--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2: Major host parsing error in <Proxy balancer:/..> section
- From: Benoit Plessis <benoit@plessis.info>
- Date: Thu, 29 Nov 2007 20:54:05 +0100
- Message-id: <20071129195405.12930.66292.reportbug@seth.dys1.net>
Package: apache2
Version: 2.2.3-4+etch1
Severity: important
Hi,
I encoutered a weird error using mod_proxy_balancer and multiple
<Proxy balancer://> section.
Here is the config file:
---8<--------------------------------------------------------------------------
<Proxy balancer://back1>
BalancerMember http://1.1.1.1
BalancerMember http://1.1.1.3
</Proxy>
<Proxy balancer://back2>
BalancerMember http://1.1.1.10
BalancerMember http://1.1.1.11
BalancerMember http://1.2.1.11
BalancerMember http://1.1.1.31
</Proxy>
---8<--------------------------------------------------------------------------
Here is the output of balancer-manager via html2text:
---8<--------------------------------------------------------------------------
****** Load Balancer Manager for bd7 ******
Server Version: Apache/2.2.3 (Debian)
Server Built: Jun 17 2007 20:16:04
===============================================================================
**** LoadBalancer Status for balancer://back1 ****
StickySession Timeout FailoverAttempts Method
0 2 byrequests
Worker URL Route RouteRedir Factor Status
http://1.1.1.1 1 Ok
http://1.1.1.3 1 Ok
===============================================================================
**** LoadBalancer Status for balancer://back2 ****
StickySession Timeout FailoverAttempts Method
0 3 byrequests
Worker URL Route RouteRedir Factor Status
http://1.1.1.1 1 Ok
http://1.1.1.1 1 Ok
http://1.2.1.11 1 Ok
http://1.1.1.3 1 Ok
===============================================================================
Apache/2.2.3 (Debian) Server at bd7 Port 80
---8<--------------------------------------------------------------------------
Like you could see, there an abnormal shrink of the Worker URL in the second balancer
status. It's kinda like when parsing the config file worker addresses are compared
to previous worker but using the length() of the previous workers
And the traffic isn't sent to the configured Urls.
One way to workaround is reverse the definition of the balancer:
---8<--------------------------------------------------------------------------
<Proxy balancer://back2>
BalancerMember http://1.1.1.10
BalancerMember http://1.1.1.11
BalancerMember http://1.2.1.11
BalancerMember http://1.1.1.31
</Proxy>
<Proxy balancer://back1>
BalancerMember http://1.1.1.1
BalancerMember http://1.1.1.3
</Proxy>
---8<--------------------------------------------------------------------------
But i fear that there is more implication than just this and than this could affect the
entire mod_proxy module, since i've some weird result just using mod_rewrite and mod_proxy
with same kind of destination URLs and traffic that flow where it shouldn't.
Regards,
benoit
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
- To: 453630-close@bugs.debian.org
- Subject: Bug#453630: fixed in apache2 2.2.3-4+etch4
- From: Stefan Fritsch <sf@debian.org>
- Date: Sat, 16 Feb 2008 12:17:00 +0000
- Message-id: <E1JQLyW-0000FK-Uf@ries.debian.org>
Source: apache2
Source-Version: 2.2.3-4+etch4
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-doc_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 453630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-event - Event driven model for Apache HTTPD 2.1
apache2-mpm-perchild - Transitional package - please remove
apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
apache2-prefork-dev - development headers for apache2
apache2-src - Apache source code
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
apache2.2-common - Next generation, scalable, extendable web server
Closes: 399776 421557 453630 453783
Changes:
apache2 (2.2.3-4+etch4) stable; urgency=low
.
* Fix various cross site scripting vulnerabilities with browsers that do not
conform to RFC 2616: Apache now adds explicit ContentType and Charset
headers to the output of various modules, even if AddDefaultCharset is
commented out. This includes directory indexes generated by mod_autoindex
and mod_proxy_ftp, which are now marked as iso-8859-1 by default.
(CVE-2007-4465, CVE-2008-0005, closes: #453783)
To allow to specify the character set for the directory indexes, the
Charset and Type IndexOptions and the ProxyFtpDirCharset directive have
been backported from 2.2.8.
If you use mod_autoindex and use UTF-8 for your filenames, you should add
Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf .
If you use mod_proxy_ftp, the default charset can be set with the
ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf .
ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to
set the charset for specific servers.
* Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
(Closes: #399776, #421557)
* More minor security fixes:
- XSS in mod_imagemap (CVE-2007-5000)
- XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
- XSS in HTTP method in 413 error message (CVE-2007-6203)
- possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
* Fix mod_proxy_balancer configuration file parsing (closes: #453630).
* Don't ship NEWS.Debian with apache2-utils as it affects only the server.
Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
MSIE SSL workaround.
Files:
7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc
968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz
c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb
fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb
ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb
02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb
d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb
83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb
e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb
c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb
a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb
f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l
3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----
--- End Message ---