[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#912770: stretch-pu: package apache2/2.4.25-3+deb9u6



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

please review apache2/2.4.25-3+deb9u6 for inclusion into the next
stretch point release. Here is the changelog:

* CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
* CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
  Closes: #909591
* mod_proxy_fcgi: Fix segfault. Closes: #902906

Debdiff is attached.

Cheers,
Stefan
diff -Nru apache2-2.4.25/debian/changelog apache2-2.4.25/debian/changelog
--- apache2-2.4.25/debian/changelog	2018-06-02 10:01:13.000000000 +0200
+++ apache2-2.4.25/debian/changelog	2018-11-03 19:46:19.000000000 +0100
@@ -1,3 +1,12 @@
+apache2 (2.4.25-3+deb9u6) stretch; urgency=medium
+
+  * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
+  * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
+    Closes: #909591
+  * mod_proxy_fcgi: Fix segfault. Closes: #902906
+
+ -- Stefan Fritsch <sf@debian.org>  Sat, 03 Nov 2018 19:46:19 +0100
+
 apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
 
   * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This
diff -Nru apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
--- apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff	2018-11-03 19:45:38.000000000 +0100
@@ -0,0 +1,458 @@
+# https://svn.apache.org/viewvc?view=revision&revision=1840757
+# CVE-2018-11763
+--- apache2.orig/modules/http2/h2_session.c
++++ apache2/modules/http2/h2_session.c
+@@ -235,6 +235,7 @@ static int on_data_chunk_recv_cb(nghttp2
+     stream = h2_session_stream_get(session, stream_id);
+     if (stream) {
+         status = h2_stream_recv_DATA(stream, flags, data, len);
++        dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream data rcvd");
+     }
+     else {
+         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03064)
+@@ -317,9 +318,9 @@ static int on_header_cb(nghttp2_session
+ }
+ 
+ /**
+- * nghttp2 session has received a complete frame. Most, it uses
+- * for processing of internal state. HEADER and DATA frames however
+- * we need to handle ourself.
++ * nghttp2 session has received a complete frame. Most are used by nghttp2
++ * for processing of internal state. Some, like HEADER and DATA frames,
++ * we need to act on.
+  */
+ static int on_frame_recv_cb(nghttp2_session *ng2s,
+                             const nghttp2_frame *frame,
+@@ -376,6 +377,9 @@ static int on_frame_recv_cb(nghttp2_sess
+                           "h2_stream(%ld-%d): WINDOW_UPDATE incr=%d", 
+                           session->id, (int)frame->hd.stream_id,
+                           frame->window_update.window_size_increment);
++            if (nghttp2_session_want_write(session->ngh2)) {
++                dispatch_event(session, H2_SESSION_EV_FRAME_RCVD, 0, "window update");
++            }
+             break;
+         case NGHTTP2_RST_STREAM:
+             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03067)
+@@ -402,6 +406,12 @@ static int on_frame_recv_cb(nghttp2_sess
+                                frame->goaway.error_code, NULL);
+             }
+             break;
++        case NGHTTP2_SETTINGS:
++            if (APLOGctrace2(session->c)) {
++                ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c,
++                              H2_SSSN_MSG(session, "SETTINGS, len=%ld"), (long)frame->hd.length);
++            }
++            break;
+         default:
+             if (APLOGctrace2(session->c)) {
+                 char buffer[256];
+@@ -413,7 +423,40 @@ static int on_frame_recv_cb(nghttp2_sess
+             }
+             break;
+     }
+-    return (APR_SUCCESS == rv)? 0 : NGHTTP2_ERR_PROTO;
++    
++    if (session->state == H2_SESSION_ST_IDLE) {
++        /* We received a frame, but session is in state IDLE. That means the frame
++         * did not really progress any of the (possibly) open streams. It was a meta
++         * frame, e.g. SETTINGS/WINDOW_UPDATE/unknown/etc.
++         * Remember: IDLE means we cannot send because either there are no streams open or
++         * all open streams are blocked on exhausted WINDOWs for outgoing data.
++         * The more frames we receive that do not change this, the less interested we
++         * become in serving this connection. This is expressed in increasing "idle_delays".
