CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

Debdiff for hardy, including patch from http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch

This was fixed in precise in 2.2.21-2ubuntu1 (see bug 872000). Assigning the other releases to myself.

I built a fixed package for hardy in my ppa (2.2.8-1ubuntu0.22~ppa1) and tested it in our environment, I confirm it fixes the exploit.

Debdiff for lucid, also available in my ppa.

Thanks, Michael, I expect packages to go out in the next couple of days. FYI, the lucid debdiff you posted did not include an edit to debian/patches/00list, so I don't believe it's getting applied in your ppa build.

My bad, sorry if anyone tried this package, I had only tested on hardy. I uploaded a fixed package to my ppa.

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

---------------
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.
 -- Steve Beattie <email address hidden> Mon, 07 Nov 2011 14:01:10 -0800

This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.4

---------------
apache2 (2.2.17-1ubuntu1.4) natty-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:21:04 -0700

This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.4

---------------
apache2 (2.2.16-1ubuntu3.4) maverick-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/085_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:23:07 -0700

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.7

---------------
apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low

  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368

  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:27:07 -0700

This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as referred to in USN http://www.ubuntu.com/usn/usn-1259-1 ; closing.