Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

Bug #837991 reported by James Gregory on 2011-08-31
38
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
High
Unassigned
Oneiric
High
Unassigned

Bug Description

CVE-2011-3192 relates to an exploit in Apache that could cause Denial of Service through use of excess range headers.

Debian has released an update that fixes this problem (apache2 2.2.19-2) - http://security-tracker.debian.org/tracker/CVE-2011-3192

Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as well as a fix for a regression introduced by that fix (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825). Both 2.2.19-2 and 2.2.20-1 are bugfix-only releases:

+apache2 (2.2.20-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix some regressions related to Range requests caused by the CVE-2011-3192
+ fix. Closes: #639825
+ * Add build-arch and build-indep rules targets to make Lintian happy.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <email address hidden> Sun, 04 Sep 2011 21:50:22 +0200
+
+apache2 (2.2.19-2) unstable; urgency=high
+
+ * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+ overlapping ranges.
+ * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+ * Use "linux-any" in build-deps. Closes: #634709
+ * Improve reload message of a2enmod. Closes: #639291
+ * Improve description of the prefork MPM. Closes: #634242
+ * Mention .conf files in a2enmod man page. Closes: #634834
+
+ -- Stefan Fritsch <email address hidden> Mon, 29 Aug 2011 17:08:17 +0200

and the upstream revision 2.2.20 is a bugfix only release as well, see: http://www.apache.org/dist/httpd/CHANGES_2.2.20

There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod command's output:

-info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")
+info("To activate the new configuration, you need to run:\n  service apache2 $reload\n")

I've verified that the output string does not show up in the current version of the Ubuntu Server Guide, and contacted the person working on the apache portion of the Ubuntu Server Guide according to http://pad.ubuntu.com/serverguide , Gary Roberts (https://launchpad.net/~ag1t) and confirmed that this change does not interfere with his intended updates.

Related branches

CVE References

Changed in apache2 (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) on 2011-09-06
description: updated
summary: - Update apache2 to 2.2.19-2 to fix CVE-2011-3192
+ Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions
Steve Beattie (sbeattie) wrote :

Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to do this via bzr due to bug 842144). I've verified that the package builds on i386 and amd64 and ran the lp:qa-regression-testing tests against that package, and confirmed that no regressions occur.

Steve Beattie (sbeattie) wrote :

And here is the debdiff of 2.2.20-1ubuntu1 against 2.2.20-1, to show just the ubuntu changes to the package.

Changed in apache2 (Ubuntu):
milestone: none → ubuntu-11.10-beta-2
importance: Undecided → High
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1

---------------
apache2 (2.2.20-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable to fix CVE-2011-3192 (LP: #837991).
    Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.
 -- Steve Beattie <email address hidden> Tue, 06 Sep 2011 01:17:15 -0700

Changed in apache2 (Ubuntu Oneiric):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions