
Bug#989562: marked as done (apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request)



Your message dated Thu, 10 Jun 2021 10:18:27 +0000
with message-id <E1lrHlb-000IUv-Uv@fasolo.debian.org>
and subject line Bug#989562: fixed in apache2 2.4.46-5
has caused the Debian Bug report #989562,
regarding apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989562
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.47-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apache2.

CVE-2021-31618[0]:
| httpd: NULL pointer dereference on specially crafted HTTP/2 request

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31618
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
[1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
[2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.46-5
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Jun 2021 11:57:38 +0200
Source: apache2
Architecture: source
Version: 2.4.46-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 989562
Changes:
 apache2 (2.4.46-5) unstable; urgency=medium
 .
   * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
     (Closes: #989562, CVE-2021-31618)
Checksums-Sha1: 
 94ed6ebb8f0db140a310e2e62e5ec487c3979314 3501 apache2_2.4.46-5.dsc
 524559f4a87cb22eae2f7a82dff872e83445e52e 882500 apache2_2.4.46-5.debian.tar.xz
Checksums-Sha256: 
 1ece3d872ee0dd9a49b563034d35109a1e1b4d86bd7cc16b9f79d77c58ef0268 3501 apache2_2.4.46-5.dsc
 bf40072278b95384a9735897b638ca22de6dfb4b96ece428f65e81466a4c252b 882500 apache2_2.4.46-5.debian.tar.xz
Files: 
 7b5472fa6b3c4afbd50e1abab88190f7 3501 httpd optional apache2_2.4.46-5.dsc
 90bc28aaf94fefad506f01566086fb9a 882500 httpd optional apache2_2.4.46-5.debian.tar.xz


--- End Message ---
