
Bug#534712: marked as done (apache2.2-common: DOS possible with mod_deflate)



Your message dated Wed, 05 Aug 2009 19:58:54 +0000
with message-id <E1MYmdS-0000GO-GR@ries.debian.org>
and subject line Bug#534712: fixed in apache2 2.2.3-4+etch9
has caused the Debian Bug report #534712,
regarding apache2.2-common: DOS possible with mod_deflate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
534712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security

There is a bug in mod_deflate that can lead to a DoS with very little
network traffic.

The problem is the following: when downloading a file with mod_deflate
enabled and aborting the connection before the end, mod_deflate will take
100% of a CPU and finish compressing the file for nothing.

Even with a not-so-big file (a few dozen MB), it is possible to
"lock" apache by opening simultaneous requests on this file and aborting
the connection very soon; as the file will be compressed multiple times
in parallel, compression times will grow and keep the threads busy for a
while.

The problem arises because mod_deflate doesn't check if the connection is
aborted and goes on whatever happens.

The following patch fixes the problem, but from reading the code, I guess
that the inflate function is also impacted.

Best regards,

François


--- mod_deflate.c	2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new	2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@
             continue;
         }

+	if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
+
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
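Review bot: the inserted `if (r->connection->aborted) {` line is indented with a tab while the surrounding code and the other added lines use spaces; match the file's four-space indentation. The guard also covers only this output loop: as the report itself notes, the inflate path likely needs the same check, and the shipped fix (per the changelog below) additionally stops compressing bodies for HEAD requests, which this hunk does not address.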



-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation perl php5 python setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.23     simple debconf wrapper for OpenSSL

Versions of packages apache2.2-common suggests:
ii  apache2-doc              2.2.9-10+lenny3 Apache HTTP Server documentation
pn  apache2-suexec | apache2 <none>          (no description available)
ii  dillo [www-browser]      0.8.6-3         Small and fast web browser
ii  elinks [www-browser]     0.11.4-3        advanced text-mode WWW browser
ii  epiphany-gecko [www-brow 2.22.3-9        Intuitive GNOME web browser - Geck
ii  iceape-browser [www-brow 1.1.14-1        Iceape Navigator (Internet browser
ii  iceweasel [www-browser]  3.0.6-1         lightweight web browser based on M
ii  w3m [www-browser]        0.5.2-2+b1      WWW browsable pager with excellent

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event        <none>          (no description available)
pn  apache2-mpm-itk          <none>          (no description available)
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server - traditional n
pn  apache2-mpm-worker       <none>          (no description available)

-- no debconf information



--- End Message ---
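The failure mode described in the report above, as an added stand-alone model rather than Apache's own code: a per-bucket output loop that keeps deflating after the client has gone away, beside the patched loop that consults the connection's aborted flag before each bucket and also skips compression for HEAD requests (the second part of the shipped fix). The `conn_rec`/`request_rec` structs, the `abort_at` field and `simulate_client` are simplified stand-ins for the httpd types and the core output filter, and the bucket counts are constructed.

```c
#include <stdio.h>

/* Added, self-contained model of the loop patched in the report; it is
 * not Apache code. The structs are simplified stand-ins for the httpd
 * types of the same names. */
#define APR_SUCCESS       0
#define APR_ECONNABORTED  1

typedef struct {
    int aborted;   /* set by the core when a write to the client fails */
    int abort_at;  /* constructed: client hangs up after this many buckets */
} conn_rec;

typedef struct {
    conn_rec *connection;
    int header_only;   /* 1 for a HEAD request */
} request_rec;

/* Stand-in for the network layer: it flags the connection as aborted
 * once abort_at buckets have been written to a client that is gone. */
static void simulate_client(conn_rec *c, int sent) {
    if (c->abort_at >= 0 && sent >= c->abort_at) c->aborted = 1;
}

/* Deflate nbuckets chunks of a response. check_abort == 0 is the reported
 * behaviour: the flag is never consulted, so every bucket is compressed
 * although nobody will read the output. check_abort == 1 is the patched
 * loop. Returns the number of buckets deflated; *rv receives the status. */
static int deflate_out(request_rec *r, int nbuckets, int check_abort, int *rv) {
    conn_rec *c = r->connection;
    int done = 0;
    /* The shipped fix also skips compression for HEAD: no body is sent. */
    if (r->header_only) { *rv = APR_SUCCESS; return 0; }
    for (int i = 0; i < nbuckets; i++) {
        if (check_abort && c->aborted) { *rv = APR_ECONNABORTED; return done; }
        done++;                   /* stands in for apr_bucket_read + deflate() */
        simulate_client(c, done); /* outcome of writing this bucket downstream */
    }
    *rv = APR_SUCCESS;
    return done;
}

int main(void) {
    int rv;
    conn_rec c = { 0, 2 };           /* constructed: client leaves after 2 buckets */
    request_rec r = { &c, 0 };
    printf("unpatched: %d buckets deflated\n", deflate_out(&r, 100, 0, &rv));
    c.aborted = 0;
    printf("patched:   %d buckets deflated\n", deflate_out(&r, 100, 1, &rv));
    return 0;
}
```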
--- Begin Message ---
Source: apache2
Source-Version: 2.2.3-4+etch9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch9_all.deb
apache2-mpm-event_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch9_i386.deb
apache2-mpm-perchild_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch9_all.deb
apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
apache2-mpm-worker_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch9_i386.deb
apache2-prefork-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch9_i386.deb
apache2-src_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch9_all.deb
apache2-threaded-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch9_i386.deb
apache2-utils_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch9_i386.deb
apache2.2-common_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch9_i386.deb
apache2_2.2.3-4+etch9.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.diff.gz
apache2_2.2.3-4+etch9.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.dsc
apache2_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 14 Jul 2009 23:06:43 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch9
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 534712
Changes: 
 apache2 (2.2.3-4+etch9) oldstable-security; urgency=high
 .
   * Security:
     CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
     Also prevent compressing the content for HEAD requests.
Files: 




--- End Message ---
