Re: Request for testing - apache2



On Sat, May 26, 2018 at 02:29:34PM -0400, Roberto C. Sánchez wrote:
> On Sat, May 26, 2018 at 02:27:18PM -0400, Roberto C. Sánchez wrote:
> > Hello,
> > 
> > I have prepared a new apache2 package (version 2.2.22-13+deb7u13) to
> > address CVE-2017-15710, CVE-2018-1301, and CVE-2018-1312.  The patch for
> > CVE-2018-1312 did not apply cleanly and required backporting an additional
> > commit from the Apache history, as well as adjusting the function calls
> > for logging and managing pool data.
> > 
> > As I do not use digest authentication, I thought it prudent to give
> > others the opportunity to test these packages before I upload them.
> > Unless I hear a negative report, I intend to upload on Tuesday or
> > Wednesday.
> > 
> The packages are available here: https://people.debian.org/~roberto/
> 
Hi all,

I have been able to resolve the problem which Thorsten identified, which
caused apache to fail to start with the backported patch for
CVE-2018-1312.  After some additional digging, I concluded that the
specific issue which caused apache to fail to start resulted from an
improvement/optimization included in the upstream patch which was not
suitable for apache 2.2.x.  I was clearly mistaken in thinking that I
had been able to properly backport the change.

As an alternative I went back to the original series of commits on the
trunk and cherry-picked/backported only those which were needed to
address the specific vulnerability in the CVE.  The resulting subset was
suitable for apache 2.2.x.  I did perform some testing of these packages
(this time even remembering that the module must be enabled in order to
ensure that it works; thanks Thorsten for helping with that).  However,
I would appreciate some additional review on this before I upload.

Updated packages are at the same location noted above.

Regards,

-Roberto

-- 
Roberto C. Sánchez