++         * Eventually, the connection will timeout and we'll close it. */
++        session->idle_frames = H2MIN(session->idle_frames + 1, session->frames_received);
++            ap_log_cerror( APLOG_MARK, APLOG_TRACE2, 0, session->c,
++                          H2_SSSN_MSG(session, "session has %ld idle frames"), 
++                          (long)session->idle_frames);
++        if (session->idle_frames > 10) {
++            apr_size_t busy_frames = H2MAX(session->frames_received - session->idle_frames, 1);
++            int idle_ratio = (int)(session->idle_frames / busy_frames); 
++            if (idle_ratio > 100) {
++                session->idle_delay = apr_time_from_msec(H2MIN(1000, idle_ratio));
++            }
++            else if (idle_ratio > 10) {
++                session->idle_delay = apr_time_from_msec(10);
++            }
++            else if (idle_ratio > 1) {
++                session->idle_delay = apr_time_from_msec(1);
++            }
++            else {
++                session->idle_delay = 0;
++            }
++        }
++    }
++    
++    if (APR_SUCCESS != rv) return NGHTTP2_ERR_PROTO;
++    return 0;
+ }
+ 
+ static int h2_session_continue_data(h2_session *session) {
+@@ -1600,23 +1643,57 @@ static void update_child_status(h2_sessi
+ 
+ static void transit(h2_session *session, const char *action, h2_session_state nstate)
+ {
++    apr_time_t timeout;
++    int ostate, loglvl;
++    const char *s;
++    
+     if (session->state != nstate) {
+-        int loglvl = APLOG_DEBUG;
+-        if ((session->state == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT)
+-            || (session->state == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){
++        ostate = session->state;
++        session->state = nstate;
++        
++        loglvl = APLOG_DEBUG;
++        if ((ostate == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT)
++            || (ostate == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){
+             loglvl = APLOG_TRACE1;
+         }
+         ap_log_cerror(APLOG_MARK, loglvl, 0, session->c, 
+                       H2_SSSN_LOG(APLOGNO(03078), session, 
+                       "transit [%s] -- %s --> [%s]"), 
+-                      h2_session_state_str(session->state), action, 
++                      h2_session_state_str(ostate), action, 
+                       h2_session_state_str(nstate));
+-        session->state = nstate;
++        
+         switch (session->state) {
+             case H2_SESSION_ST_IDLE:
+-                update_child_status(session, (session->open_streams == 0? 
+-                                              SERVER_BUSY_KEEPALIVE
+-                                              : SERVER_BUSY_READ), "idle");
++                if (!session->remote.emitted_count) {
++                    /* on fresh connections, with async mpm, do not return
++                     * to mpm for a second. This gives the first request a better
++                     * chance to arrive (und connection leaving IDLE state).
++                     * If we return to mpm right away, this connection has the
++                     * same chance of being cleaned up by the mpm as connections
++                     * that already served requests - not fair. */
++                    session->idle_sync_until = apr_time_now() + apr_time_from_sec(1);
++                    s = "timeout";
++                    timeout = H2MAX(session->s->timeout, session->s->keep_alive_timeout);
++                    update_child_status(session, SERVER_BUSY_READ, "idle");
++                    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, 
++                                  H2_SSSN_LOG("", session, "enter idle, timeout = %d sec"), 
++                                  (int)apr_time_sec(H2MAX(session->s->timeout, session->s->keep_alive_timeout)));
++                }
++                else if (session->open_streams) {
++                    s = "timeout";
++                    timeout = session->s->keep_alive_timeout;
++                    update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle");
++                }
++                else {
++                    /* normal keepalive setup */
++                    s = "keepalive";
++                    timeout = session->s->keep_alive_timeout;
++                    update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle");
++                }
++                session->idle_until = apr_time_now() + timeout; 
++                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, 
++                              H2_SSSN_LOG("", session, "enter idle, %s = %d sec"), 
++                              s, (int)apr_time_sec(timeout));
+                 break;
+             case H2_SESSION_ST_DONE:
+                 update_child_status(session, SERVER_CLOSING, "done");
+@@ -1723,8 +1800,6 @@ static void h2_session_ev_no_io(h2_sessi
+                      * This means we only wait for WINDOW_UPDATE from the 
+                      * client and can block on READ. */
+                     transit(session, "no io (flow wait)", H2_SESSION_ST_IDLE);
+-                    session->idle_until = apr_time_now() + session->s->timeout;
+-                    session->keep_sync_until = session->idle_until;
+                     /* Make sure we have flushed all previously written output
+                      * so that the client will react. */
+                     if (h2_conn_io_flush(&session->io) != APR_SUCCESS) {
+@@ -1735,12 +1810,7 @@ static void h2_session_ev_no_io(h2_sessi
+             }
+             else if (session->local.accepting) {
+                 /* When we have no streams, but accept new, switch to idle */
+-                apr_time_t now = apr_time_now();
+                 transit(session, "no io (keepalive)", H2_SESSION_ST_IDLE);
+-                session->idle_until = (session->remote.emitted_count? 
