[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#717272: marked as done (apache2: Fix for CVE-2013-1896)

Your message dated Sat, 01 Feb 2014 19:17:29 +0000
with message-id <E1W9g4H-0005VA-Tq@franck.debian.org>
and subject line Bug#717272: fixed in apache2 2.2.16-6+squeeze12
has caused the Debian Bug report #717272,
regarding apache2: Fix for CVE-2013-1896
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
717272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: apache2
Version: 2.4.4-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu saucy ubuntu-patch



*** /tmp/tmp5THIhe/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch
--- apache2-2.4.4/debian/patches/CVE-2013-1896.patch	1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch	2013-07-18 11:21:47.000000000 -0400
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c	2011-12-04 19:08:01.000000000 -0500
++++ apache2-2.4.4/modules/dav/main/mod_dav.c	2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2683,11 +2689,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series
--- apache2-2.4.4/debian/patches/series	2013-07-02 09:33:25.000000000 -0400
+++ apache2-2.4.4/debian/patches/series	2013-07-18 11:20:09.000000000 -0400
@@ -20,3 +20,4 @@
 itk-rerun-configure.patch
 upstream-fixes
 allow-strtoul.patch
+CVE-2013-1896.patch

--- End Message ---
--- Begin Message --- 
Source: apache2
Source-Version: 2.2.16-6+squeeze12

