[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#534712: marked as done (apache2.2-common: DOS possible with mod_deflate)

Your message dated Wed, 05 Aug 2009 19:58:54 +0000
with message-id <E1MYmdS-0000GO-GR@ries.debian.org>
and subject line Bug#534712: fixed in apache2 2.2.3-4+etch9
has caused the Debian Bug report #534712,
regarding apache2.2-common: DOS possible with mod_deflate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

534712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security

There is a bug in mod_deflate that can lead to a DOS with a very small
network traffic.

The problem is the following : when downloading a file with mod_deflate
enabled and aborting the connexion before the end, mod_deflate will take
100% of a CPU and finish to compress the file for nothing.

Even with a not-so-big file (a few dozen of MB), it is possible to
"lock" apache by opening simultaneous request on this file and abort the
connexion very soon, as the
file will be compressed multiple times in parallel, it will make
compression times grow and keep the threads busy for a while.

The problem arises because mod_deflate doesn't check if the connexion is
aborted and goes on whatever happen.

The following patch fixes the problem, but at reading the code, I guess
that the inflate function is also impacted.

Best regards,


--- mod_deflate.c	2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new	2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@

+	if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation perl php5 python setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination
library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2
init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' &
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:    compression library - runtime

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.23     simple debconf wrapper for

Versions of packages apache2.2-common suggests:
ii  apache2-doc              2.2.9-10+lenny3 Apache HTTP Server
pn  apache2-suexec | apache2 <none>          (no description available)
ii  dillo [www-browser]      0.8.6-3         Small and fast web browser
ii  elinks [www-browser]     0.11.4-3        advanced text-mode WWW browser
ii  epiphany-gecko [www-brow 2.22.3-9        Intuitive GNOME web browser
- Geck
ii  iceape-browser [www-brow 1.1.14-1        Iceape Navigator (Internet
ii  iceweasel [www-browser]  3.0.6-1         lightweight web browser
based on M
ii  w3m [www-browser]        0.5.2-2+b1      WWW browsable pager with

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event        <none>          (no description available)
pn  apache2-mpm-itk          <none>          (no description available)
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server -
traditional n
pn  apache2-mpm-worker       <none>          (no description available)

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.2.3-4+etch9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch9_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Tue, 14 Jul 2009 23:06:43 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch9
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 534712
 apache2 (2.2.3-4+etch9) oldstable-security; urgency=high
   * Security:
     CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
     Also prevent compressing the content for HEAD requests.
 5090ccfce8dc2e193a0200a5046fc0c2 1068 web optional apache2_2.2.3-4+etch9.dsc
 2705ba251cdd2e979ce85099b4548848 127065 web optional apache2_2.2.3-4+etch9.diff.gz
 9f79ca5450eb153eeb77d0ccdf63af53 962488 web optional apache2.2-common_2.2.3-4+etch9_i386.deb
 80ff91b5681b3b65b9f82510b78995d8 423714 web optional apache2-mpm-worker_2.2.3-4+etch9_i386.deb
 3efc018978b3f6879d4e17cd870da7c6 419898 web optional apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
 f7df4f2e8308b37945d6c9350fb68059 424256 web optional apache2-mpm-event_2.2.3-4+etch9_i386.deb
 473c50b8e3b3ff72f61fd2773ad0a5ec 342508 web optional apache2-utils_2.2.3-4+etch9_i386.deb
 aca126fc936879a914786d64b39582f1 409096 devel optional apache2-prefork-dev_2.2.3-4+etch9_i386.deb
 c973180a87c19636cc18823d872eaaf5 410094 devel optional apache2-threaded-dev_2.2.3-4+etch9_i386.deb
 632e77496c06ac55702187083210c5bd 274258 web optional apache2-mpm-perchild_2.2.3-4+etch9_all.deb
 765f1df6239124b257a17373ec12a25c 41428 web optional apache2_2.2.3-4+etch9_all.deb
 3c97cd0ed50e13730082455509ccf2ea 2243400 doc optional apache2-doc_2.2.3-4+etch9_all.deb
 863bd8f5274dcca2b348ddfb455f1e98 6666600 devel extra apache2-src_2.2.3-4+etch9_all.deb

Version: GnuPG v1.4.9 (GNU/Linux)


--- End Message ---

Reply to: