Thanks for everyone's work on this - much appreciated.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1366174
Title:
apache2 SEGV with multiple SSL sites
To manage notifications about this bug go to
This bug was fixed in the package apache2 - 2.4.7-1ubuntu4.4
---
apache2 (2.4.7-1ubuntu4.4) trusty-security; urgency=medium
* SECURITY UPDATE: HTTP header replacement via HTTP trailers (LP: #1425141)
- debian/patches/CVE-2013-5704.patch: don't merge trailers by default
and
http://people.canonical.com/~ubuntu-archive/pending-sru.html indicates
there is allegedly a regression in svn. Last build is here:
https://jenkins.qa.ubuntu.com/job/trusty-adt-subversion/lastBuild/ARCH=amd64,label=adt/ and indeed the build log
shows a failure here: https://jenkins.qa.ubuntu.com/jo
Thanks. Verified that this works with the original test cases, and
marked verification-done.
** Tags removed: verification-needed
** Tags added: verification-done
Hello Alex, or anyone else affected,
Accepted apache2 into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.2 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://w
Thanks Robie.
If it helps, we have been running this patch on many tens of machines
since early Nov 2014 (so approximately 4 months) without any ill
effects, with and without SSL (though we don't use stapling).
I've spent a few hours over the last couple of days reviewing this in
detail. I've gone over Alex's proposed patch to Trusty carefully, making
sure I understand every line in the context of the existing code. I've
also carefully gone through upstream's review comments, and upstream's
commit to thei
Any update on this one?
Robie: can I ping you once more re the backport to trusty?
Robie: I've verified that the Vivid version works fine. Can I ping you
re getting the SRU done for Trusty?
This bug was fixed in the package apache2 - 2.4.10-8ubuntu2
---
apache2 (2.4.10-8ubuntu2) vivid; urgency=medium
* Allow "triggers-awaited" and "triggers-pending" states in addition to
"installed" when determining whether to defer actions or process
deferred actions (LP: #139
2.4.10-8ubuntu1 is now in vivid-proposed and should fix this bug for
Vivid and for future releases, but it won't land in Vivid itself until
bug 1393832 is fixed. I'd like to focus on this SRU before working on
that bug.
Alex, could you please verify that the bug is fixed in vivid-proposed
for you?
Thanks Stefan, I didn't consider that.
I started with a merge of 2.4.10-7 that's now stuck in vivid-proposed
due to bug 1393832 which I've just filed. I could re-merge 2.4.10-8
though, and then continue with the SRU - no need to block the SRU on
this.
> Looks like Vivid will need to either cherry-pick this, or a merge may be
> sufficient
> since your message says you picked r1629372, r1629485, r1629519 and Debian
> 2.4.10-6 reports to have picked everything up to r1632831 but I need to check
> this.
The commits mentioned by Alex are in the tr
Robie: no apology needed, and yes I would be happy to check Vivid.
Thanks Alex. I'm sorry I've been slow. I'm still not back at work as
normal but I'll try to look at this now.
Just to log what I've seen so far:
Looks like Vivid will need to either cherry-pick this, or a merge may be
sufficient since your message says you picked r1629372, r1629485,
r1629519 and
Robie: this is me poking you after a couple of weeks, as requested.
I have added [Impact] and [Regression potential] sections.
Do the SRU requirements mean we need a patch for U too? I'm not sure
what "current development release" means right now given that U is out.
I believe the upstream 2.4.10 patch should apply straight to U. It's
upstream, so V will presumab
I have attached a backport to 2.4.7 to this comment. This is a backport
of the backport to 2.4.x in upstream svn. More details in the commit
message.
This is a straight patch to the source (produced from git) rather than a
proper packaged up patch, if you see what I mean.
I've put this up on gith
> Any chance this can now be backported to Trusty? The impact is pretty
> severe.
It sounds like a good candidate, though I haven't reviewed the patch
yet. I'm away at the moment, so if somebody else wants to work on this
in the meantime, please feel free. The process is documented at
https://wiki.u
This has now been merged into 2.4. See
https://issues.apache.org/bugzilla/show_bug.cgi?id=54357
Any chance this can now be backported to Trusty? The impact is pretty
severe.
** Bug watch added: Apache Software Foundation Bugzilla #54357
http://issues.apache.org/bugzilla/show_bug.cgi?id=54357
The fix for this is now committed in trunk. A 2.4 backport is
available. See:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?r1=1631030&r2=1631029
Patch (per the above) at:
https://people.apache.org/~kbrand/mod_ssl-2.4.x-PR54357.diff
Thanks Alex. I'd prefer to wait to see if a proper fix is committed
upstream in the next few weeks, so as we don't have to risk regressions
to Trusty users twice (and go through the SRU process twice, etc).
If a fix doesn't happen "soon", then maybe we should push your
workaround back to Trusty, a
The attachment "Patch to avoid calling certinfo_free (ugly workaround)"
seems to be a patch. If it isn't, please remove the "patch" flag from
the attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by
I can confirm that the above workaround fixes 2.4.7, both my testcase
and our real world version. I attach a patch. This is probably 'better
than nothing'.
** Patch added: "Patch to avoid calling certinfo_free (ugly workaround)"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1366174/+a
Robie: removing the reference to certinfo_free where
X509_get_ex_new_index is called within ssl_stapling_ex_init works around
the 2.4.10 bug at the expense of a memory leak. I haven't (yet) verified
this entirely fixes 2.4.7 though I suspect it will. I'll test that in a
bit.
Obviously this solutio
Thank you for the detailed investigation upstream.
> If it's going to be difficult to fix this against 2.4.7, would getting
> 2.4.10 (the Utopic version) into trusty-backports be permissible? That
> way at least I'd get security updates. I can confirm this builds out of
> the box with no issues.
I thin
Turns out 2.4.10 also has the bug after all (it's just more difficult to
trigger). I think I have found the root cause. I've put details
upstream.
Robie: that attitude is quite understandable. I'm willing to do some work
bisecting it, but I fear the root problem is going to be that addressed by
this commit:
http://svn.apache.org/viewvc?view=revision&revision=1573360
The ssl_pphrase_Handle routine is misleadingly named, and in fact is pretty
m
Thank you for taking the time to report this bug and helping to make
Ubuntu better, and for filing the upstream bug and investigating
further.
I'm worried about the regression risk of pushing for an update to 2.4.10
in Ubuntu; the changelog looks scary here, I can see some entries that
suggest tha
** Also affects: apache2 via
http://issues.apache.org/bugzilla/show_bug.cgi?id=56919
Importance: Unknown
Status: Unknown
The number of sites required appears to vary. Also it appears to be
necessary to have mod php5 enabled.
Actually "DBDriver pgsql" causes the issue, but not "DBDriver mysql",
and it can be outside the virtual host block. So I think this might be a
pgsql driver issue.
Reported upstream at:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56919
** Bug watch added: Apache Software Foundation Bugzill
I think I've got about the minimal case for replication. Attached is a
tiny perl script which generates a number of SSL sites of the form:
ServerName 127.0.0.1:$port
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl
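As an added illustration of the reproduction setup above (not the Perl script attached to the comment, and not code from the apache2 package), here is a small Python generator that emits N SSL sites of the same shape, so a build can be checked for the crash on a test host. The `Listen` lines and the `<VirtualHost>` wrapper are my assumption about what the attached script produced; the key path default is a placeholder because the page truncates it; the optional `DBDriver` line reflects the earlier comment that `DBDriver pgsql` outside the virtual host block was enough to trigger the issue (the comment also says mod php5 had to be enabled, which this script does not do).

```python
"""Generate Apache config with N SSL virtual hosts of the form described in
the bug report (ServerName 127.0.0.1:$port, SSLEngine on, cert and key).

Added example, not the reporter's attached Perl script.  Assumptions:
- each site gets its own Listen line and <VirtualHost> block (assumed shape)
- the key path default is a PLACEHOLDER; the page truncates the real one
- DBDriver, when requested, is emitted once at global scope, outside any
  vhost block, as the reporter observed was sufficient to trigger the bug
"""

CERT_DEFAULT = "/etc/ssl/certs/ssl-cert-snakeoil.pem"   # path given on the page
KEY_DEFAULT = "/etc/ssl/private/PLACEHOLDER-key.pem"     # placeholder (page truncates it)

VHOST_TEMPLATE = """<VirtualHost 127.0.0.1:{port}>
    ServerName 127.0.0.1:{port}
    SSLEngine on
    SSLCertificateFile {cert}
    SSLCertificateKeyFile {key}
</VirtualHost>
"""


def generate_sites(count, base_port=8443, cert=CERT_DEFAULT, key=KEY_DEFAULT,
                   dbdriver=None):
    """Return config text with `count` SSL vhosts on consecutive ports
    starting at `base_port`.  `dbdriver` (e.g. "pgsql") adds one global
    DBDriver directive before the vhost blocks."""
    if count < 1:
        raise ValueError("need at least one site")
    parts = [f"Listen {base_port + i}\n" for i in range(count)]
    if dbdriver:
        parts.append(f"DBDriver {dbdriver}\n")
    for i in range(count):
        parts.append(VHOST_TEMPLATE.format(port=base_port + i, cert=cert, key=key))
    return "".join(parts)


def count_ssl_vhosts(config_text):
    """Count <VirtualHost> blocks that contain 'SSLEngine on'; a quick shape
    check on the generated file before handing it to httpd -t / a restart."""
    n = 0
    in_block = False
    ssl_on = False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("<VirtualHost"):
            in_block, ssl_on = True, False
        elif s == "</VirtualHost>":
            if in_block and ssl_on:
                n += 1
            in_block = False
        elif in_block and s.lower().startswith("sslengine on"):
            ssl_on = True
    return n


if __name__ == "__main__":
    import sys
    sites = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    sys.stdout.write(generate_sites(sites, dbdriver="pgsql"))
```

Run it with the number of sites as the first argument and redirect the output into a file under the test host's sites-enabled directory; the comment above notes that the number of sites needed to trigger the crash varied, so start small and increase.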