Bug#988029: apache2: Non-unique IDs being generated by mod_unique_id - Fix available
Package: apache2
Version: 2.4.38-3+deb10u4
Severity: normal
Tags: patch
Hi
The current version has a race condition in mod_unique_id causing non-unique IDs to be
generated (multiple threads are using a counter without any mutex).
I've encountered the issue in a production situation myself.
There issue has been fixed upstream.
https://svn.apache.org/viewvc?view=revision&revision=1887244
https://svn.apache.org/viewvc?view=revision&revision=1887245
I've tried to compile the patch on top of the current stable version 2.0.38 which seems
to work. Upstream, the patch is only available from 2.0.47 and it's currently in experimental.
Maybe it can be applied to 2.0.38 aswell.
Best regards
Atle Solbakken
-- Package-specific info:
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-13-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.38-3+deb10u4
ii apache2-data 2.4.38-3+deb10u4
ii apache2-utils 2.4.38-3+deb10u4
ii dpkg 1.19.7
ii lsb-base 10.2019051400
ii mime-support 3.62
ii perl 5.28.1-6+deb10u1
ii procps 2:3.3.15-2
Versions of packages apache2 recommends:
ii ssl-cert 1.0.39
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.6.5-1+b1
ii libaprutil1 1.6.1-4
ii libaprutil1-dbd-sqlite3 1.6.1-4
ii libaprutil1-ldap 1.6.1-4
ii libbrotli1 1.0.7-2+deb10u1
ii libc6 2.28-10
ii libcurl4 7.64.0-4+deb10u2
ii libjansson4 2.12-1
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u6
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.36.0-2+deb10u1
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1d-0+deb10u6
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii perl 5.28.1-6+deb10u1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.38-3+deb10u4
ii apache2-bin 2.4.38-3+deb10u4
-- no debconf information
Reply to: