Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 62626 - net-www/apache <=2.0.50: input filter bug in mod_ssl
Summary: net-www/apache <=2.0.50: input filter bug in mod_ssl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: A3 [glsa] vorlon
Keywords:
: 62623 63605 (view as bug list)
Depends on:
Blocks: 63948 64145
  Show dependency tree
 
Reported: 2004-09-02 07:48 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-02 07:48:18 UTC
Hope this isn't a dupe again ;-) but I couldn't find the patch from the apache bugzilla being used.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964

Debian fixed it with this upload on 23 Aug:
"apache2 (2.0.50-11) unstable; urgency=high
 .
   * Add two patches from upstream to address two vulnerabilities in mod_ssl:
     - CAN-2004-0748 is a potential infinite loop in the SSL input filter
       which can be triggered by an aborted connection.
     - CAN-2004-0751 is a potential segfault in the SSL input filter which
       can be triggered by the response to request which is proxied to a
       remote SSL server.
"

The RH advisory (errata) reads as follows:

Updated httpd packages fix mod_ssl security flaw
Advisory: 	RHSA-2004:349-10
Last updated on: 	2004-09-01
CVEs (cve.mitre.org): 	CAN-2004-0748

[...]

Details:

Updated httpd packages that include a security fix for mod_ssl and various
enhancements are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An input filter bug in mod_ssl was discovered in Apache httpd version
2.0.50 and earlier. A remote attacker could force an SSL connection to be
aborted in a particular state and cause an Apache child process to enter an
infinite loop, consuming CPU resources. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to
this issue.

Additionally, this update includes the following enhancements and bug fixes:
[...]

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 08:02:10 UTC
*** Bug 62623 has been marked as a duplicate of this bug. ***
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 08:04:57 UTC
Zul: this one if for you. 2.0.50-r1 is needed :)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-06 09:08:47 UTC
zul is not responding, please bump.
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-09-06 13:18:31 UTC
Please assign Apache security bugs to the apache herd next time ;-)

Best regards,
Stu
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-09-07 15:08:24 UTC
Thanks to ferringb's help to work around a repoman bug, apache-2.0.50-r1 is now in the tree, and ready for the arch teams to do their stuff.

Best regards,
Stu
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-08 00:17:17 UTC
Arches please mark apache-2.0.50-r1 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-08 07:08:38 UTC
sparc stable.
Comment 8 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-08 13:26:58 UTC
ppc stable
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2004-09-08 15:12:06 UTC
x86 stable
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-08 19:04:48 UTC
Stable on alpha.
Comment 11 SpanKY gentoo-dev 2004-09-08 19:47:45 UTC
amd64/arm/hppa/ia64 stable now ... was there a particular reason 2.0.50-r1 didnt have ~ KEYWORDS in them ?  i would have noticed the upgrade on all my machines a lot earlier if it had ...
Comment 12 Joshua Kinard gentoo-dev 2004-09-08 21:49:29 UTC
Stable on mips.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-09 02:27:02 UTC
This only fixed CAN-2004-0748 afaik. There is still CAN-2004-0751 as mentioned in the debian changelog and this Secunia advisory: http://secunia.com/advisories/12434/

Debian seems to patch CAN-2004-0751 with "diff -u -r1.125 -r1.126" as proposed in 
http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-09 05:08:22 UTC
apache-bugs please confirm that CAN-2004-0751 is also fixed or apply patches.

Secunia propose these two patches to fix the issues:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.121&r2=1.122

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-09-11 02:48:47 UTC
*** Bug 63605 has been marked as a duplicate of this bug. ***
Comment 16 Stuart Herbert (RETIRED) gentoo-dev 2004-09-13 06:44:44 UTC
Patches updated; added to apache-2.0.50-r2.

