[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#320063: marked as done (Security: buffer-overrun in apache2-ssl)

Your message dated Sat, 17 Dec 2005 00:05:09 -0800
with message-id <E1EnX41-0003CA-Ae@spohr.debian.org>
and subject line Bug#320048: fixed in apache2 2.0.54-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 26 Jul 2005 18:45:58 +0000
>From debian-bts@spamblock.netzgehirn.de Tue Jul 26 11:45:58 2005
Return-path: <debian-bts@spamblock.netzgehirn.de>
Received: from svr.bitshelter.net (mx0.bitshelter.net) [] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DxURC-0002H7-00; Tue, 26 Jul 2005 11:45:58 -0700
Received: from localhost (localhost [])
	by mx0.bitshelter.net (Postfix) with ESMTP id 2AC873FFEC
	for <submit@bugs.debian.org>; Tue, 26 Jul 2005 20:45:54 +0200 (CEST)
Received: from mx0.bitshelter.net ([])
	by localhost (svr.bitshelter.net []) (amavisd-new, port 10024)
	with LMTP id 29705-01-2 for <submit@bugs.debian.org>;
	Tue, 26 Jul 2005 20:45:39 +0200 (CEST)
Received: from nz (J1afb.j.pppool.de [])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by mx0.bitshelter.net (Postfix) with ESMTP id 6A0BD3FF4A
	for <submit@bugs.debian.org>; Tue, 26 Jul 2005 20:45:39 +0200 (CEST)
From: debian-bts@spamblock.netzgehirn.de
To: submit@bugs.debian.org
Subject: Security: buffer-overrun in apache2-ssl
Date: Tue, 26 Jul 2005 20:45:35 +0200
User-Agent: KMail/1.8.1
X-Fingerprint: BBF9 60C6 892A A542 0006 B208 63F8 974C 8DC6 9FB4
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200507262045.36642.debian-bts@spamblock.netzgehirn.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	NO_REAL_NAME autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: apache2
Version: 2.0.54-4
Tags: security, fixed-upstream

There is a possible remote-exploitable buffer overrun in the Apache2 ssl 
implementation. A patch is available.


Received: (at 320048-close) by bugs.debian.org; 17 Dec 2005 08:11:00 +0000
>From katie@ftp-master.debian.org Sat Dec 17 00:11:00 2005
Return-path: <katie@ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EnX41-0003CA-Ae; Sat, 17 Dec 2005 00:05:09 -0800
From: Adam Conrad <adconrad@0c3.net>
To: 320048-close@bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#320048: fixed in apache2 2.0.54-5
Message-Id: <E1EnX41-0003CA-Ae@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 17 Dec 2005 00:05:09 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-5_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320048@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Fri,  2 Sep 2005 22:26:28 +1000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all i386
Version: 2.0.54-5
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
 apache2    - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-threadpool - experimental high speed model for Apache2 (transitional package)
 apache2-mpm-worker - high speed threaded model for Apache2
 apache2-prefork-dev - development headers for apache2
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 libapr0    - the Apache Portable Runtime
 libapr0-dev - development headers for libapr
Closes: 316173 320048 320063 326435
 apache2 (2.0.54-5) stable-security; urgency=high
   * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
     certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
   * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response contains both Transfer-Encoding and Content-Length
     headers, the connection can be used for HTTP request smuggling and HTTP
     request spoofing attacks; see CAN-2005-2088 (closes: #316173)
   * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
     when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
   * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
     of the SSLVerifyClient directive is not honoured within a <Location>
     nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
 779558a3a1edad615114d9e951d44352 1141 net optional apache2_2.0.54-5.dsc
 37d0d0a3e25ad93d37f0483021e70409 7493636 net optional apache2_2.0.54.orig.tar.gz
 3f51c615473cb57d4d182e1abbeffcd4 110044 net optional apache2_2.0.54-5.diff.gz
 df584a81cd27a1858014ac52cfdd9ab9 33460 net optional apache2-mpm-threadpool_2.0.54-5_all.deb
 429e520dda920f145468b39f4b3f2c2c 3861324 doc optional apache2-doc_2.0.54-5_all.deb
 143fb414c293aaa8d89e178306dca35a 799800 net optional apache2-common_2.0.54-5_i386.deb
 3dc37ae17bb34d4068f5153bfd2ffd54 90962 net optional apache2-utils_2.0.54-5_i386.deb
 824b90f8be18f53abef31e66aca2b0dd 206374 net optional apache2-mpm-worker_2.0.54-5_i386.deb
 8cb83e70bbe05872ba5a9de9eacdadc2 206602 net optional apache2-mpm-perchild_2.0.54-5_i386.deb
 670721077006223829903285d28b428d 202826 net optional apache2-mpm-prefork_2.0.54-5_i386.deb
 46926e9e39dba00825c06b1bc6afa847 167626 devel optional apache2-prefork-dev_2.0.54-5_i386.deb
 a22f739befa46e30b9c9f5ad8e6b2bc7 168356 devel optional apache2-threaded-dev_2.0.54-5_i386.deb
 0f1b46d69ed1665dbc7175fd777dc9eb 130614 net optional libapr0_2.0.54-5_i386.deb
 f877c48fae275c3e011dcdcddf6f4bdc 259890 libdevel optional libapr0-dev_2.0.54-5_i386.deb
 f2bb4abd8a56f74165641a1ffb98268d 33384 web optional apache2_2.0.54-5_i386.deb

Version: GnuPG v1.4.1 (GNU/Linux)


Reply to: