--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apache2 - CVE-2013-1862 - mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server
- From: Martin Zobel-Helas <martin.zobel-helas@credativ.de>
- Date: Tue, 10 Sep 2013 13:08:56 +0200
- Message-id: <522EFDC8.1050707@credativ.de>
Package: apache2
Version: 2.2.16-6+squeeze10
Severity: important
Hi,
apache.org released a security update for CVE-2013-1862, which has been
marked as "security impact is unimportant" in security-tracker.d.n.
Please provide an updated package for oldstable and stable via
oldstable-proposed-updates and proposed-updates.
Thanks
Martin
--
Martin Zobel-Helas
Head of Operations
Tel.: +49 (2161) 4643-196
Fax: +49 (2161) 4643-100
Email: martin.zobel-helas@credativ.de
pgp fingerprint 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Managing Directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Index: CHANGES
===================================================================
--- CHANGES (revision 1469310)
+++ CHANGES (working copy)
@@ -1,8 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.25
+ *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+ mod_rewrite: Ensure that client data written to the RewriteLog is
+ escaped to prevent terminal escape sequences from entering the
+ log file. [Joe Orton]
-
Changes with Apache 2.2.24
*) SECURITY: CVE-2012-3499 (cve.mitre.org)
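Review bot: the lone `-` line before `Changes with Apache 2.2.24` removes the empty separator line between the 2.2.25 and 2.2.24 release blocks; unless the blank line is re-added elsewhere, keep it so the sections stay visually separated. The entry could also name the fields that are now escaped (remote host, remote hostname, authenticated user, server name and the log message text) and say that these values will now appear in RewriteLog in escaped rather than raw form, since anything parsing that log will see the changed output.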
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1469310)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -500,11 +500,11 @@
logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
"(%d) %s%s%s%s" APR_EOL_STR,
- rhost ? rhost : "UNKNOWN-HOST",
- rname ? rname : "-",
- r->user ? (*r->user ? r->user : "\"\"") : "-",
+ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+ rname ? ap_escape_logitem(r->pool, rname) : "-",
+ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
current_logtime(r),
- ap_get_server_name(r),
+ ap_escape_logitem(r->pool, ap_get_server_name(r)),
(void *)(r->server),
(void *)r,
r->main ? "subreq" : "initial",
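Review bot: rhost, rname and r->user are NULL-checked before ap_escape_logitem() is applied, but the new ap_escape_logitem(r->pool, ap_get_server_name(r)) call has no such guard, so it is worth confirming that ap_get_server_name() cannot return NULL on this path. A one-line comment explaining why the server name is treated as client data (with UseCanonicalName Off it is derived from the request's Host header) would also stop a later cleanup from dropping that call as redundant. The constant `"\"\""` for an empty user and the server-generated current_logtime(r) are correctly left unescaped.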
@@ -514,7 +514,7 @@
perdir ? "[perdir " : "",
perdir ? perdir : "",
perdir ? "] ": "",
- text);
+ ap_escape_logitem(r->pool, text));
nbytes = strlen(logline);
apr_file_write(conf->rewritelogfp, logline, &nbytes);
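Review bot: `text` is passed to ap_escape_logitem() directly, unlike the guarded call sites in the previous hunk, so confirm `text` is never NULL when this line runs or add the same `text ? ... : "-"` style guard. The three `perdir` arguments above it stay unescaped; since perdir is the per-directory configuration path and thus server-controlled that is acceptable, but a short comment stating the distinction would document why only `text` needed escaping.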
--- End Message ---
--- Begin Message ---
- To: 722333-close@bugs.debian.org
- Subject: Bug#722333: fixed in apache2 2.2.22-13+deb7u1
- From: Stefan Fritsch <sf@debian.org>
- Date: Sat, 01 Feb 2014 19:17:05 +0000
- Message-id: <E1W9g3t-0005N7-KS@franck.debian.org>
Source: apache2
Source-Version: 2.2.22-13+deb7u1
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 722333@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 31 Jan 2014 19:43:07 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source i386 all
Version: 2.2.22-13+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 717272 722333 731531
Changes:
apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium
.
Low impact security fixes:
* CVE-2013-1862: mod_rewrite: Ensure that client data written to the
RewriteLog is escaped to prevent terminal escape sequences from entering
the log file. Closes: #722333
* CVE-2013-1896: mod_dav: denial of service via MERGE request.
Closes: #717272
* mod_dav: Fix segfaults in certain error conditions.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
.
* Make apache2ctl create the necessary directories even if started with
special options for apache2. Closes: #731531
* Adjust paragraph in README.Debian about MaxMemFree not working properly.
The issue has been fixed with apr 1.4.5-1.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---