[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#627182: marked as done (libapr1: last security update introduces a infinite loop condition)

Your message dated Sat, 21 May 2011 13:55:30 +0000
with message-id <E1QNmeQ-0000VL-Vj@franck.debian.org>
and subject line Bug#627182: fixed in apr 1.4.2-6+squeeze2
has caused the Debian Bug report #627182,
regarding libapr1: last security update introduces a infinite loop condition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
627182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream

Hello,

We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3)
causes apr_fnmatch to enter an infinite loop, on particular patters.

For instance, with the following configuration directive:
    <Location "/*/WEB-INF/">
        deny from all
    </Location> 
if someone visits any URL, an apache2 thread will start consuming 100% CPU.

This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.

Regards,

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6                         2.13-4     Embedded GNU C Library: Shared lib
ii  libuuid1                      2.17.2-9.1 Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message --- 
Source: apr
Source-Version: 1.4.2-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.4.2-6+squeeze2.diff.gz
  to main/a/apr/apr_1.4.2-6+squeeze2.diff.gz
apr_1.4.2-6+squeeze2.dsc
  to main/a/apr/apr_1.4.2-6+squeeze2.dsc
libapr1-dbg_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dbg_1.4.2-6+squeeze2_i386.deb
libapr1-dev_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dev_1.4.2-6+squeeze2_i386.deb
libapr1_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1_1.4.2-6+squeeze2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 19 May 2011 07:49:05 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.2-6+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 627182
Changes: 
 apr (1.4.2-6+squeeze2) stable-security; urgency=low
 .
   * Fix regression introduced by fix for CVE-2011-0419:
     apr_fnmatch may consume 100% CPU. CVE-2011-1928
     Closes: #627182
Checksums-Sha1: 
 d1dfe494a67460bc469a26d1b7dbcba9765376e9 1396 apr_1.4.2-6+squeeze2.dsc
 2faf7079e26604ae959efb05f3e0ba110ed76bc2 25863 apr_1.4.2-6+squeeze2.diff.gz
 e41d7404492fb1118170873dbd5a836a79c5f011 86016 libapr1_1.4.2-6+squeeze2_i386.deb
 a406685c29321ad4ce9c54fd99bb426ce27ee62e 1029208 libapr1-dev_1.4.2-6+squeeze2_i386.deb
 f57cf747e8bc6126819c059c17cc2b2c102804ae 23984 libapr1-dbg_1.4.2-6+squeeze2_i386.deb
Checksums-Sha256: 
 8881eafcde2acaf7cae4ecc3957f8be29904d342cb929942685c79746ff015f3 1396 apr_1.4.2-6+squeeze2.dsc
 2d1801c3477e4b2888f0a1827d75a9f068eb0c2f2a87a29aadc95293b783c034 25863 apr_1.4.2-6+squeeze2.diff.gz
 79fa4ecd885a397720d81b85df81bd0296f1e835386d9a98b0509354785e6282 86016 libapr1_1.4.2-6+squeeze2_i386.deb
 fbe3e2a3022e71e0ab11515aca2f1d91f7d6e77f0d5f12bb1cb7d620bfd9e8a5 1029208 libapr1-dev_1.4.2-6+squeeze2_i386.deb
 7758f98fc3dd41f9bed039e68a68b7f3fd9ce0488bd07d78d0a1d17133a7af8f 23984 libapr1-dbg_1.4.2-6+squeeze2_i386.deb
Files: 
 e84dfc0fbdb765427cbb7ffa5ca6eeec 1396 libs optional apr_1.4.2-6+squeeze2.dsc
 7ee09dbe0f0691b06dc71a346b0fb3df 25863 libs optional apr_1.4.2-6+squeeze2.diff.gz
 99e63c65b900fc31d8a00e22edb759dc 86016 libs optional libapr1_1.4.2-6+squeeze2_i386.deb
 47c131f38486dcac21ebfb5e8f4a9748 1029208 libdevel optional libapr1-dev_1.4.2-6+squeeze2_i386.deb
 31f6a80b2c0654069d25d93f2a5b2b50 23984 debug extra libapr1-dbg_1.4.2-6+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFN1LFSbxelr8HyTqQRAlU/AKCpbtOXulTi6fxpYRiFiSUNAu2UIACfS0/F
tZcnxKc/8Qc4f+5VTb4aQTk=
=3VLs
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: