[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#627182: marked as done (libapr1: last security update introduces a infinite loop condition)

Your message dated Sat, 21 May 2011 19:17:12 +0000
with message-id <E1QNrfk-0000MC-6Y@franck.debian.org>
and subject line Bug#627182: fixed in apr 1.4.5-1
has caused the Debian Bug report #627182,
regarding libapr1: last security update introduces a infinite loop condition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

627182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream


We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3)
causes apr_fnmatch to enter an infinite loop, on particular patters.

For instance, with the following configuration directive:
    <Location "/*/WEB-INF/">
        deny from all
if someone visits any URL, an apache2 thread will start consuming 100% CPU.

This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.


: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6                         2.13-4     Embedded GNU C Library: Shared lib
ii  libuuid1                      2.17.2-9.1 Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: Digital signature

--- End Message ---
--- Begin Message ---
Source: apr
Source-Version: 1.4.5-1

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

  to main/a/apr/apr_1.4.5-1.diff.gz
  to main/a/apr/apr_1.4.5-1.dsc
  to main/a/apr/apr_1.4.5.orig.tar.gz
  to main/a/apr/libapr1-dbg_1.4.5-1_i386.deb
  to main/a/apr/libapr1-dev_1.4.5-1_i386.deb
  to main/a/apr/libapr1_1.4.5-1_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.8
Date: Sat, 21 May 2011 20:49:17 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 libapr1    - Apache Portable Runtime Library
 libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - Apache Portable Runtime Library - Development Headers
Closes: 627182 627532
 apr (1.4.5-1) unstable; urgency=high
   * New upstream version:
     - Fix regression introduced by fix for CVE-2011-0419: apr_fnmatch may
       consume 100% CPU. CVE-2011-1928. Closes: #627182
   * Fix allocator using mmap crashing on non-4k-page platforms. Thanks to
     Lifeng Sun for the patch. Closes: #627532
 63113d5b1a71ca3eadae94c17c039539651b7c50 1360 apr_1.4.5-1.dsc
 acdde5a7fdda11e7815fe3035de5fc4c10c1d428 994320 apr_1.4.5.orig.tar.gz
 8051523156693e3667effbba64d5db034f838787 18461 apr_1.4.5-1.diff.gz
 e500fdfd1b72cf89ce3ca007ef34d9e3f4cf946c 99194 libapr1_1.4.5-1_i386.deb
 c9522b0ceb2a2e86d774e3cf2305116e395e0a65 1089578 libapr1-dev_1.4.5-1_i386.deb
 28a88240caadb1bbe6016daeb093e7ca14c93d27 25722 libapr1-dbg_1.4.5-1_i386.deb
 de9b841570cba549ff4e7b53416e1c47931f2c4b85ade1e8b6c7905a47daffc4 1360 apr_1.4.5-1.dsc
 7323d5f72d6bddf7d1ecb63e4326df82a66210018bb2f1e8f6d97357e68302df 994320 apr_1.4.5.orig.tar.gz
 0008d1c222c4478debd41777d821da68bf6e431f47815a6f7c86becd1e0aa9a7 18461 apr_1.4.5-1.diff.gz
 365c5286442bda3a9ea1fcc0ee5000360d324ecda9f5d10fa1e42c09579e0da3 99194 libapr1_1.4.5-1_i386.deb
 45eed52060b2c4f7190a00dfe5ea96440124220277b3409f58fb8dc6edc41dd5 1089578 libapr1-dev_1.4.5-1_i386.deb
 7db6caa978723dd549e4412f98aaf544a21fc8bc5439f16abb8961d29f310f43 25722 libapr1-dbg_1.4.5-1_i386.deb
 b101b5e1b5a60f3ccff174bd6a22ae15 1360 libs optional apr_1.4.5-1.dsc
 97262fe54dddaf583eaaee3497a426e1 994320 libs optional apr_1.4.5.orig.tar.gz
 a486e5080c275bd72b145bb602d77525 18461 libs optional apr_1.4.5-1.diff.gz
 d1bf69fd620c7f87fc21c1a302247c06 99194 libs optional libapr1_1.4.5-1_i386.deb
 cedee726d86282eff9e477b523dd1b13 1089578 libdevel optional libapr1-dev_1.4.5-1_i386.deb
 4c9be775f4f60a755d81f6f4fff1f3c4 25722 debug extra libapr1-dbg_1.4.5-1_i386.deb

Version: GnuPG v1.4.11 (GNU/Linux)


--- End Message ---

Reply to: