Package: apache2-bin
Version: 2.4.25-3+deb9u4
Severity: important
Tags: patch upstream
Dear Maintainer,

Some of our Debian Stretch based Apache webservers suffer from intermittent connection timeouts. We have been trying to pin down the problem for a while, and eventually we found this bug report in Apache's Bugzilla, which seems to fit our problem perfectly:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60956

The short version of the story is that under very specific circumstances, Apache will stop accepting new connections until a certain timeout has occurred. The source of this behaviour is in the event MPM's code for cleaning up stale connections, which may block in an unexpected way. It seems that the bug has been present in Apache since v2.4.12 and has been fixed in v2.4.28. The bug report above contains a patch that fixes the problem.

I suspect that this isn't a real problem for many users, because it took the upstream community a long time to find it, and it doesn't seem to be a common issue if you start looking around. However, I have been able to identify this problem on almost all of our Stretch webservers, even if its occurrences are quite rare. Some of our less-loaded servers only show it once every few weeks. One of them, however, has been suffering from it multiple times daily for the past couple of weeks, up to a point where Apache was considered unusable. Also, we are not the only ones having this problem; for example, see:

https://serverfault.com/questions/819717/apache-event-mpm-hangs-sporadicly

On top of that, if the circumstances are right, the bug can be triggered by a malicious client, leading to denial of service. As such, I would think this can be considered a security vulnerability.

Given that this is a real bug, having the scent of a security problem, that causes a real problem for us and at least a few other people, I kindly request that you see if the patch from the mentioned Bugzilla report can be applied to Apache 2.4.25 in Stretch. I already know it doesn't apply cleanly, and I don't have the necessary C skills to reliably backport the changes, I'm afraid. We 'solved' the problem in our shop by backporting Apache 2.4.33 from Buster to Stretch, but you'll understand that this is not a great solution from a security perspective.

-- Package-specific info:

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u3
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2l-2+deb9u3
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u4
ii  zlib1g                   1:1.2.8.dfsg-5

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                         <none>
pn  apache2-suexec-pristine | apache2-suexec-custom     <none>
ii  lynx [www-browser]                                  2.8.9dev11-1

Versions of packages apache2 depends on:
ii  apache2-data         2.4.25-3+deb9u4
ii  apache2-utils        2.4.25-3+deb9u4
ii  dpkg                 1.18.24
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u4
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                         <none>
pn  apache2-suexec-pristine | apache2-suexec-custom     <none>
ii  lynx [www-browser]                                  2.8.9dev11-1

Versions of packages apache2-bin is related to:
ii  apache2      2.4.25-3+deb9u4
ii  apache2-bin  2.4.25-3+deb9u4

-- no debconf information
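The report above describes a hang in which Apache keeps its listening socket open but stops accepting new connections until a timeout fires, and notes that the only symptom seen from outside was intermittent client-side timeouts. The probe below is an added example written for this page; it is not part of the bug report, of the Apache project, or of the Debian package. It tells apart the signature of that hang (the TCP handshake completes, because the kernel still queues connections into the listen backlog while the MPM is not calling accept(), but no HTTP response ever arrives) from a refused connection, a connect timeout and a healthy response. The in-process fake server it ships with is a constructed test double so the example runs offline; it imitates the externally visible behaviour of a wedged listener and does not reproduce the event MPM bug itself.

```python
import socket
import sys
import threading
import time

# States the probe reports. During the hang described in the report the kernel
# still completes handshakes into the listen backlog, so clients usually see
# "response_timeout" first and "connect_timeout" only once the backlog fills.
STATES = ("ok", "refused", "connect_timeout", "response_timeout", "error")


def probe_http(host, port, timeout=5.0, path="/"):
    """Connect, send a minimal HTTP/1.0 request and wait for the status line.

    Returns {'state': one of STATES, 'status': HTTP code or None,
             'elapsed': seconds}. Network failures never raise.
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"state": "connect_timeout", "status": None, "elapsed": time.monotonic() - start}
    except ConnectionRefusedError:
        return {"state": "refused", "status": None, "elapsed": time.monotonic() - start}
    except OSError:
        return {"state": "error", "status": None, "elapsed": time.monotonic() - start}

    request = "GET {} HTTP/1.0\r\nHost: {}\r\nConnection: close\r\n\r\n".format(path, host)
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(request.encode("ascii"))
            # Read until the end of the status line or until the peer closes.
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            # Handshake succeeded but nobody answered: the outside view of a
            # listener that is blocked instead of accepting.
            return {"state": "response_timeout", "status": None, "elapsed": time.monotonic() - start}
        except OSError:
            return {"state": "error", "status": None, "elapsed": time.monotonic() - start}

    elapsed = time.monotonic() - start
    parts = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return {"state": "ok", "status": int(parts[1]), "elapsed": elapsed}
    return {"state": "error", "status": None, "elapsed": elapsed}


def start_fake_server(respond):
    """Constructed test double, NOT Apache: listens on 127.0.0.1.

    respond=True  answers every request with a 200 status line (healthy).
    respond=False completes the TCP handshake but never answers, which is
                  what a client observes while the listener is wedged.
    Returns (port, shutdown); call shutdown() to stop the server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.1)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []  # silently held connections in "wedged" mode

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if respond:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                except OSError:
                    pass
                finally:
                    conn.close()
            else:
                held.append(conn)
        for c in held:
            c.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def shutdown():
        stop.set()
        thread.join()

    return port, shutdown


def demo():
    """Probe a healthy and a wedged fake server; returns the observed states."""
    observed = {}
    for name, respond in (("healthy", True), ("wedged", False)):
        port, shutdown = start_fake_server(respond)
        try:
            observed[name] = probe_http("127.0.0.1", port, timeout=1.0)["state"]
        finally:
            shutdown()
    return observed


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    r = probe_http(host, port)
    print("{}:{} -> {} (status={}, {:.2f}s)".format(host, port, r["state"], r["status"], r["elapsed"]))
    sys.exit(0 if r["state"] == "ok" else 1)
```

Run it from a monitoring host against port 80 or 443 (plain HTTP only; for TLS listeners wrap the socket with ssl before sending) at a short interval. A burst of response_timeout results on a server that normally answers within milliseconds, clearing on its own after a fixed delay, matches the symptom described in the report; refused or connect_timeout results point at something else (process not running, backlog exhausted, or a firewall) and are worth separating in alerting so the two failure modes are not lumped together.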