Bug#601606: apache2: Renegotiation on POST request fails intermittently
Package: apache2.2-common
Version: 2.2.9-10+lenny8csail4
Severity: normal

I am providing this bug report primarily for informational purposes.
Note that version 2.2.9-10+lenny8csail4 is my rebuild of the +lenny8
package, described below.

I rebuilt the package to integrate fixes for the SSL renegotiation
vulnerability (CVE-2009-3555), as browsers will soon come with
insecure renegotiation disabled.  (My rebuild also links against
OpenSSL 0.9.8o, to get fixed renegotiation support, built from the
squeeze source.)  While testing the update, I was able to find the fix
for a long-standing bug that affected POST to servers requiring SSL
renegotiation.  The result of the bug was that Apache would
intermittently return a zero-length response to a POST request where
renegotiation was required, logging a renegotiation failure in
error.log.

My package includes Apache SVN changes 896900, 97343, 917726, and
984169.  I believe 896900 -- which forces certain reads from low-level
SSL buffers into blocking mode -- is the relevant fix here.  If there
is a chance to update the official lenny packages, it would be worth
including this fix, which applies without modification to the
2.2.9-10+lenny8 source.

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  actions alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs dir
  env expires fastcgi headers include jk mime mod-security2
  negotiation rewrite setenvif speling ssl status unique_id

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny8csail4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils      2.2.9-10+lenny8csail4 utility programs for webservers
ii  libapr1            1.2.12-5+lenny2       The Apache Portable Runtime Librar
ii  libaprutil1        1.2.12+dfsg-8+lenny4  The Apache Portable Runtime Utilit
ii  libc6              2.7-18lenny4          GNU C Library: Shared libraries
ii  libmagic1          4.26-1                File type determination library us
ii  libssl0.9.8        0.9.8o-1              SSL shared libraries
ii  lsb-base           3.2-20                Linux Standard Base 3.2 init scrip
ii  mime-support       3.44-1                MIME files 'mime.types' & 'mailcap
ii  net-tools          1.60-22               The NET-3 networking toolkit
ii  perl               5.10.0-19lenny2       Larry Wall's Practical Extraction 
ii  procps             1:3.2.7-11            /proc file system utilities
ii  psmisc             22.6-1                Utilities that use the proc filesy
ii  zlib1g             1:1.2.3.3.dfsg-12     compression library - runtime

-- no debconf information