
Bug#988029: apache2: Non-unique IDs being generated by mod_unique_id - Fix available



Package: apache2
Version: 2.4.38-3+deb10u4
Severity: normal
Tags: patch

Hi

The current version has a race condition in mod_unique_id causing non-unique IDs to be
generated (multiple threads are using a counter without any mutex).

I've encountered the issue in a production situation myself.

The issue has been fixed upstream.

https://svn.apache.org/viewvc?view=revision&revision=1887244
https://svn.apache.org/viewvc?view=revision&revision=1887245

I've tried to compile the patch on top of the current stable version 2.0.38 which seems
to work. Upstream, the patch is only available from 2.0.47 and it's currently in experimental.

Maybe it can be applied to 2.0.38 as well.

Best regards
Atle Solbakken

-- Package-specific info:

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-13-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u4
ii  apache2-data   2.4.38-3+deb10u4
ii  apache2-utils  2.4.38-3+deb10u4
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6+deb10u1
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2+deb10u1
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4+deb10u2
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u6
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u6
ii  libxml2                  2.9.4+dfsg1-7+deb10u1
ii  perl                     5.28.1-6+deb10u1
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u4
ii  apache2-bin  2.4.38-3+deb10u4

-- no debconf information
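
The race described in the report (several threads advancing one counter with no synchronization) can be reproduced in isolation. The following is an added example, not part of the original report and not code from mod_unique_id or the upstream revisions: all names are hypothetical, the unsynchronized pattern is modeled as a separate load and store, and the atomic fetch-add is shown as one way to close the window, not as a description of the upstream patch.

```c
/* Added example (hypothetical names). Build stand-alone: cc -pthread race.c */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define THREADS 4
#define PER_THREAD 50000
#define TOTAL (THREADS * PER_THREAD)

static atomic_uint counter;      /* stand-in for the shared per-process ID counter */
static int use_fetch_add;        /* 0 = read-then-write pattern, 1 = atomic RMW */
static unsigned ids[TOTAL];      /* every ID handed out, one slice per thread */

static unsigned next_id(void) {
    if (use_fetch_add)
        return atomic_fetch_add(&counter, 1); /* indivisible read-modify-write */
    unsigned v = atomic_load(&counter);       /* read ... */
    atomic_store(&counter, v + 1);            /* ... write: another thread can run between */
    return v;
}

static void *worker(void *arg) {
    unsigned *out = arg;
    for (int i = 0; i < PER_THREAD; i++)
        out[i] = next_id();
    return NULL;
}

/* Runs THREADS workers and returns how many of the TOTAL IDs were repeats. */
static int count_duplicates(int fetch_add) {
    static unsigned char seen[TOTAL];
    pthread_t t[THREADS];
    int dups = 0;
    use_fetch_add = fetch_add;
    atomic_store(&counter, 0);
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < THREADS; i++)
        pthread_create(&t[i], NULL, worker, ids + i * PER_THREAD);
    for (int i = 0; i < THREADS; i++)
        pthread_join(t[i], NULL);
    for (int i = 0; i < TOTAL; i++) {         /* IDs never exceed TOTAL - 1 */
        if (seen[ids[i]]) dups++;
        seen[ids[i]] = 1;
    }
    return dups;
}

int main(void) {
    printf("load+store counter: %d duplicate IDs\n", count_duplicates(0));
    printf("atomic fetch-add:   %d duplicate IDs\n", count_duplicates(1));
    return 0;
}
```

The duplicate count for the load+store variant varies from run to run and depends on how many cores are available; the fetch-add variant always reports zero.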

