
Bug#240100: marked as done (apache2: multiple security vulnerabilities fixed in new upstream release)



Your message dated Sun, 04 Apr 2004 10:17:05 -0400
with message-id <E1BA8Qr-00069S-00@newraff.debian.org>
and subject line Bug#240100: fixed in apache2 2.0.49-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Mar 2004 19:23:38 +0000
>From dilinger@voxel.net Thu Mar 25 11:23:38 2004
Return-path: <dilinger@voxel.net>
Received: from hq.voxel.net (wax.hq.voxel.net) [66.109.37.2] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1B6aS1-00023m-00; Thu, 25 Mar 2004 11:23:38 -0800
Received: by wax.hq.voxel.net (Postfix, from userid 1000)
	id 72C661FB47; Thu, 25 Mar 2004 14:23:34 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Andres Salomon <dilinger@voxel.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: multiple security vulnerabilities fixed in new upstream release
X-Mailer: reportbug 2.54
Date: Thu, 25 Mar 2004 14:23:34 -0500
Message-Id: <20040325192334.72C661FB47@wax.hq.voxel.net>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: apache2
Severity: grave

Apache2 2.0.49 fixes a few security bugs:

SECURITY: CAN-2004-0174 (cve.mitre.org) Fix starvation issue on
listening sockets where a short-lived connection on a rarely-accessed
listening socket will cause a child to hold the accept mutex and block
out new connections until another connection arrives on that
rarely-accessed listening socket. With Apache 2.x there is no
performance concern about enabling the logic for platforms which don't
need it, so it is enabled everywhere except for Win32. [Jeff Trawick]

SECURITY: CAN-2004-0113 (cve.mitre.org) mod_ssl: Fix a memory leak in
plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton]

SECURITY: CAN-2003-0020 (cve.mitre.org) Escape arbitrary data before
writing into the errorlog. Unescaped errorlogs are still possible using
the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey
Young, Andre Malo]



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.4-1-k7
Locale: LANG=C, LC_CTYPE=C

---------------------------------------
Received: (at 240100-close) by bugs.debian.org; 4 Apr 2004 14:23:04 +0000
>From katie@ftp-master.debian.org Sun Apr 04 07:23:04 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BA8We-0006XH-00; Sun, 04 Apr 2004 07:23:04 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1BA8Qr-00069S-00; Sun, 04 Apr 2004 10:17:05 -0400
From: Thom May <thom@debian.org>
To: 240100-close@bugs.debian.org
X-Katie: $Revision: 1.46 $
Subject: Bug#240100: fixed in apache2 2.0.49-1
Message-Id: <E1BA8Qr-00069S-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 04 Apr 2004 10:17:05 -0400
Delivered-To: 240100-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Scores: 1 1

Source: apache2
Source-Version: 2.0.49-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/apache2-common_2.0.49-1_powerpc.deb
apache2-doc_2.0.49-1_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.49-1_all.deb
apache2-mpm-perchild_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.49-1_powerpc.deb
apache2-mpm-prefork_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.49-1_powerpc.deb
apache2-mpm-threadpool_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.49-1_powerpc.deb
apache2-mpm-worker_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.49-1_powerpc.deb
apache2-prefork-dev_2.0.49-1_all.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.49-1_all.deb
apache2-threaded-dev_2.0.49-1_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.49-1_all.deb
apache2_2.0.49-1.diff.gz
  to pool/main/a/apache2/apache2_2.0.49-1.diff.gz
apache2_2.0.49-1.dsc
  to pool/main/a/apache2/apache2_2.0.49-1.dsc
apache2_2.0.49.orig.tar.gz
  to pool/main/a/apache2/apache2_2.0.49.orig.tar.gz
libapr0-dev_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/libapr0-dev_2.0.49-1_powerpc.deb
libapr0_2.0.49-1_powerpc.deb
  to pool/main/a/apache2/libapr0_2.0.49-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 240100@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thom May <thom@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  4 Apr 2004 11:32:20 +0100
Source: apache2
Binary: apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all powerpc
Version: 2.0.49-1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Thom May <thom@debian.org>
Description: 
 apache2-common - Next generation, scalable, extendable web server
 apache2-doc - Documentation for apache2
 apache2-mpm-perchild - Experimental High speed perchild threaded model for Apache2
 apache2-mpm-prefork - Traditional model for Apache2
 apache2-mpm-threadpool - Experimental High speed thread pool model for Apache2
 apache2-mpm-worker - High speed threaded model for Apache2
 apache2-prefork-dev - Development headers for apache2
 apache2-threaded-dev - Development headers for apache2
 libapr0    - The Apache Portable Runtime
 libapr0-dev - Development headers for libapr
Closes: 240100 240301
Changes: 
 apache2 (2.0.49-1) unstable; urgency=high
 .
   * New Upstream release. (Closes: #240100)
   * Add missing $ to init-script (closes: #240301)
   * Provides: httpd-cgi in reference to #117916
Files: 
 1bb29c27a95e485a63150cb0549c6b65 1716 net optional apache2_2.0.49-1.dsc
 5e63aec0163f62fe1c0cb1b7c064d8d7 5904526 net optional apache2_2.0.49.orig.tar.gz
 513f9daf0300df40d8c456cad63923c4 75879 net optional apache2_2.0.49-1.diff.gz
 1bc0146ad824bf1c1791de8901864c60 2721924 doc optional apache2-doc_2.0.49-1_all.deb
 eadc82ce59f434fad063804b8f067ed7 156482 devel optional apache2-prefork-dev_2.0.49-1_all.deb
 ca40a8c2732f70c67cdd2f03cc5ad0eb 157100 devel optional apache2-threaded-dev_2.0.49-1_all.deb
 e92dbbb540d7770a3142c5a77e92f4e3 886332 net optional apache2-common_2.0.49-1_powerpc.deb
 ad1e7a37c2db890747742516d2319395 215018 net optional apache2-mpm-worker_2.0.49-1_powerpc.deb
 baa57d8f056e97c58f2468ae48b121cf 214668 net optional apache2-mpm-threadpool_2.0.49-1_powerpc.deb
 8928af631d29755fd2d46ad275118f97 215952 net optional apache2-mpm-perchild_2.0.49-1_powerpc.deb
 f5b5674b8675eb6bb693f3d515326037 211510 net optional apache2-mpm-prefork_2.0.49-1_powerpc.deb
 0cc29084466f35318eb0b243aa339199 123086 net optional libapr0_2.0.49-1_powerpc.deb
 a5fbff614ddbb6f2e33d4d7ed7ed8186 260914 libdevel optional libapr0-dev_2.0.49-1_powerpc.deb



