Bug 118541 - www-servers/pound: HTTP request smuggling vulnerability (CVE-2005-3751)
Summary: www-servers/pound: HTTP request smuggling vulnerability (CVE-2005-3751)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.apsis.ch/pound/pound_list/...
Whiteboard: B4 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-10 09:00 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-06-07 11:39 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
- pound-2.x config (pound.cfg, 916 bytes, text/plain), 2006-03-25 20:39 UTC, Mark Loeser (RETIRED)
- patch ebuild to use pound-2.cfg (pound-2.0.3.ebuild.patch, 326 bytes, patch), 2006-05-10 03:27 UTC, Mike Williams

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-01-10 09:00:12 UTC
DSA 934-1 deals with CVE-2005-1391 (fixed with bug 90851, if I'm not wrong) and CVE-2005-3751:

HTTP request smuggling vulnerability in Pound before 1.9.4 allows remote attackers to poison web caches, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with conflicting Content-length and Transfer-encoding headers.
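The CVE text above describes the ambiguity class: a request carrying both Content-Length and Transfer-Encoding, or several disagreeing Content-Length values, has no single body length, so a proxy and its backend can disagree on where one request ends and the next begins. The following is an added example, not code from this bug or from Pound, showing the framing check a reverse proxy should apply before forwarding; the request samples are constructed and use the reserved example.test host.

```python
# Added example (not part of the Gentoo bug or of Pound's source): reject
# request heads whose body framing is ambiguous, per RFC 7230 section 3.3.3.
from typing import Dict, List, Tuple


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request head into the request line and a header map.
    Names are lower-cased; repeated headers are kept as a list so that
    conflicting duplicates are visible rather than silently overwritten."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def framing_problem(headers: Dict[str, List[str]]) -> str:
    """Return '' when the message length is unambiguous, else the reason to
    reject. Both CL and TE present is exactly the CVE-2005-3751 condition."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "non-numeric Content-Length"
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        return "Transfer-Encoding present but final coding is not chunked"
    return ""


def accept_request(raw: bytes) -> bool:
    """Proxy policy: forward only requests with unambiguous body framing;
    anything else should be answered with 400 and the connection closed."""
    _, headers = parse_head(raw)
    return framing_problem(headers) == ""


# Constructed samples (not captured traffic):
CLEAN = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

Closing the client connection after the rejection matters as much as the 400 itself, since the leftover bytes of an ambiguous request are what would otherwise be parsed as a second request.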
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-10 10:09:29 UTC
www-servers, please provide fixed packages. thx in advance.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 06:12:18 UTC
Fixed in 1.9.4, please bump to that version.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-06 12:20:25 UTC
Taviso / Tigger / Solar / Vapier please try to provide an updated ebuild.
Comment 4 solar (RETIRED) gentoo-dev 2006-03-18 07:40:20 UTC
Package bumped to version 2.0.3 due to maintainer timeout. 2006-01-10 - today
1.9.4 no longer exists. 

Arch maintainers: 
Upstream marks 2.0 as the stable version but asks for testing on the 2.0.3 so 
please give that a run first. ( http://www.apsis.ch/pound/ ) 
If it's a problem copy the 2.0.3 to 2.0 and run with that one including checking it in. thanks.

www-servers if you are no longer interested in maintaining pound please 
update the metadata.xml accordingly.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-03-19 03:18:19 UTC
Archs please test and mark stable following comment #4
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-03-19 07:45:16 UTC
Using the default config file (/etc/pound.cfg) pound does not start.

Mar 19 10:36:47 [pound] starting...
Mar 19 10:36:57 [pound] unknown directive "User__nobody" - aborted

I definitely have a user nobody...

topcat ~ # grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/:/bin/false

It compiles without any warnings and installed on alpha, but I haven't done any other testing because of the config file issue. The config file doesn't work with pound 2.0 either.

# emerge --info
Portage 2.1_pre6-r2 (default-linux/alpha/no-nptl/2.4, gcc-3.4.4, glibc-2.3.5-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python:     2.3.5, 2.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks maketest metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://adelie.polymtl.ca/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.seren.com/gentoo http://gentoo.chem.wisc.edu/gentoo/ http://cudlug.cudenver.edu/gentoo/ http://gentoo.mirrors.pair.com/ http://gentoo.mirrors.tds.net/gentoo http://gentoo.netnitco.net http://mirror.espri.arizona.edu/gentoo/ http://mirrors.acm.cs.rpi.edu/gentoo/ http://gentoo.arcticnetwork.ca/ http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.llarian.net/ http://gentoo.binarycompass.org http://gentoo.mirrored.ca/ http://mirror.datapipe.net/gentoo http://gentoo.cs.lewisu.edu/gentoo/ http://prometheus.cs.wmich.edu/gentoo http://modzer0.cs.uaf.edu/public/gentoo/ http://mirror.usu.edu/mirrors/gentoo/ http://mirror.phy.olemiss.edu/mirror/gentoo http://mirror.mcs.anl.gov/pub/gentoo/ http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirror.clarkson.edu/pub/distributions/gentoo/ http://cdot.senecac.on.ca/software/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dba dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal expat extraicons extras fastbuild ffmpeg fftw figlet firefox flac force-cgi-redirect ftp gd gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum memlimit mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png posix python quicktime quotes readline real recode reiserfs scp screen sdl session sftp simplexml skins sndfile soap sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads tokenizer truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xsl xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2006-03-25 20:39:50 UTC
Created attachment 83133 [details]
pound-2.x config

The syntax looks like it changed.  This one seems to work for me.  Perhaps we can have a pound-2.cfg to copy to /etc/pound.cfg for the 2.x stuff.
Comment 8 Thomas Cort (RETIRED) gentoo-dev 2006-03-27 04:39:54 UTC
(In reply to comment #7)
> Created an attachment (id=83133)
> pound-2.x config

The config file works for me with pound 2.0.3, thanks!

I tested pound on alpha with apache as a backend, and I didn't encounter any problems. Alpha team, please mark stable.
Comment 9 Matti Bickel (RETIRED) gentoo-dev 2006-03-27 12:45:39 UTC
Tested with Apache. No troubles on ppc.
I had to use the posted pound-2.x config though. Could we provide those instead of the current one? 
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-29 09:23:08 UTC
I marked alpha the other day, but forgot to update this bug, sorry. Thanks to Thomas for testing.
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2006-03-29 15:51:52 UTC
Before I mark it stable on x86, I'd really like the new config to be provided since the old one won't work at all.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-03-30 07:42:18 UTC
Back to ebuild to get this fixed.

Maintainer/padawans please provide a fixed ebuild/patch.
Comment 13 solar (RETIRED) gentoo-dev 2006-03-30 07:45:45 UTC
This package does not seem to be maintained by www-servers anymore (comment #4)
despite what the metadata.xml says so just update the config and check it in 
please.
Comment 14 Mark Loeser (RETIRED) gentoo-dev 2006-03-30 07:49:10 UTC
Well, if no one is going to maintain it, we may want to consider just masking it then.  Either way works for me at this point in time though.
Comment 15 nixnut (RETIRED) gentoo-dev 2006-04-01 10:53:42 UTC
Stable on ppc

Thanks for testing Matti :)
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:14:45 UTC
We should call for a maintainer on gentoo-dev, and mask it if nobody comes.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-04-15 11:37:11 UTC
gentoo-dev mailed (and gentoo-core by accident).
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2006-04-22 03:17:56 UTC
No answer received so I'd say we should mask.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:19:43 UTC
Voting for masking too.
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-07 15:22:22 UTC
masked it, let's see if a new maintainer pops up or i guess we'll have to show this package the door soon.
Comment 21 Mike Williams 2006-05-10 03:27:08 UTC
Created attachment 86536 [details, diff]
patch ebuild to use pound-2.cfg

v2.0.3 works great for me on x86, using it in front of both mediawiki on apache, and sharepoint on IIS (not thoroughly tested here though, as I hate sharepoint).
Comment 22 Thilo Bangert (RETIRED) gentoo-dev 2006-05-16 04:36:53 UTC
thank you mike!

i just committed 2.0.5 (latest stable version upstream) - ARCHs please test and mark stable...

this includes the new config file and the necessary changes to the ebuild

(should 2.0.3 be fixed or just removed? i think upstream considers it experimental)
i'll remove the old ebuilds as soon as x86 marks 2.0.5 stable
Comment 23 Mike Williams 2006-05-16 05:57:35 UTC
2.0.5 works great for me.
Again tested on x86, against mediawiki and sharepoint.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2006-05-16 09:20:16 UTC
(In reply to comment #22)
> i just committed 2.0.5 (latest stable version upstream) - ARCHs please test and
> mark stable...

Adding missing arches to cc
Comment 25 Thilo Bangert (RETIRED) gentoo-dev 2006-05-16 10:08:27 UTC
just added version 1.10 to the tree...
this is a version which is fixed wrt this security hole (AFAICT), but still uses the old configuration file syntax.

ARCH testers: please ignore 2.0.3 (it is experimental, borked and needs to go), but concentrate on 1.10 and 2.0.5

vulnerable versions 1.7 and 1.8.3 already removed. 1.9 will go as soon as 1.10 goes stable on x86...

2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha

thanks!
Comment 26 Thomas Cort (RETIRED) gentoo-dev 2006-05-16 23:01:24 UTC
(In reply to comment #25)
> concentrate on 1.10 and 2.0.5
> 2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha

I tested 2.0.5 with apache and marked it stable on alpha. If you want 1.10 stable on alpha, please re-add us.
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-19 11:53:15 UTC
2.0.5 ppc stable
Comment 28 Mark Loeser (RETIRED) gentoo-dev 2006-05-20 21:26:07 UTC
x86 done.  The p.mask entry is still there, it can be removed now :)
Comment 29 Thilo Bangert (RETIRED) gentoo-dev 2006-05-21 02:13:59 UTC
removed last vulnerable version

AFAICT all system set to go :)
Comment 30 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-21 07:15:34 UTC
Ok, unmasked - ready for GLSA vote. I'm not sure yet
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2006-05-21 09:58:59 UTC
I vote yes. This defeats the whole point of using pound by introducing a lot of vulnerabilities.
Comment 32 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 07:51:15 UTC
mmm... not sure, I don't understand all of it: I would vote a half-yes
Comment 33 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-25 08:47:12 UTC
voting yes, let's have a glsa
Comment 34 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-29 09:18:42 UTC
ok, seems like there is no maintainer and nobody bothers to bump it, so i masked it since the revbump takes longer than i thought ... will send a mail to -dev soon, if nobody replies in 24h then we'll probably have to issue a tempglsa (should've been done looong ago ...)
Comment 35 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-29 09:24:10 UTC
crap, wrong bug ... forget my comment above, sorry :(
Comment 36 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-07 11:39:20 UTC
GLSA 200606-05