+-                                       session->s->keep_alive_timeout : 
+-                                       session->s->timeout) + now;
+-                session->keep_sync_until = now + apr_time_from_sec(1);
+             }
+             else {
+                 /* We are no longer accepting new streams and there are
+@@ -1755,12 +1825,25 @@ static void h2_session_ev_no_io(h2_sessi
+     }
+ }
+ 
+-static void h2_session_ev_data_read(h2_session *session, int arg, const char *msg)
++static void h2_session_ev_frame_rcvd(h2_session *session, int arg, const char *msg)
++{
++    switch (session->state) {
++        case H2_SESSION_ST_IDLE:
++        case H2_SESSION_ST_WAIT:
++            transit(session, "frame received", H2_SESSION_ST_BUSY);
++            break;
++        default:
++            /* nop */
++            break;
++    }
++}
++
++static void h2_session_ev_stream_change(h2_session *session, int arg, const char *msg)
+ {
+     switch (session->state) {
+         case H2_SESSION_ST_IDLE:
+         case H2_SESSION_ST_WAIT:
+-            transit(session, "data read", H2_SESSION_ST_BUSY);
++            transit(session, "stream change", H2_SESSION_ST_BUSY);
+             break;
+         default:
+             /* nop */
+@@ -1800,16 +1883,6 @@ static void h2_session_ev_pre_close(h2_s
+ static void ev_stream_open(h2_session *session, h2_stream *stream)
+ {
+     h2_iq_append(session->in_process, stream->id);
+-    switch (session->state) {
+-        case H2_SESSION_ST_IDLE:
+-            if (session->open_streams == 1) {
+-                /* enter timeout, since we have a stream again */
+-                session->idle_until = (session->s->timeout + apr_time_now());
+-            }
+-            break;
+-        default:
+-            break;
+-    }
+ }
+ 
+ static void ev_stream_closed(h2_session *session, h2_stream *stream)
+@@ -1822,11 +1895,6 @@ static void ev_stream_closed(h2_session
+     }
+     switch (session->state) {
+         case H2_SESSION_ST_IDLE:
+-            if (session->open_streams == 0) {
+-                /* enter keepalive timeout, since we no longer have streams */
+-                session->idle_until = (session->s->keep_alive_timeout
+-                                       + apr_time_now());
+-            }
+             break;
+         default:
+             break;
+@@ -1884,6 +1952,7 @@ static void on_stream_state_enter(void *
+         default:
+             break;
+     }
++    dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream state change");
+ }
+ 
+ static void on_stream_event(void *ctx, h2_stream *stream, 
+@@ -1942,8 +2011,8 @@ static void dispatch_event(h2_session *s
+         case H2_SESSION_EV_NO_IO:
+             h2_session_ev_no_io(session, arg, msg);
+             break;
+-        case H2_SESSION_EV_DATA_READ:
+-            h2_session_ev_data_read(session, arg, msg);
++        case H2_SESSION_EV_FRAME_RCVD:
++            h2_session_ev_frame_rcvd(session, arg, msg);
+             break;
+         case H2_SESSION_EV_NGH2_DONE:
+             h2_session_ev_ngh2_done(session, arg, msg);
+@@ -1954,6 +2023,9 @@ static void dispatch_event(h2_session *s
+         case H2_SESSION_EV_PRE_CLOSE:
+             h2_session_ev_pre_close(session, arg, msg);
+             break;
++        case H2_SESSION_EV_STREAM_CHANGE:
++            h2_session_ev_stream_change(session, arg, msg);
++            break;
+         default:
+             ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
+                           H2_SSSN_MSG(session, "unknown event %d"), ev);
+@@ -1987,13 +2059,15 @@ apr_status_t h2_session_process(h2_sessi
+     apr_status_t status = APR_SUCCESS;
+     conn_rec *c = session->c;
+     int rv, mpm_state, trace = APLOGctrace3(c);
+-
++    apr_time_t now;
++    
+     if (trace) {
+         ap_log_cerror( APLOG_MARK, APLOG_TRACE3, status, c,
+                       H2_SSSN_MSG(session, "process start, async=%d"), async);
+     }
+                   
+     while (session->state != H2_SESSION_ST_DONE) {
++        now = apr_time_now();
+         session->have_read = session->have_written = 0;
+ 
+         if (session->local.accepting 
+@@ -2031,39 +2105,42 @@ apr_status_t h2_session_process(h2_sessi
+                 break;
+                 
+             case H2_SESSION_ST_IDLE:
+-                /* We trust our connection into the default timeout/keepalive
+-                 * handling of the core filters/mpm iff:
+-                 * - keep_sync_until is not set
+-                 * - we have an async mpm
+-                 * - we have no open streams to process
+-                 * - we are not sitting on a Upgrade: request
+-                 * - we already have seen at least one request
+-                 */
+-                if (!session->keep_sync_until && async && !session->open_streams
+-                    && !session->r && session->remote.emitted_count) {
++                if (session->idle_until && (apr_time_now() + session->idle_delay) > session->idle_until) {
++                    ap_log_cerror( APLOG_MARK, APLOG_TRACE1, status, c,
++                                  H2_SSSN_MSG(session, "idle, timeout reached, closing"));
++                    if (session->idle_delay) {
++                        apr_table_setn(session->c->notes, "short-lingering-close", "1"); 
++                    }
++                    dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout");
++                    goto out;
++                }
++                
++                if (session->idle_delay) {
++                    /* we are less interested in spending time on this connection */
++                    ap_log_cerror( APLOG_MARK, APLOG_TRACE2, status, c,
++                                  H2_SSSN_MSG(session, "session is idle (%ld ms), idle wait %ld sec left"), 
++                                  (long)apr_time_as_msec(session->idle_delay),
++                                  (long)apr_time_sec(session->idle_until - now));
++                    apr_sleep(session->idle_delay);
++                    session->idle_delay = 0;
++                }
++
++                h2_conn_io_flush(&session->io);
++                if (async && !session->r && (now > session->idle_sync_until)) {
+                     if (trace) {
+                         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+                                       H2_SSSN_MSG(session, 
+                                       "nonblock read, %d streams open"), 
+                                       session->open_streams);
+                     }
+-                    h2_conn_io_flush(&session->io);
+                     status = h2_session_read(session, 0);
+                     
+                     if (status == APR_SUCCESS) {
+                         session->have_read = 1;
+-                        dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
+                     }
+-                    else if (APR_STATUS_IS_EAGAIN(status) 
+-                        || APR_STATUS_IS_TIMEUP(status)) {
+-                        if (apr_time_now() > session->idle_until) {
+-                            dispatch_event(session, 
+-                                           H2_SESSION_EV_CONN_TIMEOUT, 0, NULL);
+-                        }
+-                        else {
+-                            status = APR_EAGAIN;
+-                            goto out;
+-                        }
++                    else if (APR_STATUS_IS_EAGAIN(status) || APR_STATUS_IS_TIMEUP(status)) {
++                        status = APR_EAGAIN;
++                        goto out;
+                     }
+                     else {
+                         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
+@@ -2075,7 +2152,6 @@ apr_status_t h2_session_process(h2_sessi
+                 }
+                 else {
+                     /* make certain, we send everything before we idle */
+-                    h2_conn_io_flush(&session->io);
+                     if (trace) {
+                         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+                                       H2_SSSN_MSG(session, 
+@@ -2087,7 +2163,6 @@ apr_status_t h2_session_process(h2_sessi
+                      */
+                     status = h2_mplx_idle(session->mplx);
+                     if (status == APR_EAGAIN) {
+-                        dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
+                         break;
+                     }
+                     else if (status != APR_SUCCESS) {
