DSA 934-1 deals with CVE-2005-1391 (fixed with bug 90851, if I'm not wrong) and CVE-2005-3751: HTTP request smuggling vulnerability in Pound before 1.9.4 allows remote attackers to poison web caches, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with conflicting Content-length and Transfer-encoding headers.
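Added example (not part of the original report and not Pound's code): the conflicting-header condition described above, written as a check a front-end proxy can run on a request head before forwarding it. The enum and function names are hypothetical, and the sample request is constructed; treating a request with both headers as an error follows RFC 7230 section 3.3.3.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Verdict for one request head; all names here are hypothetical. */
enum framing { FRAMING_OK, FRAMING_CL_AND_TE, FRAMING_DUP_CL, FRAMING_BAD_CL };
/* If the line starts with "<name>:" (any case), return its value, else NULL. */
static const char *header_value(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || strncasecmp(line, name, n) != 0 || line[n] != ':')
        return NULL;
    return line + n + 1 + strspn(line + n + 1, " \t");
}

/* head: NUL-terminated request line plus header lines, as received. */
enum framing check_framing(const char *head)
{
    int seen_te = 0, seen_cl = 0, digits;
    unsigned long long cl = 0, n;
    const char *v, *eol, *p = strchr(head, '\n');   /* skip the request line */
    while (p && *++p && *p != '\r' && *p != '\n') { /* blank line ends head */
        eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        seen_te |= header_value(p, len, "Transfer-Encoding") != NULL;
        if ((v = header_value(p, len, "Content-Length")) != NULL) {
            for (n = 0, digits = 0; isdigit((unsigned char)*v) && digits < 19; v++, digits++)
                n = n * 10 + (unsigned)(*v - '0');
            if (digits == 0 || digits > 18 || (*v != '\r' && *v != '\n' && *v != '\0'))
                return FRAMING_BAD_CL;  /* empty, signed, list or oversized */
            if (seen_cl && n != cl)
                return FRAMING_DUP_CL;  /* two differing lengths */
            seen_cl = 1; cl = n;
        }
        p = eol;
    }
    /* RFC 7230 section 3.3.3: a request with both headers ought to be an error. */
    return (seen_te && seen_cl) ? FRAMING_CL_AND_TE : FRAMING_OK;
}

int main(void)
{
    /* Constructed sample request carrying both framing headers. */
    const char *req = "POST / HTTP/1.1\r\nHost: a.example\r\n"
                      "Content-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n";
    printf("verdict=%d\n", check_framing(req));
    return 0;
}
```

Any verdict other than FRAMING_OK means the request should be answered with 400 and the connection closed rather than passed to the back end.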
www-servers, please provide fixed packages. thx in advance.
Fixed in 1.9.4, please bump to that version.
Taviso / Tigger / Solar / Vapier please try to provide an updated ebuild.
Package bumped to version 2.0.3 due to maintainer timeout. 2006-01-10 - today 1.9.4 no longer exists. Arch maintainers: Upstream marks 2.0 as the stable version but asks for testing on the 2.0.3 so please give that a run first. ( http://www.apsis.ch/pound/ ) If it's a problem copy the 2.0.3 to 2.0 and run with that one including checking it in. thanks. www-servers if you are no longer interested in maintaining pound please update the metadata.xml accordingly.
Archs please test and mark stable following comment #4
Using the default config file (/etc/pound.cfg) pound does not start.
    Mar 19 10:36:47 [pound] starting...
    Mar 19 10:36:57 [pound] unknown directive "User__nobody" - aborted
I definitely have a user nobody...
    topcat ~ # grep nobody /etc/passwd
    nobody:x:65534:65534:nobody:/:/bin/false
It compiles without any warnings and installed on alpha, but I haven't done any other testing because of the config file issue. The config file doesn't work with pound 2.0 either.
Created attachment 83133: pound-2.x config
The syntax looks like it changed. This one seems to work for me. Perhaps we can have a pound-2.cfg to copy to /etc/pound.cfg for the 2.x stuff.
(In reply to comment #7)
> Created an attachment (id=83133)
> pound-2.x config
The config file works for me with pound 2.0.3, thanks! I tested pound on alpha with apache as a backend, and I didn't encounter any problems. Alpha team, please mark stable.
Tested with Apache. No troubles on ppc. I had to use the posted pound-2.x config though. Could we provide those instead of the current one?
I marked alpha the other day, but forgot to update this bug, sorry. Thanks to Thomas for testing.
Before I mark it stable on x86, I'd really like the new config to be provided since the old one won't work at all.
Back to ebuild to get this fixed. Maintainer/padawans please provide a fixed ebuild/patch.
This package does not seem to be maintained by www-servers anymore (comment #4) despite what the metadata.xml says so just update the config and check it in please.
Well, if no one is going to maintain it, we may want to consider just masking it then. Either way works for me at this point in time though.
Stable on ppc
Thanks for testing Matti :)
We should call for a maintainer on gentoo-dev, and mask it if nobody comes.
gentoo-dev mailed (and gentoo-core by accident).
No answer received so I'd say we should mask.
Voting for masking too.
masked it, let's see if a new maintainer pops up or i guess we'll have to show this package the door soon.
Created attachment 86536: patch ebuild to use pound-2.cfg
v2.0.3 works great for me on x86, using it in front of both mediawiki on apache, and sharepoint on IIS (not thoroughly tested here though, as I hate sharepoint).
thank you mike! i just committed 2.0.5 (latest stable version upstream) - ARCHs please test and mark stable... this includes the new config file and the necessary changes to the ebuild (should 2.0.3 be fixed or just removed? i think upstream considers it experimental) i'll remove the old ebuilds as soon as x86 marks 2.0.5 stable
2.0.5 works great for me. Again tested on x86, against mediawiki and sharepoint.
(In reply to comment #22)
> i just committed 2.0.5 (latest stable version upstream) - ARCHs please test and
> mark stable...
Adding missing arches to cc
just added version 1.10 to the tree... this is a version which is fixed wrt this security hole (AFAICT), but still uses the old configuration file syntax.
ARCH testers: please ignore 2.0.3 (it is experimental, borked and needs to go), but concentrate on 1.10 and 2.0.5
vulnerable versions 1.7 and 1.8.3 already removed. 1.9 will go as soon as 1.10 goes stable on x86... 2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha
thanks!
(In reply to comment #25)
> concentrate on 1.10 and 2.0.5
> 2.0.3 will be removed as soon as 2.0.5 goes stable on ppc and alpha
I tested 2.0.5 with apache and marked it stable on alpha. If you want 1.10 stable on alpha, please re-add us.
2.0.5 ppc stable
x86 done. The p.mask entry is still there, it can be removed now :)
removed last vulnerable version AFAICT all system set to go :)
Ok, unmasked - ready for GLSA vote. I'm not sure yet
I vote yes. This defeats the whole point of using pound by introducing a lot of vulnerabilities.
mmm... not sure, i don't understand all : i would vote a half-yes
voting yes, let's have a glsa
ok, seems like there is no maintainer and nobody bothers to bump it, so i masked it since the revbump takes longer than i thought ... will send a mail to -dev soon, if nobody replies in 24h then we'll probably have to issue a tempglsa (should've been done looong ago ...)
crap, wrong bug ... forget my comment above, sorry :(
GLSA 200606-05