Bug#601606: apache2: Renegotiation on POST request fails intermittently
Package: apache2.2-common
Version: 2.2.9-10+lenny8csail4
Severity: normal
I am providing this bug report primarily for informational purposes.
Note that version 2.2.9-10+lenny8csail4 is my rebuild of the +lenny8
package, described below.
I rebuilt the package to integrate fixes for the SSL renegotiation
vulnerability (CVE-2009-3555), as browsers will soon come with
insecure renegotiation disabled. (My rebuild also links against
OpenSSL 0.9.8o, to get fixed renegotiation support, built from the
squeeze source.) While testing the update, I was able to find the fix
for a long-standing bug that affected POST to servers requiring SSL
renegotiation. The result of the bug was that Apache would
intermittently return a zero-length response to a POST request where
renegotiation was required, logging a renegotiation failure in
error.log.
My package includes Apache SVN changes 896900, 97343, 917726, and
984169. I believe 896900 -- which forces certain reads from low-level
SSL buffers into blocking mode -- is the relevant fix here. If there
is a chance to update the official lenny packages, it would be worth
including this fix, which applies without modification to the
2.2.9-10+lenny8 source.
-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
actions alias auth_basic auth_digest authn_file authz_default
authz_groupfile authz_host authz_user autoindex cgi dav dav_fs dir
env expires fastcgi headers include jk mime mod-security2
negotiation rewrite setenvif speling ssl status unique_id
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2 depends on:
ii apache2-mpm-prefor 2.2.9-10+lenny8csail4 Apache HTTP Server - traditional n
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny8csail4 utility programs for webservers
ii libapr1 1.2.12-5+lenny2 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19lenny2 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii psmisc 22.6-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
-- no debconf information
Reply to: