Your message dated Fri, 04 Sep 2009 18:31:38 +0000
with message-id <e1mjdzs-00061i...@ries.debian.org>
and subject line Bug#536718: fixed in apache2 2.2.9-10+lenny4
has caused the Debian Bug report #536718,
regarding apache2: CVE-2009-1890 denial-of-service vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
536718: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.
CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.
Patches are available [0]. Please coordinate with the security team to
prepare updates for the stable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://security-tracker.debian.net/tracker/CVE-2009-1890
--- End Message ---
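The CVE text above describes a reverse proxy that mishandles a streamed request body longer than its declared Content-Length. The following is an added illustrative model written for this page, not code from Apache httpd or from the bug reporter: a minimal bounded body forwarder whose names (`forward_bounded_body`, the `body_status` values, the chunk-size array standing in for brigades) are assumptions, showing the defensive check that an overrun must be treated as an error rather than as a condition to keep looping on.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of forwarding a request body that carries a Content-Length.
 * Simplified model for illustration, not mod_proxy_http's own logic. */
typedef enum {
    BODY_OK = 0,       /* exactly cl_val bytes forwarded, then stop */
    BODY_OVERRUN = 1,  /* more bytes arrived than declared: reject */
    BODY_SHORT = 2     /* EOS arrived before cl_val bytes: truncated */
} body_status;

/* chunks[i] is the size of the i-th read from the input filters; a size
 * of 0 stands for the EOS marker. cl_val is the declared Content-Length.
 * *out_streamed receives the byte count seen when the function returns. */
body_status forward_bounded_body(const size_t *chunks, size_t nchunks,
                                 long cl_val, long *out_streamed)
{
    long bytes_streamed = 0;

    for (size_t i = 0; i < nchunks; i++) {
        if (chunks[i] == 0)            /* upstream signalled EOS */
            break;
        bytes_streamed += (long)chunks[i];

        /* The check a defender wants: a loop that only tests for
         * equality with cl_val has no exit once the count has passed
         * it, so an overrun must be an explicit error path. */
        if (bytes_streamed > cl_val) {
            *out_streamed = bytes_streamed;
            return BODY_OVERRUN;
        }
        if (bytes_streamed == cl_val)  /* declared length reached: stop */
            break;
    }
    *out_streamed = bytes_streamed;
    return bytes_streamed == cl_val ? BODY_OK : BODY_SHORT;
}

int main(void)
{
    /* constructed sample reads: Content-Length 300 in both cases */
    const size_t good[] = {100, 200, 0};
    const size_t over[] = {100, 250, 0};
    long n;
    printf("good: status %d\n", forward_bounded_body(good, 3, 300, &n));
    printf("over: status %d after %ld bytes\n",
           forward_bounded_body(over, 3, 300, &n), n);
    return 0;
}
```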
--- Begin Message ---
Source: apache2
Source-Version: 2.2.9-10+lenny4
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-dbg_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-dbg_2.2.9-10+lenny4_i386.deb
apache2-doc_2.2.9-10+lenny4_all.deb
to pool/main/a/apache2/apache2-doc_2.2.9-10+lenny4_all.deb
apache2-mpm-event_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny4_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
apache2-src_2.2.9-10+lenny4_all.deb
to pool/main/a/apache2/apache2-src_2.2.9-10+lenny4_all.deb
apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
apache2-suexec_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-suexec_2.2.9-10+lenny4_i386.deb
apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
apache2-utils_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.9-10+lenny4_i386.deb
apache2.2-common_2.2.9-10+lenny4_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.9-10+lenny4_i386.deb
apache2_2.2.9-10+lenny4.diff.gz
to pool/main/a/apache2/apache2_2.2.9-10+lenny4.diff.gz
apache2_2.2.9-10+lenny4.dsc
to pool/main/a/apache2/apache2_2.2.9-10+lenny4.dsc
apache2_2.2.9-10+lenny4_all.deb
to pool/main/a/apache2/apache2_2.2.9-10+lenny4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 536...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 14 Jul 2009 21:53:01 +0200
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apa...@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-src - Apache source code
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-common - Apache HTTP Server common files
Closes: 534712 536718
Changes:
apache2 (2.2.9-10+lenny4) stable-security; urgency=high
.
  * Security fixes:
    - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
      Also prevent compressing the content for HEAD requests.
--- End Message ---