Best regards,
Stu
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-13 07:33:57 UTC
arches, please mark apache-2.0.50-r2 stable

current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-13 08:24:17 UTC
Sparc stable.
Comment 19 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-13 08:26:59 UTC
stable on ppc
Comment 20 Guy Martin (RETIRED) gentoo-dev 2004-09-13 11:05:39 UTC
Stable on hppa.
Comment 21 Danny van Dyk (RETIRED) gentoo-dev 2004-09-13 16:05:13 UTC
Stable on amd64
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:08:04 UTC
Arches: due to bug 63948, we'll have to issue a new rev for Apache2, so you can stop testing the current one... Sorry about that.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:42:14 UTC
2.0.50-r3 is in... that version should be marked stable to also fix bug 63948
Comment 24 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-14 07:16:26 UTC
Sparc done with -r3.
Comment 25 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-14 17:21:25 UTC
stable on ppc. 
Comment 26 Danny van Dyk (RETIRED) gentoo-dev 2004-09-14 17:52:45 UTC
stable on amd64.

Apache herd: i get 13 file.size complaints from repoman FYI !

You've got around 450kB uncompressed patches in the tree ! (and that's only the sum of those files which are larger than 20kb)
Comment 27 Guy Martin (RETIRED) gentoo-dev 2004-09-15 02:42:49 UTC
Stable on hppa.
Comment 28 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-15 06:39:30 UTC
x86 and amd64 please mark apache-2.0.50-r3 stable
x86, please also mark net-www/mod_dav-1.0.3-r2 stable for bug #63948, so that an GLSA for these issues can be sent, since this bug was opened 2004-09-02
---
status apache-2.0.50-r2 :

current KEYWORDS="~alpha ~amd64 arm hppa ia64 ~mips ppc ~ppc64 sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc  ppc64 sparc s390 x86"

---
btw net-www/mod_dav-1.0.3-r2 is marked ~amd64 which just got introduced in this revision
Comment 29 Danny van Dyk (RETIRED) gentoo-dev 2004-09-15 07:40:24 UTC
-r3 is stable on amd64.
Comment 30 Stuart Herbert (RETIRED) gentoo-dev 2004-09-15 15:32:21 UTC
apache-2.0.51 is now in the tree.  We need another round of stable marking, and I suggest the GLSA goes out suggesting everyone goes from .50 straight to .51.

Best regards,
Stu
Comment 31 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 00:36:44 UTC
Welcome to a new round of stable marking...
Thanks to bug #64145 it's time for a run on apache-2.0.51.

current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc  ppc64 sparc s390 x86"


Better hurry before the next one comes... ;-)
Comment 32 Jochen Maes (RETIRED) gentoo-dev 2004-09-16 01:55:46 UTC
stable on ppc
Comment 33 Stuart Herbert (RETIRED) gentoo-dev 2004-09-16 03:35:54 UTC
Stable on x86.

Kugelfang reports that -51 doesn't start on amd64, but he's had no time to investigate why.  So atm we don't know whether it's a config problem or a code problem.

Best regards,
Stu
Comment 34 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-16 09:08:26 UTC
apache-2.0.51 sparc stable.
Comment 35 Olivier Crete (RETIRED) gentoo-dev 2004-09-16 09:35:51 UTC
x86 has both apache 2.0.51 and mod_dav 1.0.3-r2 stable..
Comment 36 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 13:46:16 UTC
Kugelfang marked 2.0.51 on amd64, this is GLSA-ready
Comment 37 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 13:58:58 UTC
GLSA 200409-21
alpha arm hppa ia64 mips ppc64 s390 : please mark stable to benefit from GLSA
Comment 38 Guy Martin (RETIRED) gentoo-dev 2004-09-16 14:52:39 UTC
Forced quick stablilisation on hppa ...
Comment 39 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-16 15:26:53 UTC
ppc64 stable.
Comment 40 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-17 01:28:12 UTC
Stable on alpha.
Comment 41 Joshua Kinard gentoo-dev 2004-09-20 12:31:30 UTC
mips stable.