Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apache2 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Oneiric |
Fix Released
|
High
|
Unassigned | ||
Bug Description
CVE-2011-3192 relates to an exploit in Apache that could cause Denial of Service through use of excess range headers.
Debian has released an update that fixes this problem (apache2 2.2.19-2) - http://
Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as well as a fix for a regression introduced by that fix (http://
+apache2 (2.2.20-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fix some regressions related to Range requests caused by the CVE-2011-3192
+ fix. Closes: #639825
+ * Add build-arch and build-indep rules targets to make Lintian happy.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch <email address hidden> Sun, 04 Sep 2011 21:50:22 +0200
+
+apache2 (2.2.19-2) unstable; urgency=high
+
+ * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+ overlapping ranges.
+ * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+ * Use "linux-any" in build-deps. Closes: #634709
+ * Improve reload message of a2enmod. Closes: #639291
+ * Improve description of the prefork MPM. Closes: #634242
+ * Mention .conf files in a2enmod man page. Closes: #634834
+
+ -- Stefan Fritsch <email address hidden> Mon, 29 Aug 2011 17:08:17 +0200
and the upstream revision 2.2.20 is a bugfix only release as well, see: http://
There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod command's output:
-info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")
+info("To activate the new configuration, you need to run:\n service apache2 $reload\n")
I've verified that the output string does not show up in the current version of the Ubuntu Server Guide, and contacted the person working on the apache portion of the Ubuntu Server Guide according to http://
Related branches
CVE References
| Changed in apache2 (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
| summary: |
- Update apache2 to 2.2.19-2 to fix CVE-2011-3192 + Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions |
| Steve Beattie (sbeattie) wrote | #1 |
| Steve Beattie (sbeattie) wrote | #2 |
| Changed in apache2 (Ubuntu): | |
| milestone: | none → ubuntu-11.10-beta-2 |
| importance: | Undecided → High |
| status: | Confirmed → In Progress |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in apache2 (Ubuntu Oneiric): | |
| status: | In Progress → Fix Released |
Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to do this via bzr due to bug 842144). I've verified that the package builds on i386 and amd64 and ran the lp:qa-regression-testing tests against that package, and confirmed that no regressions occur.