Bug#909591: marked as done (apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames)
Your message dated Sun, 07 Oct 2018 11:34:26 +0000
with message-id <E1g97KM-000Gpl-9x@fasolo.debian.org>
and subject line Bug#909591: fixed in apache2 2.4.35-1
has caused the Debian Bug report #909591,
regarding apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
909591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 25 Sep 2018 20:57:06 +0200
- Message-id: <153790182628.10792.2497758288192373134.reportbug@eldamar.local>
Source: apache2
Version: 2.4.25-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for apache2.
CVE-2018-11763[0]:
mod_http2, DoS via continuous SETTINGS frames
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-11763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
[1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.35-1
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 909591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Oct 2018 12:54:58 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source amd64 all
Version: 2.4.35-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server
apache2-bin - Apache HTTP Server (modules and other binary files)
apache2-data - Apache HTTP Server (common files)
apache2-dbg - Apache debugging symbols
apache2-dev - Apache HTTP Server (development headers)
apache2-doc - Apache HTTP Server (on-site documentation)
apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
apache2-utils - Apache HTTP Server (utility programs for web servers)
libapache2-mod-md - transitional package
libapache2-mod-proxy-uwsgi - transitional package
Closes: 909591
Changes:
apache2 (2.4.35-1) unstable; urgency=medium
.
* New upstream version 2.4.35
Security fix:
- CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
Closes: #909591
* Fix lintian warning: Don't force xz in builddeb override.
Checksums-Sha1:
d1f3d0fa2caeae90d9e1d862337248217e5f2329 3518 apache2_2.4.35-1.dsc
2602f2b5b22d290dceea03fd27b6f998d12d9d73 7044336 apache2_2.4.35.orig.tar.bz2
12c12eee0706a1fb21a707611c602b8217df89d3 473 apache2_2.4.35.orig.tar.bz2.asc
6b799b61b15411a6d0fa20d63336a83be2961539 785996 apache2_2.4.35-1.debian.tar.xz
81f49174e6a04209972f7b7c693a2f2316f43308 1311168 apache2-bin_2.4.35-1_amd64.deb
e82f372e10364c2a9b190f4e3865e439b56d946d 164944 apache2-data_2.4.35-1_all.deb
91a797d9825dd2971f28c9641ea867c319c9e058 4871928 apache2-dbg_2.4.35-1_amd64.deb
5afd85acf4b654caed647f743b8b70287858c3e3 327044 apache2-dev_2.4.35-1_amd64.deb
f453823d19182f68f0043191fb9c323a889d543a 3988160 apache2-doc_2.4.35-1_all.deb
f34e3db2f7a86a64ab7d25569336995c37f437c2 2340 apache2-ssl-dev_2.4.35-1_amd64.deb
e8235b3bd9f1c365c972c359eb17187bba33d1a0 167788 apache2-suexec-custom_2.4.35-1_amd64.deb
13d01843fdf040e5aa96b0d2e650873dacd807f2 166200 apache2-suexec-pristine_2.4.35-1_amd64.deb
05df06e4733f029eb6d0d212d00623442cd28c21 232200 apache2-utils_2.4.35-1_amd64.deb
277da0d49711ce23eb11668ad6b9e1dccb1b0cb9 11453 apache2_2.4.35-1_amd64.buildinfo
6884e203344b60226f2c5b58b4119ca07afa29bc 247176 apache2_2.4.35-1_amd64.deb
5ede317e556c29e20ac409d7762b1cdeae51be8c 940 libapache2-mod-md_2.4.35-1_amd64.deb
910ec74eefd2c80d1140a83cb13cdc595899a1ad 956 libapache2-mod-proxy-uwsgi_2.4.35-1_amd64.deb
Checksums-Sha256:
daf50c9ac45a2117e5331a8c850aa12dfdf80e3b63e43d0c116bf1c2a254c62c 3518 apache2_2.4.35-1.dsc
2607c6fdd4d12ac3f583127629291e9432b247b782396a563bec5678aae69b56 7044336 apache2_2.4.35.orig.tar.bz2
78dae735ea09dc90388d453e27c71183c147b2d3076dac659743e6a7ef02231e 473 apache2_2.4.35.orig.tar.bz2.asc
63408c8836a195a93b78d8c16cda30d1d034dd35df5c877c811860799fc191fd 785996 apache2_2.4.35-1.debian.tar.xz
38ae0365f5b69576f685482f581f011a2705a72bd6cced46a915f7bb01dd7b44 1311168 apache2-bin_2.4.35-1_amd64.deb
e6bd0e51cbf1fa4bfae02eead7200b281c8bef5e0072daf4744074cf913188b7 164944 apache2-data_2.4.35-1_all.deb
17e731231b61685ac645d941b7d03a8dff911f068eacbf900de3bf86b9a14e88 4871928 apache2-dbg_2.4.35-1_amd64.deb
1ac8019bc6b807ea000a1a558135acb7d1b6d98f704c9f79322546541c641e74 327044 apache2-dev_2.4.35-1_amd64.deb
4fdc0f66d2971976f2d03887aef7f9122a79b97367614c8314545620b76e57ea 3988160 apache2-doc_2.4.35-1_all.deb
a8bd1b27a082e3b7137dec1c7ab965fa920b5e7fc1715ce42d16069522bb6cfe 2340 apache2-ssl-dev_2.4.35-1_amd64.deb
568c1d3278261c5ee29736d288760cbca9a2fdb2a279870007a7dd00bc72d3bf 167788 apache2-suexec-custom_2.4.35-1_amd64.deb
bbe1f543bbbb191cc31bb912edac68003926f07bbe1ff32d4b9d72289431d238 166200 apache2-suexec-pristine_2.4.35-1_amd64.deb
26fd18c591f311d9e0ab4886d133beb5b188b19f0156820e60f44d20053de8a0 232200 apache2-utils_2.4.35-1_amd64.deb
4a714ea6270a29a2ac526b9315a98a87c59aae73959243eea60a3f90a034442a 11453 apache2_2.4.35-1_amd64.buildinfo
217810162297eae3de52571accb9ffe5164b8d06c4ead6954eb0d2c5b15eeaf8 247176 apache2_2.4.35-1_amd64.deb
03338142b05fc8594f342c83e37556e406bdbeac567eb33beff2c72041a75d3e 940 libapache2-mod-md_2.4.35-1_amd64.deb
b0944182a8c35fd49c434729cb6e453488cd2fb041cc0fcd6ddeda60f70f6837 956 libapache2-mod-proxy-uwsgi_2.4.35-1_amd64.deb
Files:
43574eaf2d4c220b058cd1f2470b59d5 3518 httpd optional apache2_2.4.35-1.dsc
30c1cde80ffe814a8d16b4fdffda330a 7044336 httpd optional apache2_2.4.35.orig.tar.bz2
a1baca95920b365f03c3aff20b1a52e5 473 httpd optional apache2_2.4.35.orig.tar.bz2.asc
f13eb0f8dce6a29b1a50af4a30a47251 785996 httpd optional apache2_2.4.35-1.debian.tar.xz
d7000ed44910c8f48d310fa849b0d506 1311168 httpd optional apache2-bin_2.4.35-1_amd64.deb
974314978d2396f9de7924fdaa8b41ac 164944 httpd optional apache2-data_2.4.35-1_all.deb
844ea2854c1e20a70e532cbc38dcecea 4871928 debug optional apache2-dbg_2.4.35-1_amd64.deb
74e8602dbdbec39b470859f30b410b82 327044 httpd optional apache2-dev_2.4.35-1_amd64.deb
7924e2370e898e47ee3bdb72f59337e9 3988160 doc optional apache2-doc_2.4.35-1_all.deb
4fe91cae56850188789dca8c625c79f7 2340 httpd optional apache2-ssl-dev_2.4.35-1_amd64.deb
a3be0cc1095fb7b7a051f8bd76da24d3 167788 httpd optional apache2-suexec-custom_2.4.35-1_amd64.deb
11d8e435ddcb9d670a0c3b9fe65627b4 166200 httpd optional apache2-suexec-pristine_2.4.35-1_amd64.deb
a7234b20313dacd519003fb3e0e41133 232200 httpd optional apache2-utils_2.4.35-1_amd64.deb
cdaa49679f95ae2436da7e9c6e7cb770 11453 httpd optional apache2_2.4.35-1_amd64.buildinfo
b27d0d22dd64ae41b1861ea83f8d4df0 247176 httpd optional apache2_2.4.35-1_amd64.deb
8690d77e1930047420d4d682c3c0a6fd 940 oldlibs optional libapache2-mod-md_2.4.35-1_amd64.deb
9bdee9c18bd6f9c937e2f6e9f7a704b3 956 oldlibs optional libapache2-mod-proxy-uwsgi_2.4.35-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlu56U8ACgkQxodfNUHO
/eDAFQ//Qde5l9YlRHZ9y9AZIxriSnL80McNseTv75YFfhGEsuiRWSz1H4cSNg4O
WVisk/SmkH2JqqIDAgZupW3mP0cLOkd/2NHcDeVUV6CAnd5jBI07ttBWchzhkpdH
MZlRcBxOCK652xqLu2bsAzCBPm+Nal+XBkwkmJyjTXzk0EQYV0+fum8qf1l+iook
p8YhMEBhS1JC2N1NOviNJAoftFuUJCmA3lSyA8RZBFRqldBwMMaJ/7zhHLE+3ZN8
coOdbu3ohyLepN/VLSVn5ItBQ3rF3lNLFQgIi+wagA5tgq94cLSX1pMiq59hhtCS
4qS6DoP7aFn/VVLSrrOV/HyKfnW//KWlzqSjOb0+KEuhsHQaYVBHqxXPSjGuQDWB
1Xy+zF1jop5BeFsw64RlFxhXzrVmgsd7trZF4w8SGjcS+sfsA4dzmxOtkltJ/pwE
OCXDvpxh5/ujV3LnnBzMt9kA+z/HCrEEDcHr2wSebpNX0kG+gGnh2YZ4QcG9UVcv
vbD8iBy0t4dt4JpuXNa93dv6RdZF+I9bUPfvWAzgwwuXda5kt6YhUNZpIeJ+arWy
REqRqZzVU/pN2PKAZlUq2Uy1SLNjKCL58c21PJI62gBMb+L10WWgjQjtwK9TzhZp
5MsvWJmcpIeRmhRfWdtsKLnE8/wqBCoDXdcBRwxvyFydiNl2z9k=
=g/wz
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: