DSA 934-1 deals with CVE-2005-1391 (fixed with bug 90851, if I'm not wrong) and CVE-2005-3751:
HTTP request smuggling vulnerability in Pound before 1.9.4 allows remote attackers to poison web caches, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with conflicting Content-length and Transfer-encoding headers.
www-servers, please provide fixed packages. thx in advance.
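For readers of this bug who want to see the defect class behind CVE-2005-3751 concretely, here is an added example (not Pound's code and not from this thread): a framing check a reverse proxy can apply so that the front end refuses a request whose body length is ambiguous, instead of letting front end and back end disagree on where one request ends and the next begins. RFC 7230 section 3.3.3 treats a request carrying both Transfer-Encoding and Content-Length as a possible smuggling attempt that a server may reject; the header names, sample request and the `example.test` host are constructed for the example.

```python
# Added example, not part of Pound or of this bug: reject ambiguous framing
# (the conflicting Content-Length / Transfer-Encoding case from the advisory)
# with a 400 before forwarding, rather than trying to interpret it.
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into (request line, header list).
    Only the head up to the blank line is examined; the body is untouched."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_problem(raw: bytes) -> str:
    """Return "" when the body length is unambiguous, else a reason to
    answer 400 and close the connection without forwarding."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "non-numeric Content-Length"
    # For a request, the final transfer coding must be chunked; otherwise
    # the length cannot be determined at all (RFC 7230 3.3.3).
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        return "Transfer-Encoding does not end with chunked"
    return ""


# Constructed samples: one request carrying both length headers (the shape
# the advisory describes) and one plainly framed request.
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    for req in (SMUGGLED, CLEAN):
        print(framing_problem(req) or "ok")
```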
Fixed in 1.9.4, please bump to that version.
Taviso / Tigger / Solar / Vapier please try to provide an updated ebuild.
Package bumped to version 2.0.3 due to maintainer timeout. 2006-01-10 - today
1.9.4 no longer exists.
Upstream marks 2.0 as the stable version but asks for testing on 2.0.3, so please give that a run first. ( http://www.apsis.ch/pound/ )
If it's a problem, copy the 2.0.3 to 2.0 and run with that one, including checking it in. Thanks.
www-servers if you are no longer interested in maintaining pound please
update the metadata.xml accordingly.
Archs please test and mark stable following comment #4
Using the default config file (/etc/pound.cfg) pound does not start.
Mar 19 10:36:47 [pound] starting...
Mar 19 10:36:57 [pound] unknown directive "User__nobody" - aborted
I definitely have a user nobody...
topcat ~ # grep nobody /etc/passwd
It compiles without any warnings and installed on alpha, but I haven't done any other testing because of the config file issue. The config file doesn't work with pound 2.0 either.
# emerge --info
Portage 2.1_pre6-r2 (default-linux/alpha/no-nptl/2.4, gcc-3.4.4, glibc-2.3.5-r3, 2.4.32 alpha)
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python: 2.3.5, 2.4.2-r1
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
FEATURES="autoconfig collision-protect distlocks maketest metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://adelie.polymtl.ca/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.seren.com/gentoo http://gentoo.chem.wisc.edu/gentoo/ http://cudlug.cudenver.edu/gentoo/ http://gentoo.mirrors.pair.com/ http://gentoo.mirrors.tds.net/gentoo http://gentoo.netnitco.net http://mirror.espri.arizona.edu/gentoo/ http://mirrors.acm.cs.rpi.edu/gentoo/ http://gentoo.arcticnetwork.ca/ http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.llarian.net/ http://gentoo.binarycompass.org http://gentoo.mirrored.ca/ http://mirror.datapipe.net/gentoo http://gentoo.cs.lewisu.edu/gentoo/ http://prometheus.cs.wmich.edu/gentoo http://modzer0.cs.uaf.edu/public/gentoo/ http://mirror.usu.edu/mirrors/gentoo/ http://mirror.phy.olemiss.edu/mirror/gentoo http://mirror.mcs.anl.gov/pub/gentoo/ http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirror.clarkson.edu/pub/distributions/gentoo/ http://cdot.senecac.on.ca/software/gentoo/"
Unset: ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LANG, LC_ALL, LDFLAGS, LINGUAS
Created attachment 83133 [details]
The syntax looks like it changed. This one seems to work for me. Perhaps we can have a pound-2.cfg to copy to /etc/pound.cfg for the 2.x stuff.
(In reply to comment #7)
> Created an attachment (id=83133) 
> pound-2.x config
The config file works for me with pound 2.0.3, thanks!
I tested pound on alpha with apache as a backend, and I didn't encounter any problems. Alpha team, please mark stable.
Tested with Apache. No troubles on ppc.
I had to use the posted pound-2.x config though. Could we provide those instead of the current one?
I marked alpha the other day, but forgot to update this bug, sorry. Thanks to Thomas for testing.
Before I mark it stable on x86, I'd really like the new config to be provided since the old one won't work at all.
Back to ebuild to get this fixed.
Maintainer/padawans please provide a fixed ebuild/patch.
This package does not seem to be maintained by www-servers anymore (comment #4) despite what the metadata.xml says, so just update the config and check it in.
Well, if no one is going to maintain it, we may want to consider just masking it then. Either way works for me at this point in time though.
Stable on ppc
Thanks for testing Matti :)
We should call for a maintainer on gentoo-dev, and mask it if nobody comes.
gentoo-dev mailed (and gentoo-core by accident).
No answer received so I'd say we should mask.
Voting for masking too.
Masked it; let's see if a new maintainer pops up, or I guess we'll have to show this package the door soon.
Created attachment 86536 [details, diff]
patch ebuild to use pound-2.cfg
v2.0.3 works great for me on x86, using it in front of both mediawiki on apache, and sharepoint on IIS (not thoroughly tested here though, as I hate sharepoint).
thank you mike!
I just committed 2.0.5 (latest stable version upstream) - ARCHs please test and mark stable...
This includes the new config file and the necessary changes to the ebuild.
(Should 2.0.3 be fixed or just removed? I think upstream considers it experimental.)
I'll remove the old ebuilds as soon as x86 marks 2.0.5 stable.
2.0.5 works great for me.
Again tested on x86, against mediawiki and sharepoint.
(In reply to comment #22)
> i just committed 2.0.5 (latest stable version upstream) - ARCHs please test and
> mark stable...
Adding missing arches to cc
Just added version 1.10 to the tree...
This is a version which is fixed wrt this security hole (AFAICT), but still uses the old configuration file syntax.
ARCH testers: please ignore 2.0.3 (it is experimental, borked and needs to go), but concentrate on 1.10 and 2.0.5.
Vulnerable versions 1.7 and 1.8.3 already removed. 1.9 will go as soon as 1.10 goes stable on x86...
2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha.
(In reply to comment #25)
> concentrate on 1.10 and 2.0.5
> 2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha
I tested 2.0.5 with apache and marked it stable on alpha. If you want 1.10 stable on alpha, please re-add us.
2.0.5 ppc stable
x86 done. The p.mask entry is still there, it can be removed now :)
removed last vulnerable version
AFAICT all systems set to go :)
Ok, unmasked - ready for GLSA vote. I'm not sure yet
I vote yes. This defeats the whole point of using pound by introducing a lot of vulnerabilities.
Mmm... not sure, I don't understand it all: I would vote a half-yes.
voting yes, let's have a glsa
Ok, seems like there is no maintainer and nobody bothers to bump it, so I masked it since the revbump takes longer than I thought... Will send a mail to -dev soon; if nobody replies in 24h then we'll probably have to issue a tempglsa (should've been done looong ago...).
Crap, wrong bug... forget my comment above, sorry :(