CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Ubuntu) | | Undecided | Unassigned | |
Hardy | | Undecided | Steve Beattie | |
Lucid | | Undecided | Steve Beattie | |
Maverick | | Undecided | Steve Beattie | |
Natty | | Undecided | Steve Beattie | |
Oneiric | | Undecided | Steve Beattie | |
Bug Description
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
visibility: | private → public |
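A log check for the request shape the description names, as an added example that is not part of the original bug report or of the Apache or Ubuntu code: it flags access-log entries whose request-target is not origin-form, absolute-form, `*` or CONNECT authority-form, and labels an initial `@` separately. The log lines are constructed, the function names are hypothetical, and treating status 400 as "refused by the server" is an assumption about how a server that rejects the malformed request logs it.

```python
import re

# Common/Combined Log Format: client ident user [time] "request line" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')
ABSOLUTE_RE = re.compile(r'[A-Za-z][A-Za-z0-9+.-]*://')
AUTHORITY_RE = re.compile(r'[^/@\s]+:\d+')

def classify_target(method, target):
    """Return None for a well-formed request-target, else a short reason."""
    if target.startswith("/") or ABSOLUTE_RE.match(target):
        return None                       # origin-form or absolute-form
    if method == "OPTIONS" and target == "*":
        return None                       # asterisk-form
    if method == "CONNECT" and AUTHORITY_RE.fullmatch(target):
        return None                       # authority-form
    return "initial-at-sign" if target.startswith("@") else "not-origin-form"

def scan(lines):
    """Return a list of (line_no, client, reason, status) for malformed targets."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log entry
        client, request, status = m.groups()
        parts = request.split()
        if len(parts) < 2:
            continue                      # empty or truncated request line
        reason = classify_target(parts[0], parts[1])
        if reason:
            findings.append((line_no, client, reason, int(status)))
    return findings

def not_rejected(findings):
    """Findings answered with something other than 400 (assumption: a server
    that refuses the malformed request logs 400 Bad Request)."""
    return [f for f in findings if f[3] != 400]

# Constructed sample entries (documentation addresses, reserved .invalid names).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2011:14:01:10 -0800] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [07/Nov/2011:14:02:31 -0800] "GET @intranet.invalid/status HTTP/1.0" 400 226',
    '192.0.2.44 - - [07/Nov/2011:14:02:35 -0800] "GET @intranet.invalid/status HTTP/1.0" 200 1033',
    '192.0.2.7 - - [07/Nov/2011:14:03:02 -0800] "OPTIONS * HTTP/1.1" 200 -',
    '192.0.2.9 - - [07/Nov/2011:14:03:40 -0800] "GET index.html HTTP/1.0" 400 226',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Entries returned by `not_rejected` are the ones to review first, since the server answered a malformed request-target instead of refusing it.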
Michael Jeanson (mjeanson) wrote : | #1 |
Steve Beattie (sbeattie) wrote : | #2 |
This was fixed in precise in 2.2.21-2ubuntu1 (see bug 872000). Assigning the other releases to myself.
Changed in apache2 (Ubuntu): | |
status: | New → Fix Released |
Changed in apache2 (Ubuntu Hardy): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Lucid): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Maverick): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Natty): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Oneiric): | |
status: | New → In Progress |
Changed in apache2 (Ubuntu Hardy): | |
assignee: | nobody → Steve Beattie (sbeattie) |
Changed in apache2 (Ubuntu Lucid): | |
assignee: | nobody → Steve Beattie (sbeattie) |
Changed in apache2 (Ubuntu Maverick): | |
assignee: | nobody → Steve Beattie (sbeattie) |
Changed in apache2 (Ubuntu Natty): | |
assignee: | nobody → Steve Beattie (sbeattie) |
Changed in apache2 (Ubuntu Oneiric): | |
assignee: | nobody → Steve Beattie (sbeattie) |
Michael Jeanson (mjeanson) wrote : | #3 |
I built a fixed package for hardy in my ppa (2.2.8-
Michael Jeanson (mjeanson) wrote : | #4 |
Debdiff for lucid, also available in my ppa.
Steve Beattie (sbeattie) wrote : | #5 |
Thanks, Michael, I expect packages to go out in the next couple of days. FYI, the lucid debdiff you posted did not include an edit to debian/
Michael Jeanson (mjeanson) wrote : | #6 |
My bad, sorry if anyone tried this package, I had only tested on hardy. I uploaded a fixed package to my ppa.
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1
---------------
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
- debian/
on invalid requests. (patch courtesy of Michael Jeanson)
- CVE-2011-3368
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
- debian/
HTTP_
- CVE-2011-3348
* Include additional fixes for regressions introduced by
CVE-2011-3192 fixes
- debian/
take upstream fixes for byterange_filter.c through the 2.2.21
release except for the added MaxRanges configuration option, along
with a staged fix for the 2.2.22 release.
-- Steve Beattie <email address hidden> Mon, 07 Nov 2011 14:01:10 -0800
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.4
---------------
apache2 (2.2.17-1ubuntu1.4) natty-security; urgency=low
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
- debian/
on invalid requests. (patch courtesy of Michael Jeanson)
- debian/
0.9 protocol
- CVE-2011-3368
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
- debian/
HTTP_
- CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
configurations
- debian/
configura
- CVE-2011-1176
* Include additional fixes for regressions introduced by
CVE-2011-3192 fixes
- debian/
take upstream fixes for byterange_filter.c through the 2.2.21
release except for the added MaxRanges configuration option along
with a fix staged for 2.2.22.
-- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:21:04 -0700
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.4
---------------
apache2 (2.2.16-1ubuntu3.4) maverick-security; urgency=low
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
- debian/
on invalid requests. (patch courtesy of Michael Jeanson)
- debian/
0.9 protocol
- CVE-2011-3368
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
- debian/
HTTP_
- CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
configurations
- debian/
configura
- CVE-2011-1176
* Include additional fixes for regressions introduced by
CVE-2011-3192 fixes
- debian/
take upstream fixes for byterange_filter.c through the 2.2.21
release except for the added MaxRanges configuration option along
with a fix staged for 2.2.22.
-- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:23:07 -0700
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.7
---------------
apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low
[ Michael Jeanson ]
* SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
- debian/
on invalid requests.
- debian/
0.9 protocol
- CVE-2011-3368
[ Steve Beattie ]
* SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
- debian/
HTTP_
- CVE-2011-3348
* SECURITY UPDATE: mpm-itk failure to drop privileges in certain
configurations
- debian/
configura
- CVE-2011-1176
* Include additional fixes for regressions introduced by
CVE-2011-3192 fixes
- debian/
take upstream fixes for byterange_filter.c through the 2.2.21
release except for the added MaxRanges configuration option along
with a fix staged for 2.2.22.
-- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:27:07 -0700
Changed in apache2 (Ubuntu Lucid): | |
status: | In Progress → Fix Released |
Changed in apache2 (Ubuntu Maverick): | |
status: | In Progress → Fix Released |
Changed in apache2 (Ubuntu Natty): | |
status: | In Progress → Fix Released |
Changed in apache2 (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Steve Beattie (sbeattie) wrote : | #11 |
This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as referred to in USN http://
Changed in apache2 (Ubuntu Hardy): | |
status: | In Progress → Fix Released |
Debdiff for hardy, including patch from http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch