Your message dated Wed, 22 Aug 2012 21:32:04 +0000
with message-id <e1t4iwy-00009w...@franck.debian.org>
and subject line Bug#683984: fixed in libapache2-mod-rpaf 0.5-3+squeeze1
has caused the Debian Bug report #683984,
regarding libapache2-mod-rpaf: potential Denial of Service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
683984: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683984
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-rpaf
Severity: critical
Tags: security
Version: 0.5-3

Sébastien Bocahu reported to the security team:
> (...) 
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
> 
> I tested three environments, all of them running Debian squeeze with the latest
> Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
> 
> As far as I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6
> patch that was applied by Debian exposes Apache to segfaults under specific
> crafted requests.
> 
> The magic request is the following:
>   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com" reverseproxy
> 
> Apache processes will segfault, hence a potential DoS issue.
> 
> I have taken notes for myself and people I am working with.
> You can find these notes on
> http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial
> 
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).

Please prepare a minimal patch for stable and contact the security team to update the package.

Thanks, luciano

--- End Message ---
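As an added example (not mod_rpaf's code and not part of this bug report), the following C function does what the package description says the module does, take the last address from X-Forwarded-For, but validates the value with inet_pton and bounds its length, so a malformed entry such as the crafted `1'"5000` value above is rejected instead of parsed. The header values in main are constructed samples.

```c
/* Added example (not mod_rpaf's code): extract and validate the last
 * address in an X-Forwarded-For header without trusting its contents.
 * Returns 1 and copies the address into out (size outlen) when the last
 * comma-separated element is a well-formed IPv4 or IPv6 literal, 0 otherwise. */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define XFF_MAX_ADDR 45   /* longest textual IPv6 address */

int xff_last_addr(const char *xff, char *out, size_t outlen)
{
    if (xff == NULL || out == NULL || outlen < XFF_MAX_ADDR + 1)
        return 0;
    const char *end = xff + strlen(xff);
    const char *comma = strrchr(xff, ',');
    const char *start = comma ? comma + 1 : xff;
    /* trim whitespace around the last element */
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t len = (size_t)(end - start);
    if (len == 0 || len > XFF_MAX_ADDR)   /* empty or oversized: reject */
        return 0;
    char buf[XFF_MAX_ADDR + 1];
    memcpy(buf, start, len);
    buf[len] = '\0';
    unsigned char addr[16];
    /* inet_pton accepts only real IP literals; "1'\"5000" is rejected here */
    if (inet_pton(AF_INET, buf, addr) != 1 && inet_pton(AF_INET6, buf, addr) != 1)
        return 0;
    memcpy(out, buf, len + 1);
    return 1;
}

int main(void)
{
    /* constructed sample header values, including the one from the bug report */
    const char *samples[] = { "203.0.113.7, 10.0.0.1", "2001:db8::1", "1'\"5000", "" };
    char out[XFF_MAX_ADDR + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               xff_last_addr(samples[i], out, sizeof out) ? out : "(rejected)");
    return 0;
}
```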
--- Begin Message ---
Source: libapache2-mod-rpaf
Source-Version: 0.5-3+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-rpaf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpic...@gmail.com> (supplier of updated libapache2-mod-rpaf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Thu, 09 Aug 2012 23:51:10 +0400
Source: libapache2-mod-rpaf
Binary: libapache2-mod-rpaf
Architecture: source amd64
Version: 0.5-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Sergey B Kirpichev <skirpic...@gmail.com>
Changed-By: Sergey B Kirpichev <skirpic...@gmail.com>
Description: 
 libapache2-mod-rpaf - module for Apache2 which takes the last IP from the 'X-Forwarded-
Closes: 683984
Changes: 
 libapache2-mod-rpaf (0.5-3+squeeze1) stable-security; urgency=high
 .
   * New maintainer (See: #636732)
   * Edit 030_ipv6.patch to fix DOS via crafted X-Forwarded-For
     header (Closes: #683984, thanks to Sébastien Bocahu)


--- End Message ---