Bug#655435: marked as done (libapr1: apr_hash vulnerable to oCert-2011-003 style DOS attacks)



Your message dated Sun, 18 Mar 2012 22:47:16 +0000
with message-id <E1S9Ose-0003jY-FB@franck.debian.org>
and subject line Bug#655435: fixed in apr 1.4.6-1
has caused the Debian Bug report #655435,
regarding libapr1: apr_hash vulnerable to oCert-2011-003 style DOS attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
655435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655435
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libapr1
Version: 1.4.5-1.1
Severity: important
Tags: security

APR's hash implementation is vulnerable to the same types of algorithmic
complexity attacks disclosed in oCert-2011-003.

Discussion of the problem on the apr-dev mailing list is available here:

http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6     2.13-24
ii  libuuid1  2.20.1-1.1

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: apr
Source-Version: 1.4.6-1

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.4.6-1.diff.gz
  to main/a/apr/apr_1.4.6-1.diff.gz
apr_1.4.6-1.dsc
  to main/a/apr/apr_1.4.6-1.dsc
apr_1.4.6.orig.tar.gz
  to main/a/apr/apr_1.4.6.orig.tar.gz
libapr1-dbg_1.4.6-1_i386.deb
  to main/a/apr/libapr1-dbg_1.4.6-1_i386.deb
libapr1-dev_1.4.6-1_i386.deb
  to main/a/apr/libapr1-dev_1.4.6-1_i386.deb
libapr1_1.4.6-1_i386.deb
  to main/a/apr/libapr1_1.4.6-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 18 Mar 2012 23:22:59 +0100
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - Apache Portable Runtime Library
 libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - Apache Portable Runtime Library - Development Headers
Closes: 655435 664451
Changes: 
 apr (1.4.6-1) unstable; urgency=low
 .
   * New upstream release:
     - Fixes apr_file_trunc() bug which could lead to subversion repository
       corruption. Closes: #664451
     - Adds randomization to hashes. CVE-2012-0840 (but not known to be
       exploitable in httpd or svn). Closes: #655435
   * Remove Tollef Fog Heen and Ryan Niebur from uploaders. Thanks for your
     work in the past.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---