Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 19 Oct 2019 12:17:35 +0000
with message-id <E1iLnfr-000Dxs-50@fasolo.debian.org>
and subject line Bug#941202: fixed in apache2 2.4.25-3+deb9u9
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
• From: Daniel Cadden <danielcadden@codeweavers.net>
• Date: Thu, 26 Sep 2019 11:03:52 +0100
• Message-id: <CAO_o+TQi0_CH1FsMpkv9=L3ttOfXfOj0X8eNazHZHJMkjsqA9g@mail.gmail.com>

Package: apache2

Version: 2.4.25-3+deb9u8

Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting to access details of a member in a mod_proxy_balancer http balancer via the balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68"

The net effect of this is an inability to dynamically change the status of members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749: https://svn.apache.org/viewvc?view=revision&revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert  <none>

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 941202-close@bugs.debian.org
• Subject: Bug#941202: fixed in apache2 2.4.25-3+deb9u9
• From: Stefan Fritsch <sf@debian.org>
• Date: Sat, 19 Oct 2019 12:17:35 +0000
• Message-id: <E1iLnfr-000Dxs-50@fasolo.debian.org>

Source: apache2
Source-Version: 2.4.25-3+deb9u9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 17:43:54 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u9
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 941202
Changes:
 apache2 (2.4.25-3+deb9u9) stretch-security; urgency=medium
 .
   [ Xavier Guimard ]
   * Use correct patch for CVE-2019-10092. This fixes a regression in
     mod_proxy_balancer (Closes: #941202)
Checksums-Sha1:
 74885577336fc37387900ce5a941ba8952006860 2986 apache2_2.4.25-3+deb9u9.dsc
 e50b67e37fffe33735319b8b86d277ea44a5ef1a 816360 apache2_2.4.25-3+deb9u9.debian.tar.xz
 e904d94d22b84cd7dd5e935d1b717709a65bfa78 1185122 apache2-bin_2.4.25-3+deb9u9_amd64.deb
 bb91f8d77ec59bdec18da82ba1d5c543ab667865 162112 apache2-data_2.4.25-3+deb9u9_all.deb
 610faa125977ad90aee8125a3e31f77897d97d3a 4009578 apache2-dbg_2.4.25-3+deb9u9_amd64.deb
 18500026ba2538b686cdf4b6ff49943e86c27119 314710 apache2-dev_2.4.25-3+deb9u9_amd64.deb
 ede6f00a4dc5081a9eaac4526378ce1d803765e3 3771362 apache2-doc_2.4.25-3+deb9u9_all.deb
 08199978ab867614902cb5d231b35324967c9d71 2270 apache2-ssl-dev_2.4.25-3+deb9u9_amd64.deb
 14db0fa337b157f21cb14cf3c2055d5a796e263d 155736 apache2-suexec-custom_2.4.25-3+deb9u9_amd64.deb
 b6c0b8ded302ebae5e9f63b6517636257a33dce6 154250 apache2-suexec-pristine_2.4.25-3+deb9u9_amd64.deb
 9cd9d876c29331023a841c452eed40ae8abb08b1 217534 apache2-utils_2.4.25-3+deb9u9_amd64.deb
 800d4021e8f696a616e501bb19064a6989437d11 10229 apache2_2.4.25-3+deb9u9_amd64.buildinfo
 4d1ba0bc49b08f9af0a65e8bb6e304af57edbbc6 236520 apache2_2.4.25-3+deb9u9_amd64.deb
Checksums-Sha256:
 b55b1a7d7bcd126082b5e0d6f86722e69365eacc2c20536a08f4db915747e297 2986 apache2_2.4.25-3+deb9u9.dsc
 06a2d680cb5aa21f7917948fcd286352ccbc440ec1f6f08c5519c801c8893a99 816360 apache2_2.4.25-3+deb9u9.debian.tar.xz
 82b6e8bb89722e302e7b66294c97358d4481be8237cecd505b605f7080beaa83 1185122 apache2-bin_2.4.25-3+deb9u9_amd64.deb
 83d2ed7b62447c2422c969d586dfe324512a0ea9dc1d11f4910cace364150c3a 162112 apache2-data_2.4.25-3+deb9u9_all.deb
 ff9c6aefb436c16132e55682bd4d96cc361f3317048479a75b76cb42e6707338 4009578 apache2-dbg_2.4.25-3+deb9u9_amd64.deb
 78de8669f75400bffd85630d151f40477bc007a2165d8d1f757952f474c100b8 314710 apache2-dev_2.4.25-3+deb9u9_amd64.deb
 f7345e5b6930f9572131eefb4f7a7c63ba2730e65d6a587965a51a67169cec5a 3771362 apache2-doc_2.4.25-3+deb9u9_all.deb
 1833aff63f07734a30d50141502be29beb949b2511f813b23e7e9a7ab8cb88bd 2270 apache2-ssl-dev_2.4.25-3+deb9u9_amd64.deb
 1a80d12ee4caadc34f611f65410b7e3680d16f5157d7fb9b02be9cc3cca5f904 155736 apache2-suexec-custom_2.4.25-3+deb9u9_amd64.deb
 e6b6231b0ccebd3cb24dbac416de0c8d562e289c04b88ee92b2f7d11a53d425c 154250 apache2-suexec-pristine_2.4.25-3+deb9u9_amd64.deb
 66ff90279898a7af5a6432a451188a660c0b4f1bb2647a837d1ccf995abaa9ac 217534 apache2-utils_2.4.25-3+deb9u9_amd64.deb
 49cdc541700a53b817a05d71a1d84cbf9e836e9d9a5a7126931e5730b01907e6 10229 apache2_2.4.25-3+deb9u9_amd64.buildinfo
 9f2e8c10a7de72872a9f7b5f62b0256b49d78e11921d398af0b110a989cf8d49 236520 apache2_2.4.25-3+deb9u9_amd64.deb
Files:
 3904c816d923af64260208191f898d9f 2986 httpd optional apache2_2.4.25-3+deb9u9.dsc
 a2816931a9e3a55f9cfe73db94642930 816360 httpd optional apache2_2.4.25-3+deb9u9.debian.tar.xz
 2ece1a48370fd47310261f0aa4d5950c 1185122 httpd optional apache2-bin_2.4.25-3+deb9u9_amd64.deb
 558ff0cbefb2bb991c25a09aff5db89c 162112 httpd optional apache2-data_2.4.25-3+deb9u9_all.deb
 2199df1dbae5fd0e65f8b9e7f26699f3 4009578 debug extra apache2-dbg_2.4.25-3+deb9u9_amd64.deb
 9ccd6a9649c6bdcb4ff601273e60c99a 314710 httpd optional apache2-dev_2.4.25-3+deb9u9_amd64.deb
 e85692461a91150502176c7ee3bf92be 3771362 doc optional apache2-doc_2.4.25-3+deb9u9_all.deb
 bfba5ffa7eede9a1fc8c185f8fd88a20 2270 httpd optional apache2-ssl-dev_2.4.25-3+deb9u9_amd64.deb
 5be262f2c63f58c1187a276e0d4f6ee8 155736 httpd extra apache2-suexec-custom_2.4.25-3+deb9u9_amd64.deb
 1f27d6cd6a6ff11a590a79c5ddce5ab6 154250 httpd optional apache2-suexec-pristine_2.4.25-3+deb9u9_amd64.deb
 d9273ea4eefc8963ff10079c3c3d5083 217534 httpd optional apache2-utils_2.4.25-3+deb9u9_amd64.deb
 c142bea31a265afdbc771cbf5a443cb7 10229 httpd optional apache2_2.4.25-3+deb9u9_amd64.buildinfo
 a0e5980c3d6b7c74e61bf1acf918edc7 236520 httpd optional apache2_2.4.25-3+deb9u9_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAl2jTPsACgkQxodfNUHO
/eB8+xAAg0pp5+IpU29khB65WzhnIjhEQkS8VFhcWX4eMy0rmD+sQK+xV+NjME0b
qaprq2KuX6ZFSmJniWhly82ZY70KN+Yw9qvnQXc63kTLPUUQGaQR8I8P+FScn70T
MJlO0EkfClUy5ymNFcbE0wRzSSaJvOM0qoaiF+gJ3PeTI2l/S8w6iZ/8aGK+d5Ov
lPea6dRtTf5mmWUjvD7i+k/EqrJ5RHIF1jwCLLB/pT7V+/Ogzic6GFPorSJuL/jR
Cve9SV1hlcb4gcgb0J6GhomAbDxjnszvjKxWh6qIOdNx4dx3Of8Klz8Cl/6AYp46
EpEEZZEg82wt2GZ/KJL3OdonHExAYwy9C8a6nXeyk6NniMyKZbdRE7iYYwqe9qIr
RI1Jlwr3d+hEIj/ciGTRD0WzASrfm5BRksMG45XRC65uvcXHXc9ddv0pWyDTIeeJ
3JQHDLeiV4zIDrl1ZQ5lOtEcb8FOZvNkXb7cVeTBpY4y1oeErgfWTe62RNVw2qkk
30kocvwIxCWvF/trU+BMF0ykNnZql3RgXaad0a4Nl4XC3f76LZYx7w1HqPg0+Hp1
mf/wl8BmB5VMVxfzKmYrgp6pB6RfrPPB8/Q5EExW7A2emBiNiU2mNLk7gnWtJZAY
0avvRVVsZecuy1+mpU/IWNsUar8X+YMp8SAX481GsExSQouo9uU=
=Y7Nk
-----END PGP SIGNATURE-----

--- End Message ---