Activity log for bug #837991

Date Who What changed Old value New value Message
2011-08-31 10:49:22 James Gregory bug added bug
2011-08-31 10:49:35 James Gregory cve linked 2011-3192
2011-08-31 11:37:33 otto06217 bug added subscriber otto06217
2011-08-31 12:15:03 Launchpad Janitor apache2 (Ubuntu): status New Confirmed
2011-08-31 12:17:29 nairboon bug added subscriber nairboon
2011-08-31 14:57:37 Kev bug added subscriber Kev
2011-08-31 17:21:01 Oleg Avdeev bug added subscriber Oleg Avdeev
2011-09-01 00:51:57 Benjamin Heil bug added subscriber Benjamin Heil
2011-09-02 01:42:36 staticsafe bug added subscriber Sadiq Saif
2011-09-06 17:25:26 Steve Beattie bug added subscriber Steve Beattie
2011-09-06 17:35:14 Steve Beattie description

Old value:

CVE-2011-3192 relates to an exploit in Apache that could cause Denial of Service through use of excess range headers. Debian has released an update that fixes this problem (apache2 2.2.19-2) - http://security-tracker.debian.org/tracker/CVE-2011-3192

New value:

CVE-2011-3192 relates to an exploit in Apache that could cause Denial of Service through use of excess range headers. Debian has released an update that fixes this problem (apache2 2.2.19-2) - http://security-tracker.debian.org/tracker/CVE-2011-3192

Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as well as a fix for a regression introduced by that fix (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825). Both 2.2.19-2 and 2.2.20-1 are bugfix-only releases:

+apache2 (2.2.20-1) unstable; urgency=low
+
+  * New upstream release.
+  * Fix some regressions related to Range requests caused by the CVE-2011-3192
+    fix. Closes: #639825
+  * Add build-arch and build-indep rules targets to make Lintian happy.
+  * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 04 Sep 2011 21:50:22 +0200
+
+apache2 (2.2.19-2) unstable; urgency=high
+
+  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+    overlapping ranges.
+  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+  * Use "linux-any" in build-deps. Closes: #634709
+  * Improve reload message of a2enmod. Closes: #639291
+  * Improve description of the prefork MPM. Closes: #634242
+  * Mention .conf files in a2enmod man page. Closes: #634834
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 29 Aug 2011 17:08:17 +0200

and the upstream revision 2.2.20 is a bugfix only release as well, see: http://www.apache.org/dist/httpd/CHANGES_2.2.20

There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod command's output:

-info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")
+info("To activate the new configuration, you need to run:\n  service apache2 $reload\n")

I've verified that the output string does not show up in the current version of the Ubuntu Server Guide, and contacted the person working on the apache portion of the Ubuntu Server Guide according to http://pad.ubuntu.com/serverguide , Gary Roberts (https://launchpad.net/~ag1t), and confirmed that this change does not interfere with his intended updates.
2011-09-06 17:36:04 Steve Beattie summary Update apache2 to 2.2.19-2 to fix CVE-2011-3192 Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions
2011-09-06 17:41:49 Steve Beattie attachment added apache2_2.2.20-1ubuntu1.debdiff https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362702/+files/apache2_2.2.20-1ubuntu1.debdiff
2011-09-06 17:43:34 Steve Beattie attachment added apache2-2.2.20-1_2.2.20-1ubuntu1.diff https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362703/+files/apache2-2.2.20-1_2.2.20-1ubuntu1.diff
2011-09-06 17:43:52 Steve Beattie apache2 (Ubuntu): milestone ubuntu-11.10-beta-2
2011-09-06 17:43:59 Steve Beattie nominated for series Ubuntu Oneiric
2011-09-06 17:44:09 Steve Beattie apache2 (Ubuntu): importance Undecided High
2011-09-06 17:44:26 Steve Beattie bug added subscriber Ubuntu Sponsors Team
2011-09-06 17:45:35 Steve Beattie apache2 (Ubuntu): status Confirmed In Progress
2011-09-06 17:46:32 Dave Walker bug task added apache2 (Ubuntu Oneiric)
2011-09-06 18:30:12 Launchpad Janitor apache2 (Ubuntu Oneiric): status In Progress Fix Released
2011-09-06 19:11:28 Launchpad Janitor branch linked lp:ubuntu/apache2
2012-01-18 17:40:13 Benjamin Drung removed subscriber Ubuntu Sponsors Team