Your message dated Sat, 05 Oct 2024 19:06:03 +0000
with message-id <E1sxA6N-006ZXB-0l@fasolo.debian.org>
and subject line Bug#1076554: fixed in apache2 2.4.62-4
has caused the Debian Bug report #1076554,
regarding CVE-2024-38473 Regression [1/2]: error parsing URL //: Invalid host/port
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1076554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076554
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Regression: error parsing URL //: Invalid host/port
- From: Sylvain Beucler <beuc@beuc.net>
- Date: Thu, 18 Jul 2024 17:39:15 +0200
- Message-id: <f7d5701b-7663-41ac-9e3f-df9d0ec41c05@beuc.net>
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important

Dear Maintainer,

Following DSA 5729-1 (2.4.61-1~deb12u1), access to Sympa broke.

User error: Bad Request
Log error: AH01059: error parsing URL //: Invalid host/port

I believe the issue is related to this line:
SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
This is the default configuration from the sympa Debian package.

I get the same result when compiling the debdiff from:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076531 (2.4.62)

I can work-around the issue by appending 'localhost':
SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://localhost"
(but this is still a regression in the stable release :))

-- Package-specific info:

-- System Information:
Debian Release: 12.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-cloud-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin               2.4.62-1~deb12u1~local
ii  apache2-data              2.4.62-1~deb12u1~local
ii  apache2-utils             2.4.62-1~deb12u1~local
ii  init-system-helpers       1.65.2
ii  lsb-base                  11.6
ii  media-types               10.0.0
ii  perl                      5.36.0-7+deb12u1
ii  procps                    2:4.0.2-3
ii  sysvinit-utils [lsb-base] 3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc              <none>
ii  apache2-suexec-pristine  2.4.62-1~deb12u1~local
pn  www-browser              <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u7
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u6
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.13-1~deb12u1
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc              <none>
ii  apache2-suexec-pristine  2.4.62-1~deb12u1~local
pn  www-browser              <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.62-1~deb12u1~local
ii  apache2-bin  2.4.62-1~deb12u1~local

-- no debconf information
--- End Message ---
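An added example, not part of the original report or of the Debian or Apache packages: a small Python check that scans Apache configuration text for the `SetHandler` form quoted in the report (a Unix-socket proxy target ending in `|fcgi://` with no host) and applies the reporter's `localhost` workaround. The function names and the `/other` entries in the sample configuration are constructed for illustration.

```python
import re

# SetHandler whose target is "proxy:unix:<socket>|fcgi://" with nothing after
# the double slash, optionally quoted. Commented-out lines do not match.
EMPTY_HOST = re.compile(
    r"""^(\s*SetHandler\s+)(["']?)(proxy:unix:[^|"'\s]+\|fcgi://)(\2)(\s*)$""",
    re.IGNORECASE,  # Apache directive names are case-insensitive
)

def audit(conf_text):
    """Return (line_number, directive) for every empty-host fcgi handler."""
    hits = []
    for lineno, line in enumerate(conf_text.split("\n"), start=1):
        if EMPTY_HOST.match(line):
            hits.append((lineno, line.strip()))
    return hits

def apply_workaround(conf_text, host="localhost"):
    """Append a host after 'fcgi://', as the workaround in the report does."""
    out = []
    for line in conf_text.split("\n"):
        m = EMPTY_HOST.match(line)
        if m:
            line = m.group(1) + m.group(2) + m.group(3) + host + m.group(2) + m.group(5)
        out.append(line)
    return "\n".join(out)

# Constructed sample: the sympa line is the one quoted in the report,
# the /other block is made up to show lines that must be left alone.
SAMPLE_CONF = '''\
<Location /sympa>
    SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
</Location>
<Location /other>
    # SetHandler "proxy:unix:/run/other/app.socket|fcgi://"
    SetHandler "proxy:unix:/run/other/app.socket|fcgi://localhost"
</Location>
'''

if __name__ == "__main__":
    for lineno, directive in audit(SAMPLE_CONF):
        print(f"line {lineno}: empty fcgi host: {directive}")
    print(apply_workaround(SAMPLE_CONF))
```

Running `audit` over each file under the Apache configuration directory before installing the security update shows which vhosts would start returning Bad Request with AH01059.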
--- Begin Message ---
- To: 1076554-close@bugs.debian.org
- Subject: Bug#1076554: fixed in apache2 2.4.62-4
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 05 Oct 2024 19:06:03 +0000
- Message-id: <E1sxA6N-006ZXB-0l@fasolo.debian.org>
- Reply-to: Bastien Roucariès <rouca@debian.org>
Source: apache2
Source-Version: 2.4.62-4
Done: Bastien Roucariès <rouca@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1076554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 05 Oct 2024 18:11:40 +0000
Source: apache2
Architecture: source
Version: 2.4.62-4
Distribution: experimental
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1076554
Changes:
 apache2 (2.4.62-4) experimental; urgency=medium
 .
   * Fix CVE-2024-38473 regression: error parsing URL //: Invalid host/port
     SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://" failed with
     AH01059: error (Closes: #1076554)
--- End Message ---