
Bug#774289: marked as done (unblock: apache2/2.4.10-9)



Your message dated Wed, 31 Dec 2014 12:18:01 +0000
with message-id <1420028281.7476.38.camel@adam-barratt.org.uk>
and subject line Re: Bug#774289: unblock: apache2/2.4.10-9
has caused the Debian Bug report #774289,
regarding unblock: apache2/2.4.10-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774289
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apache2

It fixes a low-impact security issue, improves working with systemd (though
that's not quite perfect, yet) and fixes a build-dep. 

Thanks,
Stefan

Changelog:

apache2 (2.4.10-9) unstable; urgency=medium

  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
    arguments.
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421


Diffstat (full diff is attached):

 apache2.init                       |    8 ++
 apache2.install                    |    1 
 ask-for-passphrase                 |   48 +++++++++++++++
 changelog                          |   14 ++++
 config-dir/mods-available/ssl.conf |    2 
 control                            |    2 
 patches/CVE-2014-8109_mod_lua.diff |  118 +++++++++++++++++++++++++++++++++++++
 patches/series                     |    1 
 8 files changed, 192 insertions(+), 2 deletions(-)


unblock apache2/2.4.10-9
diff -Nru apache2-2.4.10/debian/apache2.init apache2-2.4.10/debian/apache2.init
--- apache2-2.4.10/debian/apache2.init	2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.init	2014-12-22 21:43:54.000000000 +0100
@@ -116,6 +116,10 @@
 apache_wait_start() {
 	local STATUS=$1
 	local i=0
+
+	if [ $STATUS != 0 ] ; then
+	        return $STATUS
+	fi
 	while : ; do
 	        PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
 	        if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
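Review bot: The new guard `if [ $STATUS != 0 ] ; then` leaves `$STATUS` unquoted, so when apache_wait_start is called without an argument the test becomes `[ != 0 ]`, which fails with "unary operator expected" and a non-zero status, and the function silently falls through into the wait loop it was meant to skip. Quoting fixes the parse error, and a default keeps the pre-patch behaviour for a missing argument: `if [ "${STATUS:-0}" != 0 ] ; then`. The callers are not in this hunk, so whether `$1` is always supplied cannot be confirmed here; the same construct is added to apache_wait_stop in the next hunk. apache_wait_start's body continues past the end of this hunk.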
@@ -136,6 +140,10 @@
 apache_wait_stop() {
 	local STATUS=$1
 
+	if [ $STATUS != 0 ] ; then
+	        return $STATUS
+	fi
+
 	PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
 	if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
 	        local i=0
diff -Nru apache2-2.4.10/debian/apache2.install apache2-2.4.10/debian/apache2.install
--- apache2-2.4.10/debian/apache2.install	2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.install	2014-12-22 20:14:39.000000000 +0100
@@ -3,4 +3,5 @@
 debian/a2enmod					/usr/sbin
 debian/apache2ctl				/usr/sbin
 debian/a2query					/usr/sbin
+debian/ask-for-passphrase			/usr/share/apache2/
 debian/debhelper/apache2-maintscript-helper	/usr/share/apache2/
diff -Nru apache2-2.4.10/debian/ask-for-passphrase apache2-2.4.10/debian/ask-for-passphrase
--- apache2-2.4.10/debian/ask-for-passphrase	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/ask-for-passphrase	2014-12-22 21:44:47.000000000 +0100
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+#    ask-for-passphrase - designed to be used by SSLPassPhraseDialog exec:
+#
+#    Copyright Canonical, Ltd. 2010, All Rights Reserved
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+sitename=$1
+keytype=$2
+
+log="logger -p daemon.err -t apache2"
+
+prompt="Enter passphrase for SSL/TLS keys for $sitename ($keytype):"
+
+# Apache gives us a pipe for stdin, but we want to
+# talk to apache's terminal.
+tty=`tty < /proc/${PPID}/fd/0`
+if [ "$tty" = "not a tty" ] ; then
+	if [ -x /bin/systemd-ask-password ] ; then
+		exec /bin/systemd-ask-password --timeout=0 "$prompt"
+	elif [ -x /bin/plymouth ] && plymouth --ping ; then
+		echo $prompt | logger
+		exec plymouth ask-for-password --prompt="$prompt"
+	else
+		$log "No way to ask user for passphrase"
+		exit 1
+	fi
+	$log "Passphrase prompt failed"
+	exit 1
+fi
+
+# We must not print anything on stdout except the passphrase
+read -s -p "$prompt" passphrase > $tty 2>&1 < $tty
+echo > $tty
+echo "$passphrase"
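Review bot: The passphrase handed back to mod_ssl can differ from what the user typed: `read -s` without `-r` interprets backslashes in the input, and `echo "$passphrase"` treats a passphrase such as `-n`, `-e` or `-E` as an option and prints nothing, so the key silently fails to decrypt. Use `read -r -s -p "$prompt" passphrase > "$tty" 2>&1 < "$tty"` and `printf '%s\n' "$passphrase"` instead. Separately, if `/proc/${PPID}/fd/0` cannot be opened the `tty` command prints nothing, `$tty` is empty rather than `not a tty`, the unquoted `> $tty` redirection fails with an ambiguous-redirect error, and an empty passphrase is still written to stdout; extending the check to `if [ -z "$tty" ] || [ "$tty" = "not a tty" ] ; then` would route that case to the systemd/plymouth fallbacks. The `$log "Passphrase prompt failed"` lines after the `exec` calls appear to be dead, since a failed `exec` in a non-interactive bash script exits the shell by default.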
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog	2014-11-18 15:18:18.000000000 +0100
+++ apache2-2.4.10/debian/changelog	2014-12-22 21:46:14.000000000 +0100
@@ -1,3 +1,17 @@
+apache2 (2.4.10-9) unstable; urgency=medium
+
+  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
+    LuaAuthzProvider is used in multiple Require directives with different
+    arguments.
+  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
+    fixes asking for certificate passphrases if started via systemd.
+    Closes: #773405
+  * Fix init script to not wait 20s if passphrase was wrong.
+  * Also bump debhelper build-depends to get dh_installdeb with support for
+    symlink_to_dir. Closes: #770421
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 22 Dec 2014 20:24:36 +0100
+
 apache2 (2.4.10-8) unstable; urgency=medium
 
   * Bump dpkg Pre-Depends to version that supports relative symlinks in
diff -Nru apache2-2.4.10/debian/config-dir/mods-available/ssl.conf apache2-2.4.10/debian/config-dir/mods-available/ssl.conf
--- apache2-2.4.10/debian/config-dir/mods-available/ssl.conf	2014-11-08 23:16:56.000000000 +0100
+++ apache2-2.4.10/debian/config-dir/mods-available/ssl.conf	2014-12-22 20:15:07.000000000 +0100
@@ -33,7 +33,7 @@
 	#   Configure the pass phrase gathering process.
 	#   The filtering dialog program (`builtin' is a internal
 	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  builtin
+	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
 
 	#   Inter-Process Session Cache:
 	#   Configure the SSL Session Cache: First the mechanism 
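Review bot: The comment above the changed directive still describes only the `builtin` dialog, so an administrator reading ssl.conf has no hint what the new `exec:` program does or when it prompts. Extending the comment with `#   Debian ships ask-for-passphrase, which prompts on the controlling terminal and falls back to systemd-ask-password or plymouth when there is none (see /usr/share/apache2/ask-for-passphrase).` would make the behaviour discoverable from the config file. It is also worth stating in that comment that, unlike `builtin`, the `exec:` dialog runs an external program from the package's own root-owned directory, so the directive should not be pointed at a path writable by unprivileged users.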
diff -Nru apache2-2.4.10/debian/control apache2-2.4.10/debian/control
--- apache2-2.4.10/debian/control	2014-11-17 00:37:59.000000000 +0100
+++ apache2-2.4.10/debian/control	2014-11-22 00:55:05.000000000 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
 Uploaders: Stefan Fritsch <sf@debian.org>, Arno Töll <arno@debian.org>
-Build-Depends: debhelper (>= 8.9.7~), lsb-release, dpkg-dev (>= 1.16.1~),
+Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>= 1.16.1~),
  libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev, zlib1g-dev,
  libssl-dev (>= 0.9.8m), perl,
  liblua5.1-0-dev, libxml2-dev, autotools-dev, gawk | awk
diff -Nru apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff
--- apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff	2014-12-22 19:53:32.000000000 +0100
@@ -0,0 +1,118 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1642861
+#
+#commit 3f1693d558d0758f829c8b53993f1749ddf6ffcb
+#Author: Jim Jagielski <jim@apache.org>
+#Date:   Tue Dec 2 12:50:59 2014 +0000
+#
+#    Merge r1642499 from trunk:
+#    
+#      *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+#         mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+#         used in multiple Require directives with different arguments.
+#         PR57204 [Edward Lu <Chaosed0 gmail.com>]
+#    
+#    Submitted By: Edward Lu
+#    Committed By: covener
+#    
+#    
+#    Submitted by: covener
+#    Reviewed/backported by: jim
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642861 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/CHANGES
++++ apache2/CHANGES
+@@ -6,6 +6,11 @@ Changes with Apache 2.4.11
+      mod_cache: Avoid a crash when Content-Type has an empty value.
+      PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
+ 
++  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
++     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
++     used in multiple Require directives with different arguments.
++     PR57204 [Edward Lu <Chaosed0 gmail.com>]
++
+   *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+      core: HTTP trailers could be used to replace HTTP headers
+      late during request processing, potentially undoing or
+--- apache2.orig/modules/lua/mod_lua.c
++++ apache2/modules/lua/mod_lua.c
+@@ -66,9 +66,13 @@ typedef struct {
+     const char *file_name;
+     const char *function_name;
+     ap_lua_vm_spec *spec;
+-    apr_array_header_t *args;
+ } lua_authz_provider_spec;
+ 
++typedef struct {
++    lua_authz_provider_spec *spec;
++    apr_array_header_t *args;
++} lua_authz_provider_func;
++
+ apr_hash_t *lua_authz_providers;
+ 
+ typedef struct
+@@ -1692,6 +1696,7 @@ static const char *lua_authz_parse(cmd_p
+ {
+     const char *provider_name;
+     lua_authz_provider_spec *spec;
++    lua_authz_provider_func *func = apr_pcalloc(cmd->pool, sizeof(lua_authz_provider_func));
+ 
+     apr_pool_userdata_get((void**)&provider_name, AUTHZ_PROVIDER_NAME_NOTE,
+                           cmd->temp_pool);
+@@ -1699,16 +1704,17 @@ static const char *lua_authz_parse(cmd_p
+ 
+     spec = apr_hash_get(lua_authz_providers, provider_name, APR_HASH_KEY_STRING);
+     ap_assert(spec != NULL);
++    func->spec = spec;
+ 
+     if (require_line && *require_line) {
+         const char *arg;
+-        spec->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
++        func->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
+         while ((arg = ap_getword_conf(cmd->pool, &require_line)) && *arg) {
+-            APR_ARRAY_PUSH(spec->args, const char *) = arg;
++            APR_ARRAY_PUSH(func->args, const char *) = arg;
+         }
+     }
+ 
+-    *parsed_require_line = spec;
++    *parsed_require_line = func;
+     return NULL;
+ }
+ 
+@@ -1722,7 +1728,8 @@ static authz_status lua_authz_check(requ
+                                                          &lua_module);
+     const ap_lua_dir_cfg *cfg = ap_get_module_config(r->per_dir_config,
+                                                      &lua_module);
+-    const lua_authz_provider_spec *prov_spec = parsed_require_line;
++    const lua_authz_provider_func *prov_func = parsed_require_line;
++    const lua_authz_provider_spec *prov_spec = prov_func->spec;
+     int result;
+     int nargs = 0;
+ 
+@@ -1744,19 +1751,19 @@ static authz_status lua_authz_check(requ
+         return AUTHZ_GENERAL_ERROR;
+     }
+     ap_lua_run_lua_request(L, r);
+-    if (prov_spec->args) {
++    if (prov_func->args) {
+         int i;
+-        if (!lua_checkstack(L, prov_spec->args->nelts)) {
++        if (!lua_checkstack(L, prov_func->args->nelts)) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02315)
+                           "Error: authz provider %s: too many arguments", prov_spec->name);
+             ap_lua_release_state(L, spec, r);
+             return AUTHZ_GENERAL_ERROR;
+         }
+-        for (i = 0; i < prov_spec->args->nelts; i++) {
+-            const char *arg = APR_ARRAY_IDX(prov_spec->args, i, const char *);
++        for (i = 0; i < prov_func->args->nelts; i++) {
++            const char *arg = APR_ARRAY_IDX(prov_func->args, i, const char *);
+             lua_pushstring(L, arg);
+         }
+-        nargs = prov_spec->args->nelts;
++        nargs = prov_func->args->nelts;
+     }
+     if (lua_pcall(L, 1 + nargs, 1, 0)) {
+         const char *err = lua_tostring(L, -1);
diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series	2014-11-18 14:57:02.000000000 +0100
+++ apache2-2.4.10/debian/patches/series	2014-12-22 19:53:05.000000000 +0100
@@ -10,3 +10,4 @@
 mpm_event_use_after_free.diff
 mod_ssl_memleak.diff
 mod_ssl-oscp_stapling_crash.diff
+CVE-2014-8109_mod_lua.diff

--- End Message ---
--- Begin Message ---
On Wed, 2014-12-31 at 13:06 +0100, Stefan Fritsch wrote:
> Please unblock package apache2
> 
> It fixes a low-impact security issue, improves working with systemd (though
> that's not quite perfect, yet) and fixes a build-dep. 

Unblocked.

Regards,

Adam

--- End Message ---
