Bug#322607: marked as done (SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088))

To: Adam Conrad <adconrad@0c3.net>
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Bug#322607: marked as done (SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088))
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Fri, 16 Dec 2005 21:33:30 -0800
Message-id: <[🔎] handler.322607.D322607.113479689630684.ackdone@bugs.debian.org>
In-reply-to: <E1EnUTG-0007mI-Gq@spohr.debian.org>
References: <E1EnUTG-0007mI-Gq@spohr.debian.org> <E1DnOtX-0001i1-IX@localhost.localdomain>

Your message dated Fri, 16 Dec 2005 21:19:02 -0800
with message-id <E1EnUTG-0007mI-Gq@spohr.debian.org>
and subject line Bug#322607: fixed in apache 1.3.33-6sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Jun 2005 22:49:46 +0000
>From jmm@inutil.org Tue Jun 28 15:49:44 2005
Return-path: <jmm@inutil.org>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DnOtj-0005fj-00; Tue, 28 Jun 2005 15:49:43 -0700
Received: from dsl-082-082-137-197.arcor-ip.net ([82.82.137.197] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1DnOo7-0006DV-N0
	for submit@bugs.debian.org; Wed, 29 Jun 2005 00:43:55 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.51)
	id 1DnOtX-0001i1-IX; Wed, 29 Jun 2005 00:49:31 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding
 and Content-Length headers
X-Mailer: reportbug 3.15
Date: Wed, 29 Jun 2005 00:49:31 +0200
X-Debbugs-Cc: security@debian.org
Message-Id: <E1DnOtX-0001i1-IX@localhost.localdomain>
X-SA-Exim-Connect-IP: 82.82.137.197
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions.  This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);

|    Proxy HTTP: If a response contains both Transfer-Encoding
|    and a Content-Length, remove the Content-Length to eliminate
|    an HTTP Request Smuggling vulnerability and don't reuse the
|    connection, stopping some HTTP Request Spoofing attacks.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 322607-close) by bugs.debian.org; 17 Dec 2005 05:21:36 +0000
>From katie@ftp-master.debian.org Fri Dec 16 21:21:36 2005
Return-path: <katie@ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EnUTG-0007mI-Gq; Fri, 16 Dec 2005 21:19:02 -0800
From: Adam Conrad <adconrad@0c3.net>
To: 322607-close@bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1
Message-Id: <E1EnUTG-0007mI-Gq@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 16 Dec 2005 21:19:02 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: apache
Source-Version: 1.3.33-6sarge1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-6sarge1_all.deb
apache_1.3.33-6sarge1.diff.gz
  to pool/main/a/apache/apache_1.3.33-6sarge1.diff.gz
apache_1.3.33-6sarge1.dsc
  to pool/main/a/apache/apache_1.3.33-6sarge1.dsc
apache_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache_1.3.33-6sarge1_i386.deb
libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 322607@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes: 
 apache (1.3.33-6sarge1) stable-security; urgency=high
 .
   * Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response contains both Transfer-Encoding and Content-Length
     headers, the connection can be used for HTTP request smuggling and HTTP
     request spoofing attacks; see CAN-2005-2088 (closes: #322607)
Files: 
 1fd30bda6f8ced16f68a75b42062e719 1119 web optional apache_1.3.33-6sarge1.dsc
 1a34f13302878a8713a2ac760d9b6da8 3105683 web optional apache_1.3.33.orig.tar.gz
 9b04027dc8af9fc5c19bef5304d6d1a6 369073 web optional apache_1.3.33-6sarge1.diff.gz
 53df3e1f7e47375c957673ff49649ee2 1189326 doc optional apache-doc_1.3.33-6sarge1_all.deb
 2690e824569ca7d3b20c22697fff83ac 331258 devel extra apache-dev_1.3.33-6sarge1_all.deb
 1a9af803b7bb9ee718c8d2463157c73d 212030 web optional apache-utils_1.3.33-6sarge1_all.deb
 d1fb460ac66b9c279bb973962c6b37a6 385394 web optional apache_1.3.33-6sarge1_i386.deb
 fa4e8d3d4c725d0145c78b3f782566d3 492748 web optional apache-ssl_1.3.33-6sarge1_i386.deb
 49cff4c1bc76b51806afe487c0a93fd5 504894 web optional apache-perl_1.3.33-6sarge1_i386.deb
 d39bd56c23b083feeb2d30c1582ac091 9128930 devel extra apache-dbg_1.3.33-6sarge1_i386.deb
 ad852939fd0e97aa35f731e506888eca 844800 web optional apache-common_1.3.33-6sarge1_i386.deb
 0ad21611cc1f3e24e4b51b0b0a76b1bf 485896 web optional libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDHZeyvjztR8bOoMkRAvOjAJwJ3f0mL7AvhBpJ6ShyhUNVimqFYACgwMVT
FgcWRyATk4+fBtNgnFNPQfE=
=I7uU
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: Attivazione completata ad AMGI informa
Next by Date: apache_1.3.33-6sarge1_i386.changes INSTALLED into stable
Previous by thread: Processed: Re: Bug#343466: Acknowledgement (XSS issue in mod_imap)
Next by thread: apache_1.3.33-6sarge1_i386.changes INSTALLED into stable
Index(es):
- Date
- Thread