Bug#441845: marked as done (Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.)
Your message dated Tue, 11 Sep 2007 18:53:30 +0200
with message-id <20070911165330.GF3291@eilebrecht.net>
and subject line invalid bug report
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: apache2
Severity: critical
Justification: root security hole
Tags: security
*** Please type your report below this line ***
A security hole has been disclosed on the Apache web site.
http://httpd.apache.org/security/vulnerabilities_22.html
Although it is disclosed as a denial of service, it seems
to involve a buffer overflow, and thus allow remote code
execution under the apache account. I can confim, from
attacks in systems of a customer, that this is actually the case.
As I have not seen any security upgrade from 4th of september,
date of the disclosure, I request this issue to be fixed.
Ramon Garcia
Systems Administrator
ramon.garcia@kotasoft.com
http://www.kotasoft.com
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-vserver-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
--- End Message ---
--- Begin Message ---
On behalf of the Apache Security Team I suggest that this bug report
is closed as invalid.
According to further information provided by the original submitter
to the Apache Security Team, there is no evidence that the proxy crash
bug (CVE-2007-3847) could lead to a root exploit. Actually, there
seems to be no evidence at all that the server - to which the original
submitter was referring to - was compromised.
Of course we recommend that Debian updates their Apache packages to the
newest versions available from the ASF, but the proxy crash bug only
has a moderate severity.
--snip--
moderate: mod_proxy crash CVE-2007-3847
A flaw was found in the Apache HTTP Server mod_proxy module. On sites
where a reverse proxy is configured, a remote attacker could send a
carefully crafted request that would cause the Apache child process handling
that request to crash. On sites where a forward proxy is configured, an
attacker could cause a similar crash if a user could be persuaded to visit a
malicious site using the proxy. This could lead to a denial of service if
using a threaded Multi-Processing Module.
Update Released: 7th September 2007
Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0
--snip--
Best Regards
--
Lars Eilebrecht - The Apache Software Foundation
lars@apache.org - Apache Security Team
--- End Message ---
Reply to: