Hope this isn't a dupe again ;-) but I couldn't find the patch from the apache bugzilla being used. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964 Debian fixed it with this upload on 23 Aug: "apache2 (2.0.50-11) unstable; urgency=high . * Add two patches from upstream to address two vulnerabilities in mod_ssl: - CAN-2004-0748 is a potential infinite loop in the SSL input filter which can be triggered by an aborted connection. - CAN-2004-0751 is a potential segfault in the SSL input filter which can be triggered by the response to request which is proxied to a remote SSL server. " The RH advisory (errata) reads as follows: Updated httpd packages fix mod_ssl security flaw Advisory: RHSA-2004:349-10 Last updated on: 2004-09-01 CVEs (cve.mitre.org): CAN-2004-0748 [...] Details: Updated httpd packages that include a security fix for mod_ssl and various enhancements are now available. The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue. Additionally, this update includes the following enhancements and bug fixes: [...] References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748 http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
*** Bug 62623 has been marked as a duplicate of this bug. ***
Zul: this one if for you. 2.0.50-r1 is needed :)
zul is not responding, please bump.
Please assign Apache security bugs to the apache herd next time ;-) Best regards, Stu
Thanks to ferringb's help to work around a repoman bug, apache-2.0.50-r1 is now in the tree, and ready for the arch teams to do their stuff. Best regards, Stu
Arches please mark apache-2.0.50-r1 stable
sparc stable.
ppc stable
x86 stable
Stable on alpha.
amd64/arm/hppa/ia64 stable now ... was there a particular reason 2.0.50-r1 didnt have ~ KEYWORDS in them ? i would have noticed the upgrade on all my machines a lot earlier if it had ...
Stable on mips.
This only fixed CAN-2004-0748 afaik. There is still CAN-2004-0751 as mentioned in the debian changelog and this Secunia advisory: http://secunia.com/advisories/12434/ Debian seems to patch CAN-2004-0751 with "diff -u -r1.125 -r1.126" as proposed in http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
apache-bugs please confirm that CAN-2004-0751 is also fixed or apply patches. Secunia propose these two patches to fix the issues: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.121&r2=1.122 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
*** Bug 63605 has been marked as a duplicate of this bug. ***
Patches updated; added to apache-2.0.50-r2. Best regards, Stu
arches, please mark apache-2.0.50-r2 stable current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"
Sparc stable.
stable on ppc
Stable on hppa.
Stable on amd64
Arches: due to bug 63948, we'll have to issue a new rev for Apache2, so you can stop testing the current one... Sorry about that.
2.0.50-r3 is in... that version should be marked stable to also fix bug 63948
Sparc done with -r3.
stable on ppc.
stable on amd64. Apache herd: i get 13 file.size complaints from repoman FYI ! You've got around 450kB uncompressed patches in the tree ! (and that's only the sum of those files which are larger than 20kb)
x86 and amd64 please mark apache-2.0.50-r3 stable x86, please also mark net-www/mod_dav-1.0.3-r2 stable for bug #63948, so that an GLSA for these issues can be sent, since this bug was opened 2004-09-02 --- status apache-2.0.50-r2 : current KEYWORDS="~alpha ~amd64 arm hppa ia64 ~mips ppc ~ppc64 sparc ~x86" target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc s390 x86" --- btw net-www/mod_dav-1.0.3-r2 is marked ~amd64 which just got introduced in this revision
-r3 is stable on amd64.
apache-2.0.51 is now in the tree. We need another round of stable marking, and I suggest the GLSA goes out suggesting everyone goes from .50 straight to .51. Best regards, Stu
Welcome to a new round of stable marking... Thanks to bug #64145 it's time for a run on apache-2.0.51. current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc s390 x86" Better hurry before the next one comes... ;-)
Stable on x86. Kugelfang reports that -51 doesn't start on amd64, but he's had no time to investigate why. So atm we don't know whether it's a config problem or a code problem. Best regards, Stu
apache-2.0.51 sparc stable.
x86 has both apache 2.0.51 and mod_dav 1.0.3-r2 stable..
Kugelfang marked 2.0.51 on amd64, this is GLSA-ready
GLSA 200409-21 alpha arm hppa ia64 mips ppc64 s390 : please mark stable to benefit from GLSA
Forced quick stablilisation on hppa ...
ppc64 stable.
mips stable.