
Bug#780973: marked as done (unblock: apache2/2.4.10-10)



Your message dated Sun, 22 Mar 2015 19:44:29 +0000
with message-id <1427053469.26766.4.camel@adam-barratt.org.uk>
and subject line Re: Bug#780973: unblock: apache2/2.4.10-10
has caused the Debian Bug report #780973,
regarding unblock: apache2/2.4.10-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apache2. It fixes CVE-2015-0228.

unblock apache2/2.4.10-10

Debdiff:

diff -Nru apache2-2.4.10/debian/apache2.NEWS apache2-2.4.10/debian/apache2.NEWS
--- apache2-2.4.10/debian/apache2.NEWS	2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.NEWS	2015-02-01 09:25:15.000000000 +0100
@@ -15,10 +15,11 @@
   modules, you have to re-compile them for apache2 2.4.
 
   The authorization and authentication system has changed. Existing
-  configurations using deprecated Order/Allow/Deny directives should be
+  configurations using deprecated Order/Allow/Deny directives need to be
   upgraded to the new system. Please review upstream's "Authentication,
-  Authorization and Access Control Howto" [1]. However, "mod_access_compat" is
-  loaded by default to provide backward compatibility.
+  Authorization and Access Control Howto" [1]. There is a new module
+  "mod_access_compat", which is supposed to provide backward compatibility,
+  but it does not work well in practice.
 
   Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
   at any time by (un-)loading a specific module. Be careful when upgrading. An
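Review bot: The new wording in the second paragraph of this hunk, "it does not work well in practice", does not tell an administrator what actually fails when Order/Allow/Deny directives are left in place. Since this concerns access control, state the concrete failure mode or reference the bug that documents it, so that readers can judge whether their existing configuration still enforces the restrictions they expect. The text also no longer says whether mod_access_compat is loaded by default, which the removed lines did state.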
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog	2014-12-22 21:46:14.000000000 +0100
+++ apache2-2.4.10/debian/changelog	2015-03-15 10:47:36.000000000 +0100
@@ -1,3 +1,14 @@
+apache2 (2.4.10-10) unstable; urgency=medium
+
+  * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
+    wsupgrade().
+  * Fix setup-instance example script to handle a2enconf/a2disconf.
+    LP: #1430936
+  * Tweak mention of mod_access_compat in NEWS.Debian. The module does
+    not really work in practice.
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 15 Mar 2015 10:47:36 +0100
+
 apache2 (2.4.10-9) unstable; urgency=medium
 
   * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
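Review bot: The CVE-2015-0228 entry in the new 2.4.10-10 stanza names neither the patch file it adds nor a Debian bug, while the setup-instance entry below it carries "LP: #1430936". Mentioning debian/patches/CVE-2015-0228_mod_lua.diff in the entry would make the security fix traceable from the changelog alone. The mod_access_compat entry repeats "does not really work in practice" without a reference; a bug number there would help as well.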
diff -Nru apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff
--- apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/CVE-2015-0228_mod_lua.diff	2015-03-15 10:33:38.000000000 +0100
@@ -0,0 +1,53 @@
+#commit 1f1375a2a615337d3fd1da2aad7a080243cbdcb7
+#Author: Eric Covener <covener@apache.org>
+#Date:   Wed Mar 4 19:18:27 2015 +0000
+#
+#    Merge r1657261 from trunk:
+#    
+#      *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+#         mod_lua: A maliciously crafted websockets PING after a script
+#         calls r:wsupgrade() can cause a child process crash.
+#         [Edward Lu <Chaosed0 gmail.com>]
+#    
+#    Discovered by Guido Vranken <guidovranken gmail.com>
+#    
+#    Submitted by: Edward Lu
+#    Committed by: covener
+#    
+#    
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/lua/lua_request.c
++++ apache2/modules/lua/lua_request.c
+@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State
+ {
+     apr_socket_t *sock;
+     apr_status_t rv;
++    int do_read = 1;
+     int n = 0;
+     apr_size_t len = 1;
+     apr_size_t plen = 0;
+@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State
+     mask_bytes = apr_pcalloc(r->pool, 4);
+     sock = ap_get_conn_socket(r->connection);
+ 
++    while (do_read) { 
++    do_read = 0;
+     /* Get opcode and FIN bit */
+     if (plaintext) {
+         rv = apr_socket_recv(sock, &byte, &len);
+@@ -2372,10 +2375,11 @@ static int lua_websocket_read(lua_State
+                 frame[0] = 0x8A;
+                 frame[1] = 0;
+                 apr_socket_send(sock, frame, &plen); /* Pong! */
+-                lua_websocket_read(L); /* read the next frame instead */
++                do_read = 1;
+             }
+         }
+     }
++    }
+     return 0;
+ }
+ 
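Review bot: In the PING branch of lua_websocket_read(), do_read = 1 is set directly after apr_socket_send(sock, frame, &plen) without looking at that call's return status, so a failed Pong still sends the function back to the top of the loop for another read. Consider storing the status in rv and setting do_read only on success. Replacing the recursive lua_websocket_read(L) call with the loop removes the stack growth per PING frame, but the loop has no iteration limit; either cap the number of consecutive control frames handled in one call or add a comment saying the unbounded loop is intended. The body between "while (do_read) {" and its closing brace is not re-indented and the while line has trailing whitespace, which is fine for a minimal backport but makes the added brace before "return 0;" easy to misread.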
diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series	2014-12-22 19:53:05.000000000 +0100
+++ apache2-2.4.10/debian/patches/series	2015-03-15 10:33:23.000000000 +0100
@@ -11,3 +11,4 @@
 mod_ssl_memleak.diff
 mod_ssl-oscp_stapling_crash.diff
 CVE-2014-8109_mod_lua.diff
+CVE-2015-0228_mod_lua.diff
diff -Nru apache2-2.4.10/debian/setup-instance apache2-2.4.10/debian/setup-instance
--- apache2-2.4.10/debian/setup-instance	2014-11-08 23:16:56.000000000 +0100
+++ apache2-2.4.10/debian/setup-instance	2015-03-15 10:37:19.000000000 +0100
@@ -25,7 +25,7 @@
 chmod 755 /etc/init.d/apache2-$SUFFIX
 
 echo -n Setting up symlinks: 
-for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do
+for a in a2enmod a2dismod a2ensite a2dissite a2enconf a2disconf apache2ctl ; do
 	echo -n " $a-$SUFFIX"
 	ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX
 done
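Review bot: The two names added to the for list, a2enconf and a2disconf, pass through the same unquoted expansions as the existing ones in "ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX". Quote both arguments so that a SUFFIX value containing whitespace or glob characters cannot change which paths are linked. Also, ln -s without -f fails if the link already exists, so re-running the script for an instance created before this change will report errors for the five older links before creating the two new ones; consider ln -sf or an existence check.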


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On Sun, 2015-03-22 at 18:54 +0100, Moritz Muehlenhoff wrote:
> Please unblock package apache2. It fixes CVE-2015-0228.

Unblocked.

Regards,

Adam

--- End Message ---
