apache2: DoS in apache httpd 2.0.49 issue (CAN-2004-0493)

Bug #6948 reported by Debian Bug Importer

Affects           Status        Importance  Assigned to              Milestone
apache2 (Debian)  Fix Released  Unknown
apache2 (Ubuntu)  Fix Released  Medium      Fabio Massimo Di Nitto

Bug Description

Automatically imported from Debian bug report #256963 http://bugs.debian.org/256963

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <20040630081947.4F33F4488@mebius>
Date: Wed, 30 Jun 2004 17:19:47 +0900
From: Hideki Yamane <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: DoS in apache httpd 2.0.49 issue (CAN-2004-0493)

Package: apache2
Severity: normal
Tags: security

Dear apache2 maintainer team,

 Probably you know, but FYI.
 (I cannot find a discussion in the debian-apache ML or new packages
  in incoming, so I posted this in the BTS. This post makes it easier
  for users to track the security issue, I think.)

 Georgi Guninski found a security flaw (a DoS attack) in apache 2.0.49.
 (http://www.guninski.com/httpd1.html)

 and the patch is here.
 http://www.apache.org/dist/httpd/patches/apply_to_2.0.49/CAN-2004-0493.patch
 Is there any plan to apply this patch?

 If I have overlooked your work on this issue, please let me know
 what I should look at.

--
Regards,

 Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 6 Jul 2004 00:08:51 +0000
From: <email address hidden>
To: <email address hidden>
Subject: Upgrading severity for CAN-2004-0493

severity 256963 critical

Revision history for this message
Matt Zimmerman (mdz) wrote :

Remove myself from all these CCs now that we have the warty-bugs mailing list

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 7 Jul 2004 00:04:57 +0100
From: Thom May <email address hidden>
To: Hideki Yamane <email address hidden>, <email address hidden>
Subject: Re: Bug#256963: apache2: DoS in apache httpd 2.0.49 issue (CAN-2004-0493)

I just uploaded 2.0.50 which fixes this.
-Thom

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 07 Jul 2004 14:51:55 +0900
From: Hideki Yamane <email address hidden>
To: Thom May <email address hidden>
Cc: Hideki Yamane <email address hidden>, <email address hidden>
Subject: Re: Bug#256963: apache2: DoS in apache httpd 2.0.49 issue (CAN-2004-0493)

Hi,

  "Wed, 7 Jul 2004 00:04:57 +0100", "Thom May"
  "Re: Bug#256963: apache2: DoS in apache httpd 2.0.49 issue (CAN-2004-0493)"
>I just uploaded 2.0.50 which fixes this.

 OK, thanks. It makes me and other Debian apache users happy.
 I'll wait for it.

--
Regards,

 Hideki Yamane mailto:henrich @ samba.gr.jp/iijmio-mail.jp

Revision history for this message
Fabio Massimo Di Nitto (fabbione) wrote :

Mailed Matt and James to request sync with sid

Revision history for this message
Thom May (thombot) wrote :

This has been synced now.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 16 Jul 2004 11:16:16 +0200
From: Renaud Duhaut <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: How about apache 2.0.50 in Sarge ?

Package: apache2
Followup-For: Bug #256963

Hi,
Apache 2.0.50 has been in "unstable" since 07-07, thanks for your reactivity.
I would like to know when we can expect 2.0.50 in Sarge?

Thanks.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <20040717001607.GK1026@sport750>
Date: Fri, 16 Jul 2004 17:16:07 -0700
From: Martin Quinson <email address hidden>
To: Renaud Duhaut <email address hidden>, <email address hidden>
Subject: Re: Bug#256963: apache2: How about apache 2.0.50 in Sarge ?

On Fri, Jul 16, 2004 at 11:16:16AM +0200, Renaud Duhaut wrote:
> Package: apache2
> Followup-For: Bug #256963
>
> Hi,
> Apache 2.0.50 is in "unstable" since 07-07, thanks for your reactivity.
> Il would know when can we expect 2.0.50 in Sarge ?

It may take some time. This version would be able to go into testing, but
the compilation on arm failed.
http://packages.qa.debian.org/a/apache2.html

This is because of a missing dependency on an openssh library, as far as I can tell.

http://buildd.debian.org/fetch.php?&pkg=apache2&ver=2.0.50-5&arch=arm&stamp=1089675899&file=log&as=raw

Sorry about that, I hope the maintainers will be able to upload a fixed
version soon.
Mt.

--
There is enough for the need of everyone in this world,
but not for the greed of everyone.
   --- Mahatma Gandhi

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 17 Jul 2004 18:24:21 +0100
From: Thom May <email address hidden>
To: Martin Quinson <email address hidden>, <email address hidden>
Cc: Renaud Duhaut <email address hidden>
Subject: Re: Bug#256963: apache2: How about apache 2.0.50 in Sarge ?

* Martin Quinson (<email address hidden>) wrote :
> On Fri, Jul 16, 2004 at 11:16:16AM +0200, Renaud Duhaut wrote:
> > Package: apache2
> > Followup-For: Bug #256963
> >
> > Hi,
> > Apache 2.0.50 is in "unstable" since 07-07, thanks for your reactivity.
> > Il would know when can we expect 2.0.50 in Sarge ?
>
> It may take some time. This version would be able to go into testing, but
> the compilation on arm failed.
> http://packages.qa.debian.org/a/apache2.html
>
> This is because of a missing dependency on a openssh library, as far as I can tell.
>
> http://buildd.debian.org/fetch.php?&pkg=apache2&ver=2.0.50-5&arch=arm&stamp=1089675899&file=log&as=raw
>
> Sorry about that, I hope the maintainers will be able to upload a fixed
> version soon.
Wrong. If you read the bug associated with this problem, the cause is
openssl segfaulting when built with O3 optimisations on arm. I NMUd OpenSSL
a few days ago, so I'll do an upload to get apache2 rebuilt shortly.
Not much I can do past that, sadly.
-Thom

Changed in apache2:
status: Unknown → Fix Released