
Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1



Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> > 
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to the patch?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two others) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at the last release changelog, the bug does not seem to be fixed
> > 
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> > 
> > HTH,
> > 
> > Regards,
> > Salvatore
> 
> I see that, but the provided link [1] doesn't mention it, nor does the
> apache2 changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are
mentioned already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore

