Bug#904107: marked as done (apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests)
Your message dated Fri, 27 Jul 2018 20:38:08 +0000
with message-id <E1fj9V2-0002xd-MN@fasolo.debian.org>
and subject line Bug#904107: fixed in apache2 2.4.34-1
has caused the Debian Bug report #904107,
regarding apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requests
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
904107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904107
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.33-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for apache2.
CVE-2018-8011[0]:
| By specially crafting HTTP requests, the mod_md challenge handler
| would dereference a NULL pointer and cause the child process to
| segfault. This could be used to DoS the server. Fixed in Apache HTTP
| Server 2.4.34 (Affected 2.4.33).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-8011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011
[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.34-1
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904107@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Jul 2018 21:37:37 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source amd64 all
Version: 2.4.34-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server (development headers)
apache2-doc - Apache HTTP Server (on-site documentation)
apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
apache2-utils - Apache HTTP Server (utility programs for web servers)
libapache2-mod-md - transitional package
libapache2-mod-proxy-uwsgi - transitional package
Closes: 904106 904107 904150 904641
Changes:
apache2 (2.4.34-1) unstable; urgency=medium
.
[ Ondřej Surý ]
* New upstream version 2.4.34
Security fixes:
- CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
- CVE-2018-8011: Denial of service in mod_md. Closes: #904107
* Refresh patches for Apache2 2.4.34 release
* Update the suexec-custom.patch for 2.4.34 release
.
[ Stefan Fritsch ]
* Remove load order dependency introduced in mod_lbmethod_* in 2.4.34
* Remove debian/gbp.conf. Closes: #904641
* Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
Closes: #904150
Checksums-Sha1:
25d293cf60a153ba5cc1106c99f6573e0400c5c0 3518 apache2_2.4.34-1.dsc
94d6e274273903ed153479c7701fa03761abf93d 6942969 apache2_2.4.34.orig.tar.bz2
acb8e31638e8ced866c6c49be49284c851feb20d 833 apache2_2.4.34.orig.tar.bz2.asc
51aad42cb6910d72d960f110494994a5531ee59c 787912 apache2_2.4.34-1.debian.tar.xz
20a88d3706732ef8b4da6fc7b3c84a8a764c2296 1308608 apache2-bin_2.4.34-1_amd64.deb
33a968c6e049321c1a4dfe49657bb6157f9a21a7 164948 apache2-data_2.4.34-1_all.deb
2338177074f73f71814f45b83f16669959e22417 4866084 apache2-dbg_2.4.34-1_amd64.deb
35283c7e0fdb6050fcb8fb61759c26017bbf9fd0 326276 apache2-dev_2.4.34-1_amd64.deb
4836b89cdcac03e1871f12ba877541ea363e5734 3952652 apache2-doc_2.4.34-1_all.deb
28dc72d8a8f619f725f4675566c3d525833a08b5 2340 apache2-ssl-dev_2.4.34-1_amd64.deb
86065fde31fe6965963dc7d26cb1f02c3cf8fc24 167108 apache2-suexec-custom_2.4.34-1_amd64.deb
2aea85544e1a27691f2611fba9a39fb9630a145f 165532 apache2-suexec-pristine_2.4.34-1_amd64.deb
8c76af685b41af9214150122b8fbac1a071ea874 231708 apache2-utils_2.4.34-1_amd64.deb
7a0ace96332573f9370d9226b53af660bdedb388 11520 apache2_2.4.34-1_amd64.buildinfo
b22e5223fa3bb843643ea0921670290364743093 246668 apache2_2.4.34-1_amd64.deb
a6de4af16a0357d89a2f3b266c34072dd4b4b125 940 libapache2-mod-md_2.4.34-1_amd64.deb
c87137a94af85c3dbba0ee55605202e9b550d006 956 libapache2-mod-proxy-uwsgi_2.4.34-1_amd64.deb
Checksums-Sha256:
0769375964064db6881490bc7ca40360d9dad445f52a712a4605a18cff7514c1 3518 apache2_2.4.34-1.dsc
fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0 6942969 apache2_2.4.34.orig.tar.bz2
7b9cc7b2af558508a1f5341822b29eac4f19c78295bc869e7420372c05d89279 833 apache2_2.4.34.orig.tar.bz2.asc
52f8405c70569bff315f297dc8572703bfcf96f3f646b57776a8929ba070e5d1 787912 apache2_2.4.34-1.debian.tar.xz
fb79111a65bf9ef5f847d1f1bf4acc0a1ce9f4eb70f05c25399493cb116fa94a 1308608 apache2-bin_2.4.34-1_amd64.deb
16685174573a0582baa84636d82c461d76b257dd858dde5686c1b2db9613fcd7 164948 apache2-data_2.4.34-1_all.deb
32ff895236045bb8d11a7284cf72833053ad444ec12b84927b815ab8fd7cc55f 4866084 apache2-dbg_2.4.34-1_amd64.deb
a641535a3cdcd784d6421838fad099b6a94c0d6d6943aba2ac287fa4a77452a0 326276 apache2-dev_2.4.34-1_amd64.deb
95642044d91686debe1d4b77e866a21cb77302cd8a08d432baf12d89fb69825a 3952652 apache2-doc_2.4.34-1_all.deb
6f66880fc72648cdab62b56d288355a516aa3a6ab96c0bd3b9d40f3412b0ec50 2340 apache2-ssl-dev_2.4.34-1_amd64.deb
2779c29ee81b6da45df85d3d86892eaa1255d267e03445397fbbecb672a2bd04 167108 apache2-suexec-custom_2.4.34-1_amd64.deb
cf6bccbb71603fbba50750fcf6167a114eac729de7b9dfcca8625da912410c34 165532 apache2-suexec-pristine_2.4.34-1_amd64.deb
15226adebe0ad0f9d11ba893e018190900ed7fe10c409aeb16ad61dff07e5dad 231708 apache2-utils_2.4.34-1_amd64.deb
ec811fa2e5e3a3b2d7ca1fa869044f152c1abd13559fb79ae03559b5d7bcaeeb 11520 apache2_2.4.34-1_amd64.buildinfo
03266007e12e907054ca80f13854444bb67aa254793e7f60ef817c3d8f49bcca 246668 apache2_2.4.34-1_amd64.deb
973fa2d7014c167692c57b42c285ffd281c3229e9d13450b610dce844a2ef529 940 libapache2-mod-md_2.4.34-1_amd64.deb
c8c9bcdad9eece07372ee9e5cb564c9ae72381eb80996d0343e5d7123f8cf49a 956 libapache2-mod-proxy-uwsgi_2.4.34-1_amd64.deb
Files:
29ab9e99c228a893e6163c4f71842910 3518 httpd optional apache2_2.4.34-1.dsc
818adca52f3be187fe45d6822755be95 6942969 httpd optional apache2_2.4.34.orig.tar.bz2
bb655ad9087838f45939d4061389c10a 833 httpd optional apache2_2.4.34.orig.tar.bz2.asc
390300b3b58a62a7ceae20fe27d5d176 787912 httpd optional apache2_2.4.34-1.debian.tar.xz
8d0f47f03a2d6aaff0f8d952555e4761 1308608 httpd optional apache2-bin_2.4.34-1_amd64.deb
38115c3be670fc03a61fee2acfddcecb 164948 httpd optional apache2-data_2.4.34-1_all.deb
0f89ac66d06e506f50e9178fa399067d 4866084 debug optional apache2-dbg_2.4.34-1_amd64.deb
f87765aafdabe65bfd55ff44eb47d5dc 326276 httpd optional apache2-dev_2.4.34-1_amd64.deb
cbd6e42af960ec534e0ce0ebde2bce69 3952652 doc optional apache2-doc_2.4.34-1_all.deb
7bb57b10d433b84506f229a2ecc30dac 2340 httpd optional apache2-ssl-dev_2.4.34-1_amd64.deb
aabe5b7fe10b717473719a7107cbd350 167108 httpd optional apache2-suexec-custom_2.4.34-1_amd64.deb
6192101980fb580e7f40d6afb2cde3ce 165532 httpd optional apache2-suexec-pristine_2.4.34-1_amd64.deb
8a51f040c88522aab99d354f68b9a5fe 231708 httpd optional apache2-utils_2.4.34-1_amd64.deb
48d3635b7a4a6c7e0fb8cc54fab431d7 11520 httpd optional apache2_2.4.34-1_amd64.buildinfo
79313fd939d54b05ef91c03dc9517e0c 246668 httpd optional apache2_2.4.34-1_amd64.deb
9b08e74bcdb95965d923b0f2ffbc5fb5 940 oldlibs optional libapache2-mod-md_2.4.34-1_amd64.deb
93ebfe30e5ea942ed49222dcc550ae1d 956 oldlibs optional libapache2-mod-proxy-uwsgi_2.4.34-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAltbeI0ACgkQxodfNUHO
/eDUTA//UbeI4cGHYykXaGPVjYZJenu1DZ+CsvrYQN3n6ywAAHa8GIKrpm72ZFHN
s4ihxh9axx13ZGH4rPKdMSYqAO5VgASf54sZ5oNLYc/9e5MHjr1RjcfAnGRH4t4Y
m9xB83CsYkqbVjZ2KCwf/CHp8iHbYk+3SeaR0LmZYGo52g6d805JYHPbFpu6uaGL
QFkvEiLngLZZ2pW5yL7OuKXaG1EKOCua6RKIUqJ3eZuqhWdsyA84/tXUerQxFsLQ
h0r6jwVsrtWHEDFJxxbzQ701QcA/CwmFjd3OmR4xWmdEEeA82YuNqu8mylPaXm7C
mK4yAY/qeUEUQEg5ggY+t1TFUToutarmFfk/4ZHjNWzFJpMZ7mMcQKIDAl3F5je7
1zca1ZTfeoRfS946f6Kk5owy+xlIFvXbd2YBV6VHeShH8BB1jq9UTVWNSudXNI46
dHfvA9XEb3cQD6hvybhKQnfzc4c8Pc4faCeEk8ivCsfFbcZa56fAdt6YiuDxtR38
yG6af88FrXl8ANrkrhppXT9wUfSmIOcj3BAWYTG6nu7quByBoGINGnbRXki6CxW9
rrc/3hZOWcC+veV53tXQNWRLsB0tepPM+LbEovNweP/OtzMxULwFi1ZQOA57V/1+
lRpoPlMlLT/VYrjgFbH//F7trnaB3cP9EkPVK9eoJNg04a4YZXI=
=zTzT
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: