[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#705830: marked as done (apache2: Apache Range Exploit Detector)

Your message dated Sun, 21 Apr 2013 14:47:26 +0200
with message-id <201304211447.26740.sf@sfritsch.de>
and subject line Re: Bug#705830: apache2: Apache Range Exploit Detector
has caused the Debian Bug report #705830,
regarding apache2: Apache Range Exploit Detector
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
705830: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705830
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: apache2.2-common
Version: 2.2.16-6+squeeze11
Severity: normal

Hello, I discover this site:

http://apache-range-exploit.com/

and apache 2.2.16 is vulnerable to this type of attack.

Thanks!

Pol

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  actions* alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env mime
  negotiation php5 reqtimeout rewrite setenvif ssl status
  (A * means that the .conf file for that module is not enabled in
   /etc/apache2/mods-enabled/)
List of enabled php5 extensions:
  curl gd gmp imagick mcrypt mysql mysqli pdo pdo_mysql pdo_sqlite
  pspell recode snmp sqlite sqlite3 suhosin

-- System Information:
Debian Release: 6.0.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork   2.2.16-6+squeeze11 Apache HTTP Server - traditional n
ii  apache2.2-common      2.2.16-6+squeeze11 Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils         2.2.16-6+squeeze11 utility programs for webservers
ii  apache2.2-bin         2.2.16-6+squeeze11 Apache HTTP Server common binary f
ii  libmagic1             5.04-5+squeeze2    File type determination library us
ii  lsb-base              3.2-23.2squeeze1   Linux Standard Base 3.2 init scrip
ii  mime-support          3.48-1             MIME files 'mime.types' & 'mailcap
ii  perl                  5.10.1-17squeeze6  Larry Wall's Practical Extraction 
ii  procps                1:3.2.8-9squeeze1  /proc file system utilities

-- no debconf information

--- End Message ---
--- Begin Message --- 
On Saturday 20 April 2013, Pol Hallen wrote:
> Hello, I discover this site:
> 
> http://apache-range-exploit.com/
> 
> and apache 2.2.16 is vulnerable to this type of attack.

That's a false positive. That page does not really check if a site is 
vulnerable but if a site has disabled range support as a workaround. 
But since Debian's 2.2.16-6 has the proper fix, it has range support 
enabled.

--- End Message ---
Reply to: