Your message dated Sat, 19 Oct 2019 12:32:08 +0000 with message-id <E1iLntw-000FzT-L3@fasolo.debian.org> and subject line Bug#941202: fixed in apache2 2.4.38-3+deb10u2 has caused the Debian Bug report #941202, regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
- From: Daniel Cadden <danielcadden@codeweavers.net>
- Date: Thu, 26 Sep 2019 11:03:52 +0100
- Message-id: <CAO_o+TQi0_CH1FsMpkv9=L3ttOfXfOj0X8eNazHZHJMkjsqA9g@mail.gmail.com>
Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting to access details of a member in a mod_proxy_balancer http balancer via the balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68"

The net effect of this is an inability to dynamically change the status of members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749: https://svn.apache.org/viewvc?view=revision&revision=1865749
-- Package-specific info:
-- System Information:
Debian Release: 9.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.25-3+deb9u8
ii apache2-data 2.4.25-3+deb9u8
ii apache2-utils 2.4.25-3+deb9u8
ii dpkg 1.18.25
ii init-system-helpers 1.48
ii lsb-base 9.20161125
ii mime-support 3.60
ii perl 5.24.1-3+deb9u5
ii procps 2:3.3.12-3+deb9u1
Versions of packages apache2 recommends:
pn ssl-cert <none>
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.5.2-5
ii libaprutil1 1.5.4-3
ii libaprutil1-dbd-sqlite3 1.5.4-3
ii libaprutil1-ldap 1.5.4-3
ii libc6 2.24-11+deb9u4
ii libldap-2.4-2 2.4.44+dfsg-5+deb9u3
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.18.1-1+deb9u1
ii libpcre3 2:8.39-3
ii libssl1.0.2 1.0.2s-1~deb9u1
ii libxml2 2.9.4+dfsg1-2.2+deb9u2
ii perl 5.24.1-3+deb9u5
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.25-3+deb9u8
ii apache2-bin 2.4.25-3+deb9u8
-- no debconf information
--- End Message ---
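
Added example (not part of the report, and not Debian or Apache code): a triage script that pulls AH10187 events out of an Apache error log and separates those whose referer is one of the balancer-manager's own hostnames, as in the report, from those coming from any other origin. The function names, the `own_hosts` parameter and every sample line except the first are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the Apache 2.4 error-log layout seen in the line quoted in the report.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] \[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d+): (?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

SAMPLE_LOG = [
    # First line is the one quoted in the bug report; the other two are constructed.
    "[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68",
    "[Thu Sep 26 09:52:10.000001 2019] [proxy_balancer:error] [pid 13106:tid 139942457935617] [client 192.0.2.10:40000] AH10187: ignoring params in balancer-manager cross-site access, referer: http://other.example/page.html",
    "[Thu Sep 26 09:50:00.000001 2019] [mpm_event:notice] [pid 13100:tid 139942457935000] AH00489: Apache/2.4.25 (Debian) configured -- resuming normal operations",
]

def parse_ah10187(lines):
    """Return one dict per AH10187 line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["code"] != "AH10187":
            continue
        ref = urlsplit(m["referer"] or "")
        query = parse_qs(ref.query)
        events.append({
            "time": m["ts"],
            "client": m["client"].rsplit(":", 1)[0],   # drop the source port
            "referer_host": ref.hostname,
            "balancer": query.get("b", [None])[0],     # balancer-manager 'b' param
            "worker": query.get("w", [None])[0],       # balancer-manager 'w' param
        })
    return events

def triage(events, own_hosts):
    """Split events by whether the referer host is one of our own hostnames."""
    own = {h.lower() for h in own_hosts}
    same, other = [], []
    for event in events:
        host = (event["referer_host"] or "").lower()
        (same if host in own else other).append(event)
    return same, other

if __name__ == "__main__":
    same, other = triage(parse_ah10187(SAMPLE_LOG), ["httpbalancer01"])
    for label, group in (("own-host referer", same), ("other referer", other)):
        for e in group:
            print(label, e["time"], e["client"], e["balancer"], e["worker"])
```

Events in the first group match the symptom described in the report (the manager page rejecting requests that came from itself); events in the second group are referers from elsewhere and need a separate look.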
--- Begin Message ---
- To: 941202-close@bugs.debian.org
- Subject: Bug#941202: fixed in apache2 2.4.38-3+deb10u2
- From: Xavier Guimard <yadd@debian.org>
- Date: Sat, 19 Oct 2019 12:32:08 +0000
- Message-id: <E1iLntw-000FzT-L3@fasolo.debian.org>
Source: apache2
Source-Version: 2.4.38-3+deb10u2

We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 941202@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 13 Oct 2019 22:23:11 +0200
Source: apache2
Architecture: source
Version: 2.4.38-3+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 941202
Changes:
 apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium
 .
   * Fix CVE-2019-10092 patch (Closes: #941202)
--- End Message ---