[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#320048: marked as done (SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268))

Your message dated Sat, 17 Dec 2005 00:05:09 -0800
with message-id <E1EnX41-0003CA-Ae@spohr.debian.org>
and subject line Bug#320048: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 26 Jul 2005 17:11:21 +0000
>From debian@incase.de Tue Jul 26 10:11:21 2005
Return-path: <debian@incase.de>
Received: from mail.incase.de [] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DxSxd-0007O9-00; Tue, 26 Jul 2005 10:11:21 -0700
Received: from localhost (localhost [])
	by mail1_1.incase.de (Postfix) with ESMTP id 0C19B251B18
	for <submit@bugs.debian.org>; Tue, 26 Jul 2005 19:10:46 +0200 (CEST)
Received: from mail.incase.de ([])
	by localhost (mail1.incase.de []) (amavisd-new, port 10024)
	with ESMTP id 28020-01 for <submit@bugs.debian.org>;
	Tue, 26 Jul 2005 19:10:44 +0200 (CEST)
Received: from mail2.incase.de (mail.incase.de [])
	by mail.incase.de (Postfix) with SMTP id B17F6251B17
	for <submit@bugs.debian.org>; Tue, 26 Jul 2005 19:10:44 +0200 (CEST)
Received: by mail2.incase.de (sSMTP sendmail emulation); Tue, 26 Jul 2005 19:10:44 +0200
Content-Type: multipart/mixed; boundary="===============1719839988=="
MIME-Version: 1.0
From: Sven Mueller <debian@incase.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security: Buffer overflow in ssl_engine_kernel.c
X-Mailer: reportbug 3.8
Date: Tue, 26 Jul 2005 19:10:44 +0200
Message-Id: <20050726171044.B17F6251B17@mail.incase.de>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at incase.de
X-Spam-Bayes: Score: 0.0000 Tokensummary: Tokens: new, 47; hammy, 98; neutral,
	 61; spammy, 0.
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

This is a multi-part MIME message sent by reportbug.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS

There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.

Upstream bug report at

Upstream patch at

(SVN revision 179781)

patch which can be dropped into the Debian package as
043_fix_buffer_overflow_in_ssl_engine_kernel is attached

-- System Information:
Debian Release: 3.1
  APT prefers stable
Architecture: i386 (i686)
Kernel: Linux
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.54-4   traditional model for Apache2

-- no debconf information

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;

diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej' build-tree.orig/apache2/config.layout build-tree/apache2/config.layout
--- build-tree.orig/apache2/modules/ssl/ssl_engine_kernel.c	2005/06/03 12:43:35	179780
+++ build-tree/apache2/modules/ssl/ssl_engine_kernel.c	2005/06/03 12:54:53	179781
@@ -1408,7 +1408,7 @@
             BIO_printf(bio, ", nextUpdate: ");
             ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
-            n = BIO_read(bio, buff, sizeof(buff));
+            n = BIO_read(bio, buff, sizeof(buff) - 1);
             buff[n] = '\0';


Received: (at 320048-close) by bugs.debian.org; 17 Dec 2005 08:11:00 +0000
>From katie@ftp-master.debian.org Sat Dec 17 00:11:00 2005
Return-path: <katie@ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EnX41-0003CA-Ae; Sat, 17 Dec 2005 00:05:09 -0800
From: Adam Conrad <adconrad@0c3.net>
To: 320048-close@bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#320048: fixed in apache2 2.0.54-5
Message-Id: <E1EnX41-0003CA-Ae@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 17 Dec 2005 00:05:09 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-5_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320048@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Fri,  2 Sep 2005 22:26:28 +1000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all i386
Version: 2.0.54-5
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
 apache2    - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-threadpool - experimental high speed model for Apache2 (transitional package)
 apache2-mpm-worker - high speed threaded model for Apache2
 apache2-prefork-dev - development headers for apache2
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 libapr0    - the Apache Portable Runtime
 libapr0-dev - development headers for libapr
Closes: 316173 320048 320063 326435
 apache2 (2.0.54-5) stable-security; urgency=high
   * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
     certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
   * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response contains both Transfer-Encoding and Content-Length
     headers, the connection can be used for HTTP request smuggling and HTTP
     request spoofing attacks; see CAN-2005-2088 (closes: #316173)
   * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
     when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
   * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
     of the SSLVerifyClient directive is not honoured within a <Location>
     nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
 779558a3a1edad615114d9e951d44352 1141 net optional apache2_2.0.54-5.dsc
 37d0d0a3e25ad93d37f0483021e70409 7493636 net optional apache2_2.0.54.orig.tar.gz
 3f51c615473cb57d4d182e1abbeffcd4 110044 net optional apache2_2.0.54-5.diff.gz
 df584a81cd27a1858014ac52cfdd9ab9 33460 net optional apache2-mpm-threadpool_2.0.54-5_all.deb
 429e520dda920f145468b39f4b3f2c2c 3861324 doc optional apache2-doc_2.0.54-5_all.deb
 143fb414c293aaa8d89e178306dca35a 799800 net optional apache2-common_2.0.54-5_i386.deb
 3dc37ae17bb34d4068f5153bfd2ffd54 90962 net optional apache2-utils_2.0.54-5_i386.deb
 824b90f8be18f53abef31e66aca2b0dd 206374 net optional apache2-mpm-worker_2.0.54-5_i386.deb
 8cb83e70bbe05872ba5a9de9eacdadc2 206602 net optional apache2-mpm-perchild_2.0.54-5_i386.deb
 670721077006223829903285d28b428d 202826 net optional apache2-mpm-prefork_2.0.54-5_i386.deb
 46926e9e39dba00825c06b1bc6afa847 167626 devel optional apache2-prefork-dev_2.0.54-5_i386.deb
 a22f739befa46e30b9c9f5ad8e6b2bc7 168356 devel optional apache2-threaded-dev_2.0.54-5_i386.deb
 0f1b46d69ed1665dbc7175fd777dc9eb 130614 net optional libapr0_2.0.54-5_i386.deb
 f877c48fae275c3e011dcdcddf6f4bdc 259890 libdevel optional libapr0-dev_2.0.54-5_i386.deb
 f2bb4abd8a56f74165641a1ffb98268d 33384 web optional apache2_2.0.54-5_i386.deb

Version: GnuPG v1.4.1 (GNU/Linux)


Reply to: