[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#988029: apache2: Non-unique IDs being generated by mod_unique_id - Fix available

Le 03/05/2021 à 23:29, Atle Solbakken a écrit :
> Package: apache2
> Version: 2.4.38-3+deb10u4
> Severity: normal
> Tags: patch
> 
> Hi
> 
> The current version has a race condition in mod_unique_id causing non-unique IDs to be
> generated (multiple threads are using a counter without any mutex).
> 
> I've encountered the issue in a production situation myself.
> 
> There issue has been fixed upstream.
> 
> https://svn.apache.org/viewvc?view=revision&revision=1887244
> https://svn.apache.org/viewvc?view=revision&revision=1887245
> 
> I've tried to compile the patch on top of the current stable version 2.0.38 which seems
> to work. Upstream, the patch is only available from 2.0.47 and it's currently in experimental.
> 
> Maybe it can be applied to 2.0.38 aswell.
> 
> Best regards
> Atle Solbakken

Hi,

Debian Buster is "stable", it means that to avoid regression, only
critical patches are applies (security or grave bug).
So this patch won't probably be accepted by Debian release team.

This bug will be fixed in Debian unstable with Apache 2.0.48 and be part of:
 * next Debian 12 (~2023)
 * Debian backports for Bullseye
 * maybe Debian backports for Buster (buster-backports-sloppy)

Cheers,
Yadd
Reply to: