
Bug#534712: marked as done (apache2.2-common: DOS possible with mod_deflate)



Your message dated Sat, 15 Aug 2009 01:57:34 +0000
with message-id <E1Mc8WU-0001to-F6@ries.debian.org>
and subject line Bug#534712: fixed in apache2 2.2.9-10+lenny4
has caused the Debian Bug report #534712,
regarding apache2.2-common: DOS possible with mod_deflate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
534712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security

There is a bug in mod_deflate that can lead to a DoS with very little
network traffic.

The problem is the following: when downloading a file with mod_deflate
enabled and aborting the connection before the end, mod_deflate will take
100% of a CPU and finish compressing the file for nothing.

Even with a not-so-big file (a few dozen MB), it is possible to
"lock" apache by opening simultaneous requests on this file and aborting the
connection very soon: as the file will be compressed multiple times in
parallel, compression times will grow and keep the threads busy for a while.

The problem arises because mod_deflate doesn't check if the connection is
aborted and goes on whatever happens.

The following patch fixes the problem, but from reading the code, I guess
that the inflate function is also impacted.

Best regards,

François


--- mod_deflate.c	2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new	2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@
             continue;
         }

+	if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
+
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
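Review bot: the guard is added only to the compress loop, yet the cover note already suspects the inflate path; the inflate filter reads buckets through the same `apr_bucket_read` loop and should get the same `if (r->connection->aborted) return APR_ECONNABORTED;` check, otherwise it still runs to completion after the peer has gone. Two smaller points on the lines as posted: the added `if` line is indented with a tab while its body and the surrounding context use spaces, so it should be reindented to match the file; and because the early return leaves the rest of the brigade unconsumed, the change relies on the caller treating APR_ECONNABORTED as terminal for the request rather than re-invoking the filter, which is worth stating in the commit message.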



-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation perl php5 python setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.23     simple debconf wrapper for OpenSSL

Versions of packages apache2.2-common suggests:
ii  apache2-doc              2.2.9-10+lenny3 Apache HTTP Server documentation
pn  apache2-suexec | apache2 <none>          (no description available)
ii  dillo [www-browser]      0.8.6-3         Small and fast web browser
ii  elinks [www-browser]     0.11.4-3        advanced text-mode WWW browser
ii  epiphany-gecko [www-brow 2.22.3-9        Intuitive GNOME web browser - Geck
ii  iceape-browser [www-brow 1.1.14-1        Iceape Navigator (Internet browser
ii  iceweasel [www-browser]  3.0.6-1         lightweight web browser based on M
ii  w3m [www-browser]        0.5.2-2+b1      WWW browsable pager with excellent

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event        <none>          (no description available)
pn  apache2-mpm-itk          <none>          (no description available)
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server - traditional n
pn  apache2-mpm-worker       <none>          (no description available)

-- no debconf information



--- End Message ---
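As an added illustration (not part of the report above or of Apache's mod_deflate), the Python below models the filter loop the patch changes: a response body is compressed bucket by bucket with zlib, the simulated peer disappears after a few buckets, and the `check_aborted` switch selects between the unpatched behaviour (every remaining bucket is still compressed) and the patched one (the loop returns as soon as the connection is flagged aborted). `Connection`, `deflate_filter`, `wasted_work`, `BUCKET_SIZE` and the sample body are all constructed for this example.

```python
import zlib

# Stand-in for the chunks apr_bucket_read hands to the filter (constructed size).
BUCKET_SIZE = 8000


class Connection:
    """Minimal model of r->connection: only the `aborted` flag matters here.

    The peer is simulated as going away after `abort_after` buckets have been
    delivered; the next write fails and flags the connection, which is the
    moment a real server learns that the client is gone.
    """

    def __init__(self, abort_after):
        self.aborted = False
        self._abort_after = abort_after
        self._delivered = 0

    def write(self, data):
        if self.aborted:
            return False
        if self._delivered >= self._abort_after:
            self.aborted = True  # write failed: mark the connection dead
            return False
        self._delivered += 1
        return True


def deflate_filter(body, conn, check_aborted):
    """Compress `body` bucket by bucket, as mod_deflate's output filter loop does.

    Returns (buckets_compressed, compressed_bytes).  check_aborted=False is the
    unpatched loop: it keeps deflating after the peer is gone.  check_aborted=True
    is the reporter's fix: bail out as soon as conn.aborted is set.
    """
    z = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate stream
    buckets = 0
    out_bytes = 0
    for off in range(0, len(body), BUCKET_SIZE):
        if check_aborted and conn.aborted:
            return buckets, out_bytes  # nothing can reach the client any more
        out = z.compress(body[off:off + BUCKET_SIZE])
        buckets += 1
        out_bytes += len(out)
        conn.write(out)  # the original loop never examined the write result
    out_bytes += len(z.flush())
    return buckets, out_bytes


def wasted_work(total_buckets=50, abort_after=5):
    """Compare the two behaviours on a constructed, highly compressible body.

    Returns the bucket count each variant compressed; the difference is CPU
    spent on a response nobody will receive.
    """
    body = b"A" * (BUCKET_SIZE * total_buckets)  # constructed sample body
    unpatched, _ = deflate_filter(body, Connection(abort_after), check_aborted=False)
    patched, _ = deflate_filter(body, Connection(abort_after), check_aborted=True)
    return {"unpatched": unpatched, "patched": patched}


if __name__ == "__main__":
    print(wasted_work())
```

The patched loop still compresses one bucket past the abort: the flag is only raised when a write fails, and the loop sees it on the next iteration. That mirrors the real filter, where the check at the top of the loop bounds wasted work to one bucket rather than eliminating it.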
--- Begin Message ---
Source: apache2
Source-Version: 2.2.9-10+lenny4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.9-10+lenny4_i386.deb
apache2-doc_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.9-10+lenny4_all.deb
apache2-mpm-event_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny4_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
apache2-src_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.9-10+lenny4_all.deb
apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
apache2-suexec_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec_2.2.9-10+lenny4_i386.deb
apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
apache2-utils_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.9-10+lenny4_i386.deb
apache2.2-common_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.9-10+lenny4_i386.deb
apache2_2.2.9-10+lenny4.diff.gz
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.diff.gz
apache2_2.2.9-10+lenny4.dsc
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.dsc
apache2_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Jul 2009 21:53:01 +0200
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-common - Apache HTTP Server common files
Closes: 534712 536718
Changes: 
 apache2 (2.2.9-10+lenny4) stable-security; urgency=high
 .
   * Security fixes:
     - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
     - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
       Also prevent compressing the content for HEAD requests.
Checksums-Sha1: 
 b6985c3c29faf52c7a593aa44cddf3b15981b864 1673 apache2_2.2.9-10+lenny4.dsc
 89c68afe4a74abb0213e17be879155f4a95b5f85 138623 apache2_2.2.9-10+lenny4.diff.gz
 9acb9f447940cbbfca2fae4de3638c3e04eb996a 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 c97554508708286d7305af28a53f412a42ac075b 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 1329a07a996735a140c67bb886a0584ac4bef237 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 cfdb8b27cba028a2718edb9cd17353b2877e7baa 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 2a7e88f106a86ae91c345b8c8d29e24c3fc52c79 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 61451e675e2138780d18ed338ffed84c792c446b 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 a74cf4abd63f81074d524130264e711ccc4b1b33 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 791dc787b001b16115ea53470d76b820b189ef40 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 ed4185e8f8ecd5d08117b948d251a8198e977dd9 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 730f886299d7e71d08bd03b23440981d949c5303 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 d0b8c58630ca50924e7f0f62af75cc2bfe0b993c 44714 apache2_2.2.9-10+lenny4_all.deb
 89017171b8c11b62e2bc12267585e54fb094f431 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 f4121631849bf777c8302a3b674852cb579d2eeb 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Checksums-Sha256: 
 2b696c8027e914658e15871c4ce8dd4fec5db7430f6e00d5f9b2197fd6997f51 1673 apache2_2.2.9-10+lenny4.dsc
 27aa3da621bd4cbae660105aeeee5e5e6745f573c240546b223d42856a2615c4 138623 apache2_2.2.9-10+lenny4.diff.gz
 3b2544bdaf52872eeb90df8f1b92dcf31bc3aabdefd78915fe3203c9a53ce501 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 5dc6201e8f96d36d00165c109f993a8e66a31053dd7a99fa86ffe0a6ef122153 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 0363d9b28624bf3ce8ddbcaacde1ce28247217d7b4e3c016afaaea1502c0d016 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 c8c99837d0141b0c5186e2dcd91bd4f7a77ab5d36b45522d9a3372c6a89269f7 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 aa3b21c33fc44b91ebaa13c370b12a269871ac1c12cbf1573a38ce5601f9182c 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 0fd933959dfceb197a7cd6a1a795757d6367426a71317b5f7a7d6fa321e3e3c1 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 3f61c6dbb6ffb0d4c50082cc818c18d6a4ab6355007321bd6d409a80dcf80442 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 b4e79bd64fb3bd901c5e80c5683bc39eb83975a4b1dbf48dbe9b534d8177bc4d 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 6aebd6d9e5de18fbcba1129fe8007a76202b12ceafab8ac2eeb408430c92e6c3 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 97cac91b09821dd0dfb96759627bbde6f89fb7fc472e124088726dcff6ae7404 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 e3f40fe80d7e348f6589897adfc677fdcbb8132d9fa7c49c7db76e66d1868b06 44714 apache2_2.2.9-10+lenny4_all.deb
 9a59cc794efdebbd83a429b64941d776c2d1765922cc07a86a4d1600627f4a65 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 4cdfad211b7200fa628e3ccb84f8790c7418ef2814218ef1e6aba65fc479a7c3 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Files: 
 3edbeef1b78cdcb238a1b156b1e15bb3 1673 web optional apache2_2.2.9-10+lenny4.dsc
 e83f70e3fe9dc21e23b9e12e0e3509a2 138623 web optional apache2_2.2.9-10+lenny4.diff.gz
 91c5374730252660a652998778f37d8d 782590 web optional apache2.2-common_2.2.9-10+lenny4_i386.deb
 5354fbeaf0547f9a42bb15093325f549 240464 web optional apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 db7f962144ad83c02e89cf774292288b 236982 web optional apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 d071d125f52595d24d7ce27a700125b2 240950 web optional apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 a5f47b4e360f4dfb1af40edc0fd4b029 142984 web optional apache2-utils_2.2.9-10+lenny4_i386.deb
 14dc03b9022352f6ca89cc18d5a0330e 81826 web optional apache2-suexec_2.2.9-10+lenny4_i386.deb
 1bada724cf9b6dd9f63c650467efeba9 83576 web extra apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 c3f8cc33efaf94bb394269a70c71a0d1 210906 devel extra apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 962c9711427d4b3040f2682cc76ab86a 212226 devel extra apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 ec028a4db5a43f4ed9ad5be64752d03a 2321656 libdevel extra apache2-dbg_2.2.9-10+lenny4_i386.deb
 bc0ebb5a9da11e825827315a6899abfb 44714 web optional apache2_2.2.9-10+lenny4_all.deb
 196001254f77a940ad90c9b71a852e77 2060300 doc optional apache2-doc_2.2.9-10+lenny4_all.deb
 79b3f9d5db6aa727567fbe8465ff90d4 6734400 devel extra apache2-src_2.2.9-10+lenny4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXOoabxelr8HyTqQRAifyAKCtMLqGJ+HNyverlKLoE+R064+afQCgnJog
0EY43IHPqNSnZ4ikE+ARipk=
=kCvs
-----END PGP SIGNATURE-----



--- End Message ---
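As an added example (not part of the bug tracker message or of Debian's own tooling), the Python below reimplements the dpkg version-comparison rules from Debian Policy so that an administrator can check `dpkg -l` output against the fixed version announced above. The binary package names and the fixed version `2.2.9-10+lenny4` come from the close message; the sample `dpkg -l` lines are constructed; `dpkg_compare`, `find_unpatched` and `APACHE2_BINARIES` are names chosen for this example.

```python
# Fixed version and the binaries built from source package apache2, per the
# close message above.
FIXED_VERSION = "2.2.9-10+lenny4"
APACHE2_BINARIES = {
    "apache2", "apache2-dbg", "apache2-doc", "apache2-mpm-event",
    "apache2-mpm-prefork", "apache2-mpm-worker", "apache2-prefork-dev",
    "apache2-src", "apache2-suexec", "apache2-suexec-custom",
    "apache2-threaded-dev", "apache2-utils", "apache2.2-common",
}


def _order(ch):
    """Ordering of non-digit characters: '~' sorts before everything (even the
    end of the string), letters sort before other characters."""
    if ch is None or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # a has more digits: it is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def find_unpatched(dpkg_l_lines):
    """Return installed apache2 binaries whose version is older than the fix.

    Accepts lines in `dpkg -l` layout (status, name, version, description);
    header lines and other packages are ignored.
    """
    unpatched = []
    for line in dpkg_l_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name, version = fields[1], fields[2]
        if name in APACHE2_BINARIES and dpkg_compare(version, FIXED_VERSION) < 0:
            unpatched.append(name)
    return unpatched


# Constructed sample of `dpkg -l` output from a host still on lenny3.
SAMPLE_DPKG_L = """\
ii  apache2.2-common    2.2.9-10+lenny3      Apache HTTP Server common files
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime
"""

if __name__ == "__main__":
    print(find_unpatched(SAMPLE_DPKG_L.splitlines()))
```

The comparison handles the cases that trip up naive string or float comparison: the `+lenny3` versus `+lenny4` revision suffix, epochs such as `1:`, tilde pre-release markers that sort before the release, and numeric components of different lengths such as `2.2.10` versus `2.2.9`.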
