diff -u apache2-2.2.3/debian/changelog apache2-2.2.3/debian/changelog
--- apache2-2.2.3/debian/changelog
+++ apache2-2.2.3/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.2.3-3.2ubuntu2.2) feisty-security; urgency=high
+
+ * SECURITY UPDATE:
+ + debian/patches/106_CVE-2008-2364.dpatch (LP: #239894)
+ - The ap_proxy_http_process_response function in mod_proxy_http.c
+ in the mod_proxy module does not limit the number of forwarded
+ interim responses, which allows remote HTTP servers to cause a
+ denial of service (memory consumption) via a large number of
+ interim responses.
+ + References
+ - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364
+
+ -- Emanuele Gentili Sat, 14 Jun 2008 03:53:01 +0200
+
 apache2 (2.2.3-3.2ubuntu2.1) feisty-security; urgency=low

 * SECURITY UPDATE: denial of service (application crash) when using
diff -u apache2-2.2.3/debian/patches/00list apache2-2.2.3/debian/patches/00list
--- apache2-2.2.3/debian/patches/00list
+++ apache2-2.2.3/debian/patches/00list
@@ -25,0 +26 @@
+106_CVE-2008-2364
only in patch2:
unchanged:
--- apache2-2.2.3.orig/debian/patches/106_CVE-2008-2364.dpatch
+++ apache2-2.2.3/debian/patches/106_CVE-2008-2364.dpatch
@@ -0,0 +1,85 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 106_CVE-2008-2364.dpatch by Emanuele Gentili
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad apache2-2.2.3~/modules/proxy/mod_proxy_http.c apache2-2.2.3/modules/proxy/mod_proxy_http.c
+--- apache2-2.2.3~/modules/proxy/mod_proxy_http.c 2006-07-12 05:38:44.000000000 +0200
++++ apache2-2.2.3/modules/proxy/mod_proxy_http.c 2008-06-14 03:51:29.000000000 +0200
+@@ -1187,6 +1187,16 @@
+ return 1;
+ }
+
++/*
++ * Limit the number of interim respones we sent back to the client. Otherwise
++ * we suffer from a memory build up. Besides there is NO sense in sending back
++ * an unlimited number of interim responses to the client. Thus if we cross
++ * this limit send back a 502 (Bad Gateway).
++ */
++#ifndef AP_MAX_INTERIM_RESPONSES
++#define AP_MAX_INTERIM_RESPONSES 10
++#endif
++
+ static
+ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+ proxy_conn_rec *backend,
+@@ -1201,8 +1211,8 @@
+ apr_bucket *e;
+ apr_bucket_brigade *bb;
+ int len, backasswards;
+- int interim_response; /* non-zero whilst interim 1xx responses
+- * are being read. */
++ int interim_response = 0; /* non-zero whilst interim 1xx responses
++ * are being read. */
+ int pread_len = 0;
+ apr_table_t *save_table;
+ int backend_broke = 0;
+@@ -1214,6 +1224,7 @@
+ */
+
+ rp = ap_proxy_make_fake_req(origin, r);
++ ap_proxy_pre_http_request(origin, rp);
+ /* In case anyone needs to know, this is a fake request that is really a
+ * response.
+ */
+@@ -1341,7 +1352,6 @@
+ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+ ap_set_content_type(r, apr_pstrdup(p, buf));
+ }
+- ap_proxy_pre_http_request(origin,rp);
+
+ /* handle Via header in response */
+ if (conf->viaopt != via_off && conf->viaopt != via_block) {
+@@ -1383,7 +1393,12 @@
+ backend->close += 1;
+ }
+
+- interim_response = ap_is_HTTP_INFO(r->status);
++ if (ap_is_HTTP_INFO(r->status)) {
++ interim_response++;
++ }
++ else {
++ interim_response = 0;
++ }
+ if (interim_response) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+ "proxy: HTTP: received interim %d response",
+@@ -1552,7 +1567,15 @@
+
+ apr_brigade_cleanup(bb);
+ }
+- } while (interim_response);
++ } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
++
++ /* See define of AP_MAX_INTERIM_RESPONSES for why */
++ if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
++ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
++ apr_psprintf(p,
++ "Too many (%d) interim responses from origin server",
++ interim_response));
++ }
+
+ /* If our connection with the client is to be aborted, return DONE. */
+ if (c->aborted || backend_broke) {
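Review bot: The early `return ap_proxyerror(r, HTTP_BAD_GATEWAY, ...)` added after the `do … while` loop (inner hunk `@@ -1552,7 +1567,15 @@`) is taken when the last response read was still a 1xx, and nothing visible on that path marks the backend connection as unusable. If that connection were handed back for reuse, bytes the origin server has yet to send could be read as the reply to a later request, so I would add `backend->close += 1;` immediately before the return, matching the existing use in the `@@ -1383,7 +1393,12 @@` context. Whether the caller already closes the connection on a non-OK status cannot be seen here, because ap_proxy_http_process_response starts and ends outside these hunks; if it does, the extra line is redundant but harmless. Separately, the dpatch header still reads `## DP: No description.`; a line such as `## DP: Limit forwarded interim (1xx) responses in mod_proxy_http (CVE-2008-2364).` would make the patch self-describing.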