Your message dated Sat, 21 May 2011 13:55:30 +0000
with message-id <E1QNmeQ-0000VL-Vj@franck.debian.org>
and subject line Bug#627182: fixed in apr 1.4.2-6+squeeze2
has caused the Debian Bug report #627182,
regarding libapr1: last security update introduces an infinite loop condition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
627182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libapr1: last security update introduces an infinite loop condition
- From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
- Date: Wed, 18 May 2011 15:25:16 +0200
- Message-id: <20110518132516.GA18364@ortolo.eu>
Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream

Hello,

We have found that the last security update (1.4.2-6+squeeze1,
1.2.12-5+lenny3) causes apr_fnmatch to enter an infinite loop on
particular patterns. For instance, with the following configuration
directive:

    <Location "/*/WEB-INF/">
        deny from all
    </Location>

if someone visits any URL, an apache2 thread will start consuming 100%
CPU.

This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be
reproduced with the vanilla apr.

Regards,

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6     2.13-4      Embedded GNU C Library: Shared lib
ii  libuuid1  2.17.2-9.1  Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information

Attachment: signature.asc (Digital signature)
--- End Message ---
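The report above is about a glob matcher that stops making progress on a pattern such as "/*/WEB-INF/" and pins a worker at 100% CPU. The defensive property a reviewer wants from any such matcher is that every loop iteration makes monotone progress, so the amount of work is bounded by the input sizes and no request can make it spin. The following is an added example written for this page, not apr_fnmatch's code or Debian's patch: an iterative two-pointer matcher supporting only "*" and "?" (no bracket classes or escapes, which is an assumed simplification), with an explicit step budget that turns any violation of the progress invariant into an exception rather than a hung thread. The `pathname` flag follows POSIX FNM_PATHNAME semantics (wildcards never match "/"); which flags Apache passes for `<Location>` is not stated in the report, so both behaviours are shown.

```python
"""Bounded-work glob matcher (constructed example; not apr_fnmatch's code)."""


def step_budget(pattern: str, subject: str) -> int:
    """Upper bound on loop iterations of fnmatch_bounded().

    Each backtrack moves the star anchor one subject character to the right,
    and between backtracks every iteration advances either the subject index
    or the pattern index, so the total is at most
    (len(subject)+1) * (len(subject)+len(pattern)+1).
    """
    return (len(subject) + 1) * (len(subject) + len(pattern) + 1)


def fnmatch_bounded(pattern: str, subject: str, pathname: bool = False) -> bool:
    """Match subject against a glob with '*' and '?' only.

    pathname=True gives FNM_PATHNAME semantics: '*' and '?' never match '/'.
    The loop is iterative and each iteration makes monotone progress; the
    step counter is a fail-closed guard so that a logic bug raises instead
    of consuming CPU forever.
    """
    n, m = len(pattern), len(subject)
    p = s = 0
    star = -1      # pattern index of the most recent '*', or -1 if none
    star_s = -1    # subject index at which that '*' currently starts
    steps = 0
    budget = step_budget(pattern, subject)

    while s < m:
        steps += 1
        if steps > budget:
            raise RuntimeError("glob matcher exceeded its step budget")
        c = pattern[p] if p < n else None
        if c is not None and c != "*" and (
            c == subject[s]
            or (c == "?" and not (pathname and subject[s] == "/"))
        ):
            # Literal or single-character match: consume one char of each.
            p += 1
            s += 1
        elif c == "*":
            # Record the star and tentatively let it match the empty string.
            star, star_s = p, s
            p += 1
        elif star != -1:
            # Mismatch after a star: let the star absorb one more subject
            # character and retry the rest of the pattern from there.
            if pathname and subject[star_s] == "/":
                return False
            star_s += 1
            s = star_s
            p = star + 1
        else:
            return False

    # Subject exhausted: any remaining pattern chars must all be '*'.
    while p < n and pattern[p] == "*":
        p += 1
    return p == n


if __name__ == "__main__":
    # Constructed sample paths, including the "any URL" case from the report.
    pattern = "/*/WEB-INF/"
    for path in ("/app/WEB-INF/", "/a/b/WEB-INF/", "/index.html", "/"):
        print(
            f"{pattern!r} vs {path!r}: "
            f"plain={fnmatch_bounded(pattern, path)} "
            f"pathname={fnmatch_bounded(pattern, path, pathname=True)}"
        )
```

Running the script shows that "/index.html" and "/" are rejected after a handful of iterations, which is exactly the case the report says made the patched apr_fnmatch spin. The budget check is deliberately computed from the input sizes rather than hard-coded, so it scales with long request URIs without becoming a false positive.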
--- Begin Message ---
- To: 627182-close@bugs.debian.org
- Subject: Bug#627182: fixed in apr 1.4.2-6+squeeze2
- From: Stefan Fritsch <sf@debian.org>
- Date: Sat, 21 May 2011 13:55:30 +0000
- Message-id: <E1QNmeQ-0000VL-Vj@franck.debian.org>
Source: apr
Source-Version: 1.4.2-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.4.2-6+squeeze2.diff.gz
  to main/a/apr/apr_1.4.2-6+squeeze2.diff.gz
apr_1.4.2-6+squeeze2.dsc
  to main/a/apr/apr_1.4.2-6+squeeze2.dsc
libapr1-dbg_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dbg_1.4.2-6+squeeze2_i386.deb
libapr1-dev_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dev_1.4.2-6+squeeze2_i386.deb
libapr1_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1_1.4.2-6+squeeze2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 627182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 19 May 2011 07:49:05 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.2-6+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 627182
Changes: 
 apr (1.4.2-6+squeeze2) stable-security; urgency=low
 .
   * Fix regression introduced by fix for CVE-2011-0419: apr_fnmatch may
     consume 100% CPU. CVE-2011-1928 Closes: #627182
Checksums-Sha1: 
 d1dfe494a67460bc469a26d1b7dbcba9765376e9 1396 apr_1.4.2-6+squeeze2.dsc
 2faf7079e26604ae959efb05f3e0ba110ed76bc2 25863 apr_1.4.2-6+squeeze2.diff.gz
 e41d7404492fb1118170873dbd5a836a79c5f011 86016 libapr1_1.4.2-6+squeeze2_i386.deb
 a406685c29321ad4ce9c54fd99bb426ce27ee62e 1029208 libapr1-dev_1.4.2-6+squeeze2_i386.deb
 f57cf747e8bc6126819c059c17cc2b2c102804ae 23984 libapr1-dbg_1.4.2-6+squeeze2_i386.deb
Checksums-Sha256: 
 8881eafcde2acaf7cae4ecc3957f8be29904d342cb929942685c79746ff015f3 1396 apr_1.4.2-6+squeeze2.dsc
 2d1801c3477e4b2888f0a1827d75a9f068eb0c2f2a87a29aadc95293b783c034 25863 apr_1.4.2-6+squeeze2.diff.gz
 79fa4ecd885a397720d81b85df81bd0296f1e835386d9a98b0509354785e6282 86016 libapr1_1.4.2-6+squeeze2_i386.deb
 fbe3e2a3022e71e0ab11515aca2f1d91f7d6e77f0d5f12bb1cb7d620bfd9e8a5 1029208 libapr1-dev_1.4.2-6+squeeze2_i386.deb
 7758f98fc3dd41f9bed039e68a68b7f3fd9ce0488bd07d78d0a1d17133a7af8f 23984 libapr1-dbg_1.4.2-6+squeeze2_i386.deb
Files: 
 e84dfc0fbdb765427cbb7ffa5ca6eeec 1396 libs optional apr_1.4.2-6+squeeze2.dsc
 7ee09dbe0f0691b06dc71a346b0fb3df 25863 libs optional apr_1.4.2-6+squeeze2.diff.gz
 99e63c65b900fc31d8a00e22edb759dc 86016 libs optional libapr1_1.4.2-6+squeeze2_i386.deb
 47c131f38486dcac21ebfb5e8f4a9748 1029208 libdevel optional libapr1-dev_1.4.2-6+squeeze2_i386.deb
 31f6a80b2c0654069d25d93f2a5b2b50 23984 debug extra libapr1-dbg_1.4.2-6+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFN1LFSbxelr8HyTqQRAlU/AKCpbtOXulTi6fxpYRiFiSUNAu2UIACfS0/F
tZcnxKc/8Qc4f+5VTb4aQTk=
=3VLs
-----END PGP SIGNATURE-----
--- End Message ---