CVE-2008-2364 Apache2 mod_proxy_http.c DOS

Bug #239894 reported by Emanuele Gentili on 2008-06-14
Affects            Importance  Assigned to
apache2 (Ubuntu)   Low         Emanuele Gentili
Dapper             Low         Marc Deslauriers
Feisty             Low         Emanuele Gentili
Gutsy              Low         Marc Deslauriers
Hardy              Low         Marc Deslauriers
Intrepid           Low         Emanuele Gentili

Bug Description

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
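
The failure mode above is a proxy that keeps reading and forwarding 1xx interim responses for as long as the origin server keeps sending them, so the per-request memory grows without bound. The following is an added illustration, not Apache's mod_proxy_http.c code: a minimal origin-response reader that counts interim responses and refuses the exchange (to be mapped to 502 Bad Gateway) once a fixed cap is reached, which is the shape of defence the CVE calls for. The cap MAX_INTERIM_RESPONSES, the function names and the constructed response streams are assumptions for this example.

```c
/* Added example, not Apache's code: bound the number of 1xx interim
 * responses a reverse proxy will accept from an origin server. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INTERIM_RESPONSES      10   /* assumed cap for this example */
#define PROXY_ERR_TOO_MANY_INTERIM (-1) /* caller maps this to 502 Bad Gateway */
#define PROXY_ERR_MALFORMED        (-2)

/* Parse one "HTTP/1.x SSS reason\r\n...\r\n\r\n" head starting at *p.
 * On success return the status code and advance *p past the blank line. */
static int read_response_head(const char **p, const char *end)
{
    const char *s = *p;
    if (end - s < 12 || strncmp(s, "HTTP/1.", 7) != 0)
        return PROXY_ERR_MALFORMED;
    /* status code: three digits after the space that follows the version */
    const char *sp = memchr(s, ' ', (size_t)(end - s));
    if (!sp || end - sp < 4)
        return PROXY_ERR_MALFORMED;
    if (!isdigit((unsigned char)sp[1]) || !isdigit((unsigned char)sp[2]) ||
        !isdigit((unsigned char)sp[3]))
        return PROXY_ERR_MALFORMED;
    int status = (sp[1] - '0') * 100 + (sp[2] - '0') * 10 + (sp[3] - '0');
    /* the head ends at the first empty line */
    const char *blank = NULL;
    for (const char *q = s; q + 3 < end; q++) {
        if (q[0] == '\r' && q[1] == '\n' && q[2] == '\r' && q[3] == '\n') {
            blank = q + 4;
            break;
        }
    }
    if (!blank)
        return PROXY_ERR_MALFORMED;
    *p = blank;
    return status;
}

/* Read response heads from an origin buffer until a final (non-1xx) one.
 * Returns the final status or a PROXY_ERR_* value; *interim_out receives the
 * number of interim responses consumed before stopping. */
int proxy_read_final_status(const char *buf, size_t len, int *interim_out)
{
    const char *p = buf, *end = buf + len;
    int interim = 0, status;
    for (;;) {
        status = read_response_head(&p, end);
        if (status < 0)
            break;
        if (status < 100 || status > 199)
            break;                       /* final response reached */
        /* Each forwarded interim response costs memory; refuse to let the
         * origin make us buffer an unbounded number of them. */
        if (++interim >= MAX_INTERIM_RESPONSES) {
            status = PROXY_ERR_TOO_MANY_INTERIM;
            break;
        }
    }
    if (interim_out)
        *interim_out = interim;
    return status;
}

/* Constructed input: n "100 Continue" heads followed by a final 200. */
int status_for_n_interims(int n, int *interim_out)
{
    const char *interim_head = "HTTP/1.1 100 Continue\r\n\r\n";
    const char *final_head = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
    size_t il = strlen(interim_head), fl = strlen(final_head);
    size_t total = (size_t)n * il + fl;
    char *buf = malloc(total);
    if (!buf)
        return PROXY_ERR_MALFORMED;
    char *w = buf;
    for (int i = 0; i < n; i++) {
        memcpy(w, interim_head, il);
        w += il;
    }
    memcpy(w, final_head, fl);
    int st = proxy_read_final_status(buf, total, interim_out);
    free(buf);
    return st;
}

int main(void)
{
    int seen;
    printf("3 interim responses -> status %d\n", status_for_n_interims(3, &seen));
    int st = status_for_n_interims(5000, &seen);
    printf("5000 interim responses -> %s after %d interim responses\n",
           st == PROXY_ERR_TOO_MANY_INTERIM ? "refused (502)" : "accepted", seen);
    return 0;
}
```

The important property is that the number of interim heads read, and therefore the memory committed to them, is bounded by the constant regardless of how much the origin sends; a 1xx count at or above the cap is a protocol error attributed to the origin, not something to keep forwarding.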

Changed in apache2:
assignee: nobody → emgent
importance: Undecided → High
status: New → Confirmed
Emanuele Gentili (emgent) wrote :

Intrepid fix available from upstream and works fine to solve the problem.

Actually the build failed:
libaprutil1-dev: Depends: libdb4.6-dev but it is not installable

more info:
https://edge.launchpad.net/ubuntu/intrepid/i386/libdb4.6-dev

(I will attach it later)

Emanuele Gentili (emgent) wrote :
Changed in apache2:
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

@Pitti: can you write here when you solve libdb4.6-dev problem in intrepid?

Emanuele Gentili (emgent) wrote :

According to CVE/upstream, the dapper apache2 version is not affected.

ent@amnistia:~$ rmadison apache2
   apache2 | 2.0.55-4ubuntu2 | dapper | source, amd64, i386, powerpc
   apache2 | 2.0.55-4ubuntu2.3 | dapper-security | source, amd64, i386, powerpc
   apache2 | 2.0.55-4ubuntu2.3 | dapper-updates | source, amd64, i386, powerpc
   apache2 | 2.2.3-3.2build1 | feisty | source, all
   apache2 | 2.2.3-3.2ubuntu2.1 | feisty-security | source, all
   apache2 | 2.2.3-3.2ubuntu2.1 | feisty-updates | source, all
   apache2 | 2.2.4-3build1 | gutsy | source, all
   apache2 | 2.2.4-3ubuntu0.1 | gutsy-security | source, all
   apache2 | 2.2.4-3ubuntu0.1 | gutsy-updates | source, all
   apache2 | 2.2.8-1 | hardy | source, all
   apache2 | 2.2.8-1ubuntu0.2 | hardy-updates | source, all
   apache2 | 2.2.8-4ubuntu2 | intrepid | source, all

Michael Bienia (geser) wrote :

libdb4.6-dev (source: db4.6) is in intrepid again (and should appear soon on the archive).

Stefan Fritsch (sf-sfritsch) wrote :

Fixed in 2.2.9, which has been uploaded to Debian.

Changed in apache2:
importance: Undecided → High
status: New → In Progress
importance: Undecided → High
status: New → In Progress
importance: Undecided → High
status: New → In Progress
Martin Pitt (pitti) wrote :

Packages should build-depend on libdb-dev, not a specific version. The new standard db version in Intrepid is 4.7, we shouldn't proliferate 4.6.

Emanuele Gentili (emgent) wrote :

Security issue in Intrepid Ibex fixed by Chuck Short with Debian Merge.

Changed in apache2:
assignee: nobody → emgent
assignee: nobody → emgent
assignee: nobody → emgent
Kees Cook (kees) on 2008-06-17
Changed in apache2:
status: In Progress → Fix Released
Kees Cook (kees) wrote :

Based on the CVE, apache2 in Dapper *is* vulnerable, but the backporting of this fix isn't trivial. Emgent, can you describe your testing environment? That would help in testing the Dapper backport.

Changed in apache2:
status: New → Confirmed
Kees Cook (kees) wrote :

Upstream has no plans to backport the fix due to how unlikely the situation is.

Emanuele Gentili (emgent) wrote :

Upstream fix for apache 2.0.X.

http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt

I will complete dapper fix and tests tomorrow.

E.

Changed in apache2:
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → emgent

Please could someone mark this as Won't Fix for Feisty?

Martin Pitt (pitti) on 2008-12-13
Changed in apache2:
status: In Progress → Won't Fix
Kees Cook (kees) on 2009-01-07
Changed in apache2:
importance: High → Low
importance: High → Low
importance: High → Low
importance: High → Low
importance: High → Low
importance: High → Low
Kees Cook (kees) on 2009-01-27
Changed in apache2:
status: Fix Released → New
status: New → In Progress
status: In Progress → Fix Released
Kees Cook (kees) on 2009-03-09
Changed in apache2:
assignee: emgent → mdeslaur
status: In Progress → Fix Committed
assignee: emgent → mdeslaur
status: In Progress → Fix Committed
assignee: emgent → mdeslaur
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.4-3ubuntu0.2

---------------
apache2 (2.2.4-3ubuntu0.2) gutsy-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE:
   + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
    - The ap_proxy_http_process_response function in mod_proxy_http.c
      in the mod_proxy module does not limit the number of forwarded
      interim responses, which allows remote HTTP servers to cause a
      denial of service (memory consumption) via a large number of
      interim responses.
   + References
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

  [ Marc Deslauriers ]
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
    Entity Too Large" error message
    - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
      messages in modules/http/http_protocol.c.
    - CVE-2007-6203
  * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
    mod_proxy_balancer
    - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2007-6420
  * SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
    function (LP: #224945)
    - debian/patches/109_CVE-2008-1678.dpatch: don't call
      CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
    - CVE-2008-1678
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
    URLs
    - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
      modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2008-2168
  * SECURITY UPDATE: Denial of service via large number of interim responses in
    mod_proxy module (LP: #239894)
    - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
    - CVE-2008-2364
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
    mod_proxy_ftp module
    - debian/patches/112_CVE-2008-2939.dpatch: escape the html
      contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
    - CVE-2008-2939

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2009 15:54:32 -0500

Changed in apache2:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.4

---------------
apache2 (2.2.8-1ubuntu0.4) hardy-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE:
   + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
    - The ap_proxy_http_process_response function in mod_proxy_http.c
      in the mod_proxy module does not limit the number of forwarded
      interim responses, which allows remote HTTP servers to cause a
      denial of service (memory consumption) via a large number of
      interim responses.
   + References
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

  [ Marc Deslauriers ]
  * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
    mod_proxy_balancer
    - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
      nonce in modules/proxy/mod_proxy_balancer.c.
    - CVE-2007-6420
  * SECURITY UPDATE: Denial of service via large number of interim responses in
    mod_proxy module (LP: #239894)
    - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
      version.
    - CVE-2008-2364
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
    mod_proxy_ftp module
    - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
      contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
    - CVE-2008-2939

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2009 17:20:17 -0500

Changed in apache2:
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :
Changed in apache2:
status: Fix Committed → Fix Released