Debian Bug report logs - #642956
pu: package apache2/2.2.16-6+squeeze4

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 25 Sep 2011 22:36:34 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.3

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#642956; Package release.debian.org. (Sun, 25 Sep 2011 22:36:36 GMT)

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 25 Sep 2011 22:36:37 GMT)

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package apache2/2.2.16-6+squeeze4
Date: Mon, 26 Sep 2011 00:34:47 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Please review apache2/2.2.16-6+squeeze4 for inclusion in s-p-u.
It fixes a minor DoS issue, some bugs in the init script and
adds some docs.

The changelog:

 apache2 (2.2.16-6+squeeze4) squeeze; urgency=low
 .
   * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
     if combined with mod_proxy_balancer.
   * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
     Closes: #613969
   * Fix typo in init script. Closes: #615866
   * For multiple instance setups, correctly determine the config dir in the
     init script if it is called via a start/stop link. Closes: #627061
   * Add hint in README.Debian about 403 error with mod_dav PUT.
     Closes: #613438
   * Add hint in README.Debian about how to increase max number of open
     files. Closes: #615632
   * Make it clear in README.multiple-instances that the MPMs are shipped
     in the apache2.2-bin package.
   * Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.

Full debdiff is at

http://people.debian.org/~sf/2.2.16-6+squeeze4.debdiff

 debian/README.Debian                                  |   12 ++++++++++
 debian/README.multiple-instances                      |   11 +++++++--
 debian/apache2.2-common.apache2.init                  |   14 +++++++++---
 debian/changelog                                      |   19 +++++++++++++++++
 debian/patches/00list                                 |    1 
 debian/patches/034_apxs2_libtool_fixtastic            |    2 -
 debian/patches/087_mod_proxy_ajp_CVE-2011-3348.dpatch |   20 ++++++++++++++++++
 7 files changed, 71 insertions(+), 8 deletions(-)

Thanks.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#642956; Package release.debian.org. (Mon, 26 Sep 2011 13:58:29 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 26 Sep 2011 13:58:29 GMT)

Message #10 received at 642956@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Stefan Fritsch <sf@sfritsch.de>, 642956@bugs.debian.org
Subject: Re: Bug#642956: pu: package apache2/2.2.16-6+squeeze4
Date: Mon, 26 Sep 2011 14:44:40 +0100
On Mon, 2011-09-26 at 00:34 +0200, Stefan Fritsch wrote:
> Please review apache2/2.2.16-6+squeeze4 for inclusion in s-p-u.
> It fixes a minor DoS issue, some bugs in the init script and
> adds some docs.

Thanks for this.  A couple of queries:

>    * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
>      if combined with mod_proxy_balancer.

As far as I can tell from the upload history and the security tracker,
this is still unfixed in unstable - is that correct?

>    * Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch.

Does the result still work with squeeze's tools?

Regards,

Adam

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#642956; Package release.debian.org. (Mon, 26 Sep 2011 16:33:43 GMT)

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 26 Sep 2011 16:33:43 GMT)

Message #15 received at 642956@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 642956@bugs.debian.org
Subject: Re: Bug#642956: pu: package apache2/2.2.16-6+squeeze4
Date: Mon, 26 Sep 2011 18:31:20 +0200
On Monday 26 September 2011, Adam D. Barratt wrote:
> On Mon, 2011-09-26 at 00:34 +0200, Stefan Fritsch wrote:
> > Please review apache2/2.2.16-6+squeeze4 for inclusion in s-p-u.
> > It fixes a minor DoS issue, some bugs in the init script and
> > adds some docs.
> 
> Thanks for this.  A couple of queries:
> >    * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
> >      if combined with mod_proxy_balancer.
> 
> As far as I can tell from the upload history and the security
> tracker, this is still unfixed in unstable - is that correct?

Yes. It's included in upstream 2.2.21 which I will upload to unstable 
shortly. So, the patch has already seen some use and is unlikely to 
introduce regressions.

> 
> >    * Tweak patch header to fix "dpatch unapply" with unstable's
> >    patch/dpatch.
> 
> Does the result still work with squeeze's tools?

Good question. Yes, I have just tried it.

Cheers,
Stefan

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#642956; Package release.debian.org. (Tue, 27 Sep 2011 09:46:00 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 27 Sep 2011 09:46:07 GMT)

Message #20 received at 642956@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Stefan Fritsch <sf@sfritsch.de>, 642956@bugs.debian.org
Subject: Re: Bug#642956: pu: package apache2/2.2.16-6+squeeze4
Date: Tue, 27 Sep 2011 10:41:35 +0100
tag 642956 + confirmed squeeze
thanks

On Mon, 2011-09-26 at 18:31 +0200, Stefan Fritsch wrote:
> On Monday 26 September 2011, Adam D. Barratt wrote:
> > On Mon, 2011-09-26 at 00:34 +0200, Stefan Fritsch wrote:
> > > Please review apache2/2.2.16-6+squeeze4 for inclusion in s-p-u.
> > > It fixes a minor DoS issue, some bugs in the init script and
> > > adds some docs.
> > 
> > Thanks for this.  A couple of queries:
> > >    * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
> > >      if combined with mod_proxy_balancer.
> > 
> > As far as I can tell from the upload history and the security
> > tracker, this is still unfixed in unstable - is that correct?
> 
> Yes. It's included in upstream 2.2.21 which I will upload to unstable 
> shortly. So, the patch has already seen some use and is unlikely to 
> introduce regressions.

Please go ahead; thanks.

Regards,

Adam

Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 27 Sep 2011 09:46:10 GMT)

Added tag(s) pending. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 07 Oct 2011 07:06:04 GMT)

Bug marked as fixed in version 6.0.3; send any further explanations to Stefan Fritsch <sf@sfritsch.de>. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 08 Oct 2011 16:57:29 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Nov 2011 07:37:49 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 22:12:08 2014; Machine Name: buxtehude.debian.org