
Bug#271945: marked as done (apache in woody is missing security patches/updates)



Your message dated Fri, 17 Sep 2004 07:54:21 +0200 (CEST)
with message-id <Pine.LNX.4.58.0409170751090.6689@trider-g7.ext.fabbione.net>
and subject line Bug#271945: apache in woody is missing security patches/updates
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Message-ID: <414982A9.30007@etvinteractive.com>
Date: Thu, 16 Sep 2004 13:10:17 +0100
From: Mark Bryars <mark.bryars@etvinteractive.com>
User-Agent: Mozilla Thunderbird 0.5 (X11/20040306)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: submit@bugs.debian.org
Subject: apache in woody is missing security patches/updates


Package: apache
Version: 1.3.26-0woody5
Tags: woody, security

In 1.3.28 there is a patch that prevents file descriptors leaking to
child processes; this is not present. This causes processes spawned
by php (in this case 4.1.2-6woody3, not tested 4.1.2-7.0.1 yet) to have
full access to the apache logs, sockets etc.

I suggest this patch could be backported.

---------------------------------------
Date: Fri, 17 Sep 2004 07:54:21 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@fabbione.net
To: Matt Zimmerman <mdz@debian.org>, 271945-done@bugs.debian.org
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Re: Bug#271945: apache in woody is missing security patches/updates
In-Reply-To: <20040916210808.GG5721@alcor.net>
Message-ID: <Pine.LNX.4.58.0409170751090.6689@trider-g7.ext.fabbione.net>
References: <414982A9.30007@etvinteractive.com> <20040916192506.GE5721@alcor.net>
 <Pine.LNX.4.58.0409162208040.5301@trider-g7.ext.fabbione.net>
 <20040916210808.GG5721@alcor.net>

On Thu, 16 Sep 2004, Matt Zimmerman wrote:

> On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote:
>
> > On Thu, 16 Sep 2004, Matt Zimmerman wrote:
> >
> > > Maintainers, please raise the severity of this bug and contact the security
> > > team if this is an urgent issue.
> >
> > Please can we have at least the CAN number and reference? Joey has been
> > keeping track of this iirc.
>
> I think this refers to the following upstream changelog entry:
>
>   *) Certain 3rd party modules would bypass the Apache API and not
>      invoke ap_cleanup_for_exec() before creating sub-processes.
>      To such a child process, Apache's file descriptors (lock
>      fd's, log files, sockets) were accessible, allowing them
>      direct access to Apache log file etc.  Where the OS allows,
>      we now add proactive close functions to prevent these file
>      descriptors from leaking to the child processes.
>      [Jim Jagielski, Martin Kraemer]
>
> This is a workaround for security bugs in third-party modules (which ones?),
> and not a security fix in itself.

This problem is the one that has been discussed by Joey (iirc) together
with upstream. The result of the discussion was that it is not worth
backporting such a precaution, since it includes an API change and possibly
all external modules need to be ported to it (list is unknown). Also the
benefits of this fix are minimal compared to the hundreds of ways a
user can expose sensitive data with a wrong config setup.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
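
The descriptor leak described in the changelog entry quoted above, as an added C example that is not part of this thread and is not Apache's code. It uses the POSIX close-on-exec flag as one form of "proactive close"; `/dev/null` stands in for a server log file, and the function name `child_inherits_fd` is hypothetical.

```c
/* Added example (not Apache code): a descriptor opened by a server process
 * survives fork()+exec() unless it is marked close-on-exec. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a child started with fork()+exec() can still use the parent's
 * descriptor, 0 if it cannot, -1 on setup error. */
int child_inherits_fd(int set_cloexec)
{
    /* Constructed stand-in for a log file or lock fd held by the server. */
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return -1;
    if (fd > 9) { close(fd); return -1; }  /* keep the sh redirection single-digit */

    if (set_cloexec) {
        /* Proactive close: the kernel drops this fd at exec() time, even if
         * the code doing the exec never runs any cleanup of its own. */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }

    /* The child tries to write to the inherited descriptor number. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; true >&%d", fd);

    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        /* Models a module that execs directly, skipping the server's cleanup. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;       /* shell could not be run */
    return WEXITSTATUS(status) == 0 ? 1 : 0;         /* 0 exit: fd was usable */
}

int main(void)
{
    printf("plain descriptor usable in child: %d\n", child_inherits_fd(0));
    printf("FD_CLOEXEC descriptor usable:     %d\n", child_inherits_fd(1));
    return 0;
}
```

To audit a running server for the same condition on Linux, list `/proc/<pid>/fd` for a process it spawned and look for log files or listening sockets that the child has no reason to hold.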


