--- Begin Message ---
Package: apache2
Version: 2.4.4-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu saucy ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
APT prefers raring-updates
APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch
--- apache2-2.4.4/debian/patches/CVE-2013-1896.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch 2013-07-18 11:21:47.000000000 -0400
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c 2011-12-04 19:08:01.000000000 -0500
++++ apache2-2.4.4/modules/dav/main/mod_dav.c 2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+
+ conf = ap_get_module_config(r->per_dir_config, &dav_module);
+ /* assert: conf->provider != NULL */
++ if (conf->provider == NULL) {
++ return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++ apr_psprintf(r->pool,
++ "DAV not enabled for %s",
++ ap_escape_html(r->pool, r->uri)));
++ }
+
+ /* resolve the resource */
+ err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2683,11 +2689,6 @@
+ "Destination URI had an error.");
+ }
+
+- if (dav_get_provider(lookup.rnew) == NULL) {
+- return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+- "DAV not enabled for Destination URI.");
+- }
+-
+ /* Resolve destination resource */
+ err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+ 0 /* use_checked_in */, &resnew);
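Review bot: In the mod_dav.c hunk at -707, the new "if (conf->provider == NULL)" check sits directly under the unchanged comment "/* assert: conf->provider != NULL */", which now says the opposite of what the code handles. Drop or reword that comment (for example, "provider is NULL when DAV is not enabled for this URI") so a later reader does not take the pointer as already validated and remove the guard. The hunk at -2683 deletes the caller-side "dav_get_provider(lookup.rnew) == NULL" test immediately before the call to dav_get_resource(lookup.rnew, ...), so the Destination path now depends on the new guard being reached through that call; the visible context does not show which function the first hunk belongs to, so the Description should state that dependency explicitly. It should also mention that the client-visible text changes from "DAV not enabled for Destination URI." to "DAV not enabled for %s" with the HTML-escaped URI. The patch header has only Description and Origin; adding a bug or CVE reference line there would make the patch traceable without the changelog.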
diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series
--- apache2-2.4.4/debian/patches/series 2013-07-02 09:33:25.000000000 -0400
+++ apache2-2.4.4/debian/patches/series 2013-07-18 11:20:09.000000000 -0400
@@ -20,3 +20,4 @@
itk-rerun-configure.patch
upstream-fixes
allow-strtoul.patch
+CVE-2013-1896.patch
--- End Message ---
--- Begin Message ---
To: 717272-close@bugs.debian.org
Subject: Bug#717272: fixed in apache2 2.2.16-6+squeeze12
From: Stefan Fritsch <sf@debian.org>
Date: Sat, 01 Feb 2014 19:17:29 +0000
Message-id: <E1W9g4H-0005VA-Tq@franck.debian.org>

Source: apache2
Source-Version: 2.2.16-6+squeeze12
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 717272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Jan 2014 22:48:05 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze12
Distribution: squeeze
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 717272 722333
Changes:
 apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
 .
   * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
     the RewriteLog is escaped to prevent terminal escape sequences from
     entering the log file. Closes: #722333
   * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
     Closes: #717272
   * mod_dav: Fix segfaults in certain error conditions.
     https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
--- End Message ---