Likely related (or even duplicate): LP: #1939678.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842701
Title:
Apache2 Balancer Manager mod_proxy_balancer not working after Update
To manage notific
To close this out, fixed in Groovy
apache2 | 2.4.46-1ubuntu1 | groovy | source, amd64,
arm64, armhf, i386, ppc64el, riscv64, s390x
** Changed in: apache2 (Ubuntu)
Status: Confirmed => Fix Released
--
Looks like this is still open for Groovy, but will be resolved when we
merge 2.4.42.
** Tags removed: server-next
--
** Changed in: apache2
Status: Confirmed => Fix Released
--
** Changed in: apache2 (Debian)
Status: Fix Committed => Fix Released
--
** Changed in: apache2 (Debian)
Status: New => Fix Committed
--
** Changed in: apache2 (Debian)
Status: Unknown => New
--
** Bug watch added: Debian Bug tracker #941202
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
** Also affects: apache2 (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Importance: Unknown
Status: Unknown
--
I'll if I hear something, but I'll leave that task mostly to Steve who
said that he wanted to keep an eye on it (for potentially backporting
the hardening once we know how to handle the regression).
--
hi Christian,
thx for the info and please let me know if there is a possible
solution for the future releases.
--
Hi Horst,
yes I checked and the issue is in Eoan 2.4.41 - I checked that already last
week and let Steve know.
Steve wanted to track the upstream discussions on this as going forward
we most likely want to follow upstream's guidance on this (e.g. want to
have it broken for better security).
But th
with the new packages my problem is solved.
one more question: in the next Ubuntu release, for example 20.04 with a
newer apache version, is it possible that this kind of problem is
coming back again? because the patches are in the newer version from
apache.org.
thx again, regards horst
--
This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.3
---
apache2 (2.4.38-2ubuntu2.3) disco-security; urgency=medium
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some configu
This bug was fixed in the package apache2 - 2.4.18-2ubuntu3.13
---
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some conf
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.11
---
apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium
* SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
browsers which change case in headers and breaks balancers
loading in some conf
** Changed in: apache2 (Ubuntu)
Assignee: (unassigned) => Steve Beattie (sbeattie)
--
** Changed in: apache2 (Ubuntu)
Status: New => Triaged
** Changed in: apache2 (Ubuntu)
Importance: Undecided => Medium
--
unfortunately the ppa also does not solve the behind-a-proxy problem.
usually in my production the front (bastion/proxy host) is debian 9
so i tested both with debian 9 and ubuntu 18.04 ppa on the proxy
host.
i modified the configuration a little to get closer to the
production env.
VM with LB Manager
sorry i can't use your PPAs in the production. for a quick test i used
my patched compiled module where only one line is changing from the
patch i described above
:$ diff mod_proxy_balancer.c_org mod_proxy_balancer.c
1081c1081
< && (!ref || !safe_referer(r, ref))) {
---
> && (ref &
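Review bot: in the replacement for line 1081, the visible start of the new condition (`ref &`) drops the `!ref ||` branch of the original, so a request that carries no Referer header would no longer be treated as cross-site and its params would be accepted without passing through safe_referer(). The new line is cut off here, so the rest of the condition cannot be checked; if accepting a missing Referer is intended, the patch should say why that is acceptable for balancer-manager, or else keep the `!ref ||` branch and address the failing comparison separately.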
First of all, thanks to the great steps by Horst I was able to reproduce this
on X/B/D releases.
like:
[Tue Sep 10 06:39:37.715128 2019] [proxy_balancer:error] [pid 3314:tid
140601611724544] [client 127.0.0.1:50998] AH10187: ignoring params in
balancer-manager cross-site access
With that se
Thanks for the explanations Steve.
I almost assumed something like this (adding related hardening) and this should
not have been any blaming. I was just dissecting the case one step at a time.
Thanks for doing the next step already with the builds for all affected
releases.
In that case I can st
Sorry for the problems that people are experiencing.
Christian, the Ubuntu Security Team will sometimes incorporate a
hardening measure like the extra XSRF that upstream included in the
2.4.41 release, if it appears to address similar issues as the original
vulnerability. Looking at the history of
Launchpad has imported 8 comments from the remote bug at
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://he
@Horst
I have put a preliminary build of the packaged Apache to the PPA [1] with the
fix that was suggested on the upstream bug [2]. Could you give that one a try?
[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1842701-mod-proxy-xsrf
[2]: https://bz.apache.org/bugzilla/show_bug.cgi?id=63
Thanks for linking the upstream bug and your experiments Horst!
In the bug there it was mentioned that this would not be related to the CVE fix
CVE-2019-10092.
But it made me think as Horst clearly found it to be related to that update.
I did some of the same checks Horst did (in which patch is
with that patch from here
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c3
and with the ubuntu 18.04 apache2 sources
:~$ apt-get source apache2
:~$ find . -name mod_proxy_balancer.c
./apache2-2.4.29/.pc/balance-member-long-hostname-part2.patch/modules/proxy/mod_proxy_balancer.c
./apache2
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c5
and there is a Patch available
--
i found https://bz.apache.org/bugzilla/show_bug.cgi?id=63688 and this
sounds like a similar problem and i can reproduce that within debian
10 which i described there.
** Bug watch added: bz.apache.org/bugzilla/ #63688
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688
--
I subscribed and pinged ubuntu-security on this one, let's see if they
chime in and what their opinion is.
--
** Tags removed: server-triage-discuss
** Tags added: server-next
--
** Tags added: server-next
** Tags removed: server-next
** Tags added: regression-update
--
Thanks for your bug report. The "ignoring params in balancer-manager
cross-site access" error message has been introduced as part of the
patchset fixing CVE-2019-10092, see [1], so this definitely looks like a
regression.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10092
--
[1]
https://git.launchpad.net/ubuntu/+source/apache2/tree/debian/patches/CVE-2019-10092-3.patch?id=e7a4a4340e4c6bae39d8f974aab81fdc05518e62
** Tags added: server-triage-discuss
--