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 28 Jan 2014 22:48:05 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze12
Distribution: squeeze
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 717272 722333
Changes: 
 apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
 .
   * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
     the RewriteLog is escaped to prevent terminal escape sequences from
     entering the log file. Closes: #722333
   * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
     Closes: #717272
   * mod_dav: Fix segfaults in certain error conditions.
     https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
Checksums-Sha1: 
 82b6c156735408afee7ecdb2141ece90f0907b8c 1819 apache2_2.2.16-6+squeeze12.dsc
 5931bc79595d61386605a8835048a8489590f2c0 231836 apache2_2.2.16-6+squeeze12.diff.gz
 601d32b60d09c15a562b45add3f586f59a514850 2305490 apache2-doc_2.2.16-6+squeeze12_all.deb
 d4780e9b3e0d5abbde9e244143554bbb81f19db3 309336 apache2.2-common_2.2.16-6+squeeze12_i386.deb
 ab1392229ffc0227e4909667acb370f384b60778 1354954 apache2.2-bin_2.2.16-6+squeeze12_i386.deb
 69e79c10d46834aa5622deb37c2e4c4e0f9e2b1b 2234 apache2-mpm-worker_2.2.16-6+squeeze12_i386.deb
 7ae6b0b78269460f85dbf51954a4f24ddc0396c1 2290 apache2-mpm-prefork_2.2.16-6+squeeze12_i386.deb
 b01323ed840b35f08e5d54a54093b0335475bfd9 2266 apache2-mpm-event_2.2.16-6+squeeze12_i386.deb
 be4e7804f442d5677337dd099364de2627c9f9a1 2296 apache2-mpm-itk_2.2.16-6+squeeze12_i386.deb
 bf62aa0a4c60029850afe49fef88e2833a09a3fd 165890 apache2-utils_2.2.16-6+squeeze12_i386.deb
 7fbd9b1f7400da4ed67e08df2d3078f7902b7bd7 100520 apache2-suexec_2.2.16-6+squeeze12_i386.deb
 d21f43552705114f1746e6958685ec990654e72e 102076 apache2-suexec-custom_2.2.16-6+squeeze12_i386.deb
 1ac250e6e528067a126d536f4ca61f7155f463c1 1392 apache2_2.2.16-6+squeeze12_i386.deb
 9e5916e8a78b9395b831623ddfb523046fb221c7 137240 apache2-prefork-dev_2.2.16-6+squeeze12_i386.deb
 75865fa2ec18cb15db451e4f5c5d028ec1192f57 138370 apache2-threaded-dev_2.2.16-6+squeeze12_i386.deb
 d4377ec96068bb6a2fe057e673bf21de4bcdcac9 2682448 apache2-dbg_2.2.16-6+squeeze12_i386.deb
Checksums-Sha256: 
 ca7e9c4d0d0f97b23d0da7e1b9c94562aa78ecde0226c839df3e981a7203fc3e 1819 apache2_2.2.16-6+squeeze12.dsc
 6ec13b2d398a5ac1219391fed1918d7bbf1ed688e4f956022305f5a6a61accec 231836 apache2_2.2.16-6+squeeze12.diff.gz
 d9dd16c107070abe2c25e35539bc19ead990beba4a5b5e93c0f166fef12fb89f 2305490 apache2-doc_2.2.16-6+squeeze12_all.deb
 d88d31c91aff63b5fa5b6a7985ad7156c8c9c11c80f78946314abef5b3460cec 309336 apache2.2-common_2.2.16-6+squeeze12_i386.deb
 c004fb887b670d42c7b85e937a8d0b97ab37f2f035f505751fca3f07a2792b34 1354954 apache2.2-bin_2.2.16-6+squeeze12_i386.deb
 5c1a8602d37769c93b1531ecf94a93eaf5c48ac25e3dac3f329211d6e7193c08 2234 apache2-mpm-worker_2.2.16-6+squeeze12_i386.deb
 3d9218939181a93624984b8fd116e333bb2ca09bd3c75447419453401fc6e953 2290 apache2-mpm-prefork_2.2.16-6+squeeze12_i386.deb
 c5d26b6d2f14daf754dbc5226620f9d56db2fe5ef9e6b6b3d9ee5af14d7a05a0 2266 apache2-mpm-event_2.2.16-6+squeeze12_i386.deb
 0cb1dfb86a99944dfcee67f3ca03bac805e3d235c6bc412de3b4daf577530eb6 2296 apache2-mpm-itk_2.2.16-6+squeeze12_i386.deb
 d67cf4746c447101a9f9277094cee1d4cbd998434831188f30a6928097b16dd8 165890 apache2-utils_2.2.16-6+squeeze12_i386.deb
 69e385d0f0db2e27299e9c512004f4b6e889817957b0160761d744568107ab77 100520 apache2-suexec_2.2.16-6+squeeze12_i386.deb
 20a2f32d0e88a0f9b411e3ed0fa9463dd7508dca70196640b058182220a7d81d 102076 apache2-suexec-custom_2.2.16-6+squeeze12_i386.deb
 4319a45666232f1308005834b131ba7d2c1da5e8d15901529b1ceb9f604e5dd9 1392 apache2_2.2.16-6+squeeze12_i386.deb
 f99f9c6154349f2cc2faf297c870564b002635031ccdb22bdc2dc02c5a904698 137240 apache2-prefork-dev_2.2.16-6+squeeze12_i386.deb
 122965a3c19c0720ff1b860d16bf020ed27523f8ce992a881589fe7736ecef71 138370 apache2-threaded-dev_2.2.16-6+squeeze12_i386.deb
 1f6937e9ea116f93b02edb180ea96e4840228b11beb454fa8edb3fc5e566e0f4 2682448 apache2-dbg_2.2.16-6+squeeze12_i386.deb
Files: 
 c5023cc54b4c1b29956a7752e6ef2a62 1819 httpd optional apache2_2.2.16-6+squeeze12.dsc
 e4606c56323e6c304db2aa02aead10cf 231836 httpd optional apache2_2.2.16-6+squeeze12.diff.gz
 72c56191e2cc7941883773e5610ac57b 2305490 doc optional apache2-doc_2.2.16-6+squeeze12_all.deb
 add687d3ccfbed6e1b7f8248a59c879e 309336 httpd optional apache2.2-common_2.2.16-6+squeeze12_i386.deb
 90b7e281bf7066fe24247d4419caa93c 1354954 httpd optional apache2.2-bin_2.2.16-6+squeeze12_i386.deb
 fc5c712716c33a6e30730a1b8002cc4d 2234 httpd optional apache2-mpm-worker_2.2.16-6+squeeze12_i386.deb
 973cca13267a594373831a3d2fb8e700 2290 httpd optional apache2-mpm-prefork_2.2.16-6+squeeze12_i386.deb
 e839b9a57c6d037f6b2e6964b06c5f11 2266 httpd optional apache2-mpm-event_2.2.16-6+squeeze12_i386.deb
 74837471d732be2c0466a209bc5e5fdf 2296 httpd extra apache2-mpm-itk_2.2.16-6+squeeze12_i386.deb
 28101d1701acadea2564c011bd0ea2a8 165890 httpd optional apache2-utils_2.2.16-6+squeeze12_i386.deb
 dbe7a1d80f6cd5cd0438eab37efb1071 100520 httpd optional apache2-suexec_2.2.16-6+squeeze12_i386.deb
 e2348ecdea5d9751c7a585259419f1de 102076 httpd extra apache2-suexec-custom_2.2.16-6+squeeze12_i386.deb
 e3da272fe85d1b5a7f802a25c126a594 1392 httpd optional apache2_2.2.16-6+squeeze12_i386.deb
 86b7b851298e878d3d7e44dd7114c7d3 137240 httpd extra apache2-prefork-dev_2.2.16-6+squeeze12_i386.deb
 c2e3828de77386daadc9f2a0a5e3a6a1 138370 httpd extra apache2-threaded-dev_2.2.16-6+squeeze12_i386.deb
 6e70af9a6489bed0cb7bdbdd8509e725 2682448 debug extra apache2-dbg_2.2.16-6+squeeze12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFS6Cu0bxelr8HyTqQRAo6GAKC64cnSHxajkBVBywPhKXhEgyhJyACgwbEX
o8ZZc52YHhfzgSZY8qlKtjU=
=PZB+
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: