDATE: Fix two vulnerabilities.
* Add debian/
- Fix off-by-one error in the SSL certification validation callback.
- CAN-2005-1268
* Add debian/
- Proxy HTTP: If a response contains both Transfer-Encoding
and a Content-Length, remove the Content-Length to eliminate
an HTTP Request Smuggling vulnerability and don't reuse the
connection, stopping some HTTP Request Spoofing attacks.
- CAN-2005-2088
-- Martin Pitt <email address hidden> Mon, 8 Aug 2005 09:27:56 +0200
In Debian Bug tracker #320048, Adam Conrad (adconrad) wrote : Bug#320048: fixed in apache2 2.0.54-5 | #9 |
Source: apache2
Source-Version: 2.0.54-5
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2-
to pool/main/
apache2_
to pool/main/
apache2_
to pool/main/
apache2_
to pool/main/
libapr0-
to pool/main/
libapr0_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 2 Sep 2005 22:26:28 +1000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-
Architecture: source all i386
Version: 2.0.54-5
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
apache2 - next generation, scalable, extendable web server
apache2-common - next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-
apache2-
apache2-
apache2-mpm-worker - high speed threaded model for Apache2
apache2-
apache2-
apache2-utils - utility programs for webservers
libapr0 - the Apache Porta...
In Debian Bug tracker #320048, Adam Conrad (adconrad) wrote : Bug#320063: fixed in apache2 2.0.54-5 | #10 |
Debian Bug Importer (debzilla) wrote : | #11 |
Message-Id: <email address hidden>
Date: Tue, 26 Jul 2005 19:10:44 +0200
From: Sven Mueller <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security: Buffer overflow in ssl_engine_kernel.c
Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS
There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.
Upstream bug report at
http://
(SVN revision 179781)
patch which can be dropped into the Debian package as
043_fix_
-- System Information:
Debian Release: 3.1
APT prefers stable
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.54-4 traditional model for Apache2
-- no debconf information
diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej' build-tree.
--- build-tree.
+++ build-tree/
@@ -1408,7 +1408,7 @@
- n = BIO_read(bio, buff, sizeof(buff));
+ n = BIO_read(bio, buff, sizeof(buff) - 1);
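Review bot: on the added line at -1408, `n` is still used without a visible check for a failed read. `BIO_read` can return zero or a negative value, so if the code that follows indexes `buff` with `n` (the reason for reserving a byte with `sizeof(buff) - 1`), a negative `n` would index before the start of the buffer; guard it, for example by skipping the log output when `n <= 0`. The hunk header announces 7 lines but only the two changed lines survive here, so the declaration of `buff` cannot be confirmed; `sizeof(buff) - 1` is only the right bound if `buff` is an array at this point and not a pointer.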
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Tue, 26 Jul 2005 23:06:35 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Subject: Duplicate bug report
Package: apache2
severity 320048 critical
Tags 320048 +fixed-upstream
Retitle 320048 Security: buffer-overrun in apache2-ssl
Tags 320063 +patch
Merge 320048 320063
thanks
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Wed, 27 Jul 2005 01:24:24 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Subject: try to fix previous merge
unmerge 320048
submitter 320048 <email address hidden>
merge 320063 320048
thanks
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Fri, 5 Aug 2005 23:42:12 +0200
From: Stefan Fritsch <email address hidden>
To: <email address hidden>,
<email address hidden>
Subject: buffer-overrun in apache2-ssl
Note that the problematic code is inside
if (s->loglevel >= APLOG_DEBUG) {
}
It seems a simple workaround is lowering the loglevel to something
below debug. Production systems won't have loglevel debug in most
cases.
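The point of the comment above, as an added example (not code from Apache or from this report): a read into a fixed buffer that only runs at debug log level, with the unpatched and patched read limits from the one-line change earlier in this thread side by side. `BUF_SIZE`, `src_read` (a stand-in for `BIO_read`), the guard byte and the terminator write at `region[n]` are assumptions; the report shows only the changed `BIO_read` line.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  16    /* constructed size; the real buffer size is not on the page */
#define GUARD     0xA5  /* sentinel stored directly after the logical buffer */
#define LOG_INFO  6     /* stand-ins for APLOG_INFO / APLOG_DEBUG */
#define LOG_DEBUG 7

/* Hypothetical stand-in for BIO_read(): copies at most `len` bytes, returns the count. */
static int src_read(const char *src, size_t src_len, unsigned char *dst, size_t len)
{
    size_t n = src_len < len ? src_len : len;
    memcpy(dst, src, n);
    return (int)n;
}

/*
 * Models the debug-only logging path. region[] holds the BUF_SIZE-byte logical
 * buffer plus one guard byte, so the off-by-one write is observable without
 * undefined behaviour. Returns 1 if the guard byte was overwritten, else 0.
 */
static int log_path(int loglevel, const char *data, size_t data_len, int patched)
{
    unsigned char region[BUF_SIZE + 1];

    memset(region, 0, BUF_SIZE);
    region[BUF_SIZE] = GUARD;

    if (loglevel >= LOG_DEBUG) {    /* the gate quoted in the comment above */
        /* unpatched: sizeof(buff); patched: sizeof(buff) - 1 */
        size_t limit = patched ? BUF_SIZE - 1 : BUF_SIZE;
        int n = src_read(data, data_len, region, limit);

        region[n] = '\0';           /* assumed terminator write (not shown in the report) */
        /* a real server would now hand the buffer to its debug log */
    }
    return region[BUF_SIZE] != GUARD;
}

int main(void)
{
    /* Constructed inputs: one longer than the buffer, one that fits. */
    const char longer[] = "constructed input longer than the buffer";
    const char shorter[] = "short";

    printf("debug, unpatched, long  : guard clobbered = %d\n",
           log_path(LOG_DEBUG, longer, strlen(longer), 0));
    printf("debug, patched,   long  : guard clobbered = %d\n",
           log_path(LOG_DEBUG, longer, strlen(longer), 1));
    printf("info,  unpatched, long  : guard clobbered = %d\n",
           log_path(LOG_INFO, longer, strlen(longer), 0));
    printf("debug, unpatched, short : guard clobbered = %d\n",
           log_path(LOG_DEBUG, shorter, strlen(shorter), 0));
    return 0;
}
```

Only the first case touches the guard byte: the input has to fill the buffer completely and the log level has to be debug, which is why lowering the level works as a stopgap until the patched package is installed.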
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Wed, 10 Aug 2005 17:03:55 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: retitling
retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks
Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.
bye,
-christian-
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Fri, 12 Aug 2005 20:43:25 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Eduard Bloch <email address hidden>
Subject: NMU prepared to fix these bugs (316173, 320048/320063)
Hi.
During my NM process, I prepared a NMU for the bugs mentioned in the
subject and CC'ed. I didn't upload it (or rather: ask for upload by a
sponsor) yet, but the packages I prepared are publicly available at
http://
I will wait a week or so and then ask for upload by a sponsor since I
think these bugs really need to be fixed as soon as possible.
regards,
Sven
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Thu, 08 Sep 2005 11:17:06 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#320048: fixed in apache2 2.0.54-5
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Thu, 08 Sep 2005 11:17:06 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#320063: fixed in apache2 2.0.54-5
In Debian Bug tracker #320048, Adam Conrad (adconrad) wrote : | #19 |
In Debian Bug tracker #320048, Adam Conrad (adconrad) wrote : Bug#320048: fixed in apache2 2.0.54-5 | #20 |
Debian Bug Importer (debzilla) wrote : | #21 |
Message-Id: <email address hidden>
Date: Sat, 17 Dec 2005 00:05:09 -0800
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#320048: fixed in apache2 2.0.54-5
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Sat, 17 Dec 2005 00:05:09 -0800
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#320063: fixed in apache2 2.0.54-5