
Bug#717272: marked as done (apache2: Fix for CVE-2013-1896)



Your message dated Sun, 21 Jul 2013 18:48:26 +0000
with message-id <E1V0ygE-0000OR-Ii@franck.debian.org>
and subject line Bug#717272: fixed in apache2 2.4.6-1
has caused the Debian Bug report #717272,
regarding apache2: Fix for CVE-2013-1896
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
717272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.4-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu saucy ubuntu-patch


In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch
--- apache2-2.4.4/debian/patches/CVE-2013-1896.patch	1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch	2013-07-18 11:21:47.000000000 -0400
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c	2011-12-04 19:08:01.000000000 -0500
++++ apache2-2.4.4/modules/dav/main/mod_dav.c	2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2683,11 +2689,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
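Review bot: the two continuation lines `"DAV not enabled for %s",` and `ap_escape_html(r->pool, r->uri)));` in the `@@ -707,6 +707,12 @@` region are indented with tabs while the surrounding mod_dav.c code and the rest of the added block use spaces; re-indent them with spaces so the patch matches upstream style and survives a `quilt refresh` cleanly. It would also help to say in the DEP-3 header (and add a `Bug-Debian:` field for #717272) that the `dav_get_provider(lookup.rnew) == NULL` check removed from the COPY/MOVE path at `@@ -2683,11 +2689,6 @@` is intentionally subsumed: with the `conf->provider == NULL` test now inside `dav_get_resource`, every caller that resolves a resource, including the MERGE handler this CVE concerns and the Destination lookup, gets an `HTTP_METHOD_NOT_ALLOWED` error before dereferencing `conf->provider->repos`, so the separate check becomes redundant. The user-visible message changes from the fixed "DAV not enabled for Destination URI." to one containing the request URI, which is acceptable because it passes through `ap_escape_html`.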
diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series
--- apache2-2.4.4/debian/patches/series	2013-07-02 09:33:25.000000000 -0400
+++ apache2-2.4.4/debian/patches/series	2013-07-18 11:20:09.000000000 -0400
@@ -20,3 +20,4 @@
 itk-rerun-configure.patch
 upstream-fixes
 allow-strtoul.patch
+CVE-2013-1896.patch
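Review bot: CVE-2013-1896.patch is appended after allow-strtoul.patch, so it is applied last in the series; since `upstream-fixes` sits earlier in the same series and may also touch modules/dav/main/mod_dav.c, confirm that `quilt push -a` still applies the whole stack without fuzz before upload. Note that the 2.4.6-1 upload closing this bug ships the fix in the new upstream release, so this quilt patch is only needed for the 2.4.4-based packages.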

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.6-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arno Töll <arno@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Jul 2013 18:44:42 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source i386 all
Version: 2.4.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Arno Töll <arno@debian.org>
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (binary files and modules)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
 libapache2-mod-macro - Transitional package for apache2-bin
 libapache2-mod-proxy-html - Transitional package for apache2-bin
Closes: 706962 716694 716921 717272 717299 717343 717448
Changes: 
 apache2 (2.4.6-1) unstable; urgency=low
 .
   New upstream release:
   * CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
     (Closes: #717272)
   * New modules mod_cache_socache, mod_proxy_wstunnel.
   * mod_ssl: Add support for subjectAltName-based host name checking in proxy
     mode (SSLProxyCheckPeerName).
   * mod_lua: Many new functions.
   * mod_auth_basic: Add a generic mechanism to fake basic authentication
     using the ap_expr parser (AuthBasicFake).
   * mod_proxy: New BalancerInherit and ProxyPassInherit options.
   * mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind password.
 .
   [ Arno Töll ]
   * Document our security model in our NEWS file and highlight we do not allow
     access to /srv. Thanks to joeyh for pointing this out.
   * Allow the use of apache2-maintscript-helper from a sub-function. We rely
     on dpkg's arguments supplied in $1, $2 etc. This clashes with function
     arguments supplied to the sh sub-function. Allow manual override in such
     cases.
   * Mention that the dh_apache2 conditional must be present in postrm too
     (Closes: #716694)
   * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
     checking the supplied arguments, we were off by one (Closes: #717299).
   * Reinstall index.html also on upgrades as it is removed during upgrades.
   * Add mod_macro transitional package as it was promoted to core and does not
     exist as individual package anymore (Closes: #706962)
 .
   [ Stefan Fritsch ]
   * Don't fail package upgrade or removal just because the configuration is in
     an inconsistent state (Closes: #716921, #717343, LP: #1202653).
   * Improve error output of init script.
   * Fix broken dependency information in several *.load files.
   * Add mod_authn_core as dependency of the mod_auth_* modules.
     (Closes: #717448)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

--- End Message ---