Bug#941202: apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager

[Daniel Cadden]

Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting
to access details of a member in a mod_proxy_balancer http balancer via the
balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid
139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in
balancer-manager cross-site access, referer:
http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68
"

The net effect of this is an inability to dynamically change the status of
members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749:
https://svn.apache.org/viewvc?view=revision&revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert  <none>

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information

--