+@@ -2098,33 +2173,11 @@ apr_status_t h2_session_process(h2_sessi
+                     status = h2_session_read(session, 1);
+                     if (status == APR_SUCCESS) {
+                         session->have_read = 1;
+-                        dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
+                     }
+                     else if (status == APR_EAGAIN) {
+                         /* nothing to read */
+                     }
+                     else if (APR_STATUS_IS_TIMEUP(status)) {
+-                        apr_time_t now = apr_time_now();
+-                        if (now > session->keep_sync_until) {
+-                            /* if we are on an async mpm, now is the time that
+-                             * we may dare to pass control to it. */
+-                            session->keep_sync_until = 0;
+-                        }
+-                        if (now > session->idle_until) {
+-                            if (trace) {
+-                                ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+-                                              H2_SSSN_MSG(session, 
+-                                              "keepalive timeout"));
+-                            }
+-                            dispatch_event(session, 
+-                                           H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout");
+-                        }
+-                        else if (trace) {                        
+-                            ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
+-                                          H2_SSSN_MSG(session, 
+-                                          "keepalive, %f sec left"),
+-                                          (session->idle_until - now) / 1000000.0f);
+-                        }
+                         /* continue reading handling */
+                     }
+                     else if (APR_STATUS_IS_ECONNABORTED(status)
+@@ -2142,6 +2195,18 @@ apr_status_t h2_session_process(h2_sessi
+                         dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 0, "error");
+                     }
+                 }
++                if (nghttp2_session_want_write(session->ngh2)) {
++                    ap_update_child_status(session->c->sbh, SERVER_BUSY_WRITE, NULL);
++                    status = h2_session_send(session);
++                    if (status == APR_SUCCESS) {
++                        status = h2_conn_io_flush(&session->io);
++                    }
++                    if (status != APR_SUCCESS) {
++                        dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 
++                                       H2_ERR_INTERNAL_ERROR, "writing");
++                        break;
++                    }
++                }
+                 break;
+                 
+             case H2_SESSION_ST_BUSY:
+@@ -2151,7 +2216,6 @@ apr_status_t h2_session_process(h2_sessi
+                     status = h2_session_read(session, 0);
+                     if (status == APR_SUCCESS) {
+                         session->have_read = 1;
+-                        dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
+                     }
+                     else if (status == APR_EAGAIN) {
+                         /* nothing to read */
+@@ -2215,7 +2279,7 @@ apr_status_t h2_session_process(h2_sessi
+                                              session->iowait);
+                 if (status == APR_SUCCESS) {
+                     session->wait_us = 0;
+-                    dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
++                        dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, NULL);
+                 }
+                 else if (APR_STATUS_IS_TIMEUP(status)) {
+                     /* go back to checking all inputs again */
+--- apache2.orig/modules/http2/h2_session.h
++++ apache2/modules/http2/h2_session.h
+@@ -66,10 +66,11 @@ typedef enum {
+     H2_SESSION_EV_PROTO_ERROR,      /* protocol error */
+     H2_SESSION_EV_CONN_TIMEOUT,     /* connection timeout */
+     H2_SESSION_EV_NO_IO,            /* nothing has been read or written */
+-    H2_SESSION_EV_DATA_READ,        /* connection data has been read */
++    H2_SESSION_EV_FRAME_RCVD,       /* a frame has been received */
+     H2_SESSION_EV_NGH2_DONE,        /* nghttp2 wants neither read nor write anything */
+     H2_SESSION_EV_MPM_STOPPING,     /* the process is stopping */
+     H2_SESSION_EV_PRE_CLOSE,        /* connection will close after this */
++    H2_SESSION_EV_STREAM_CHANGE,    /* a stream (state/input/output) changed */
+ } h2_session_event_t;
+ 
+ typedef struct h2_session {
+@@ -118,7 +119,9 @@ typedef struct h2_session {
+     apr_size_t max_stream_mem;      /* max buffer memory for a single stream */
+     
+     apr_time_t idle_until;          /* Time we shut down due to sheer boredom */
+-    apr_time_t keep_sync_until;     /* Time we sync wait until passing to async mpm */
++    apr_time_t idle_sync_until;     /* Time we sync wait until keepalive handling kicks in */
++    apr_size_t idle_frames;         /* number of rcvd frames that kept session in idle state */
++    apr_interval_time_t idle_delay; /* Time we delay processing rcvd frames in idle state */
+     
+     apr_bucket_brigade *bbtmp;      /* brigade for keeping temporary data */
+     struct apr_thread_cond_t *iowait; /* our cond when trywaiting for data */
diff -Nru apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff
--- apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff	2018-11-03 19:06:06.000000000 +0100
@@ -0,0 +1,29 @@
+# https://svn.apache.org/viewvc?view=revision&revision=1832487
+# CVE-2018-1333
+--- apache2.orig/modules/http2/h2_bucket_beam.c
++++ apache2/modules/http2/h2_bucket_beam.c
+@@ -550,6 +550,7 @@ static void recv_buffer_cleanup(h2_bucke
+         apr_brigade_destroy(bb);
+         if (bl) enter_yellow(beam, bl);
+         
++        apr_thread_cond_broadcast(beam->change);
+         if (beam->cons_ev_cb) { 
+             beam->cons_ev_cb(beam->cons_ctx, beam);
+         }
+@@ -707,12 +708,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
+     h2_beam_lock bl;
+     
+     if (beam && enter_yellow(beam, &bl) == APR_SUCCESS) {
+-        if (!beam->aborted) {
+-            beam->aborted = 1;
+-            r_purge_sent(beam);
+-            h2_blist_cleanup(&beam->send_list);
+-            report_consumption(beam, &bl);
+-        }
++        beam->aborted = 1;
++        r_purge_sent(beam);
++        h2_blist_cleanup(&beam->send_list);
++        report_consumption(beam, &bl);
+         apr_thread_cond_broadcast(beam->change);
+         leave_yellow(beam, &bl);
+     }
diff -Nru apache2-2.4.25/debian/patches/fcgi_crash.diff apache2-2.4.25/debian/patches/fcgi_crash.diff
--- apache2-2.4.25/debian/patches/fcgi_crash.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.25/debian/patches/fcgi_crash.diff	2018-11-03 15:29:50.000000000 +0100
@@ -0,0 +1,37 @@
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906
+# https://bz.apache.org/bugzilla/show_bug.cgi?id=60275
+# https://svn.apache.org/r1778050
+--- apache2.orig/server/util_fcgi.c
++++ apache2/server/util_fcgi.c
+@@ -153,7 +153,7 @@ AP_DECLARE(apr_size_t) ap_fcgi_encoded_e
+ 
+         envlen += keylen;
+ 
+-        vallen = strlen(elts[i].val);
++        vallen = elts[i].val ? strlen(elts[i].val) : 0;
+ 
+         if (vallen >> 7 == 0) {
+             envlen += 1;
+@@ -226,7 +226,7 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_
+             buflen -= 4;
+         }
+ 
+-        vallen = strlen(elts[i].val);
++        vallen = elts[i].val ? strlen(elts[i].val) : 0;
+ 
+         if (vallen >> 7 == 0) {
+             if (buflen < 1) {
+@@ -262,8 +262,11 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_
+             rv = APR_ENOSPC; /* overflow */
+             break;
+         }
+-        memcpy(itr, elts[i].val, vallen);
+-        itr += vallen;
++
++        if (elts[i].val) {
++            memcpy(itr, elts[i].val, vallen);
++            itr += vallen;
++        }
+ 
+         if (buflen == vallen) {
+             (*starting_elem)++;
diff -Nru apache2-2.4.25/debian/patches/series apache2-2.4.25/debian/patches/series
--- apache2-2.4.25/debian/patches/series	2018-06-02 09:48:33.000000000 +0200
+++ apache2-2.4.25/debian/patches/series	2018-11-03 19:42:40.000000000 +0100
@@ -27,3 +27,6 @@
 mod_http2-upgrade-to-2.4.33.diff
 mod_http2-revert-new-proxy-features.diff
 mod_http2_mem_usage_32bit.diff
+fcgi_crash.diff
+CVE-2018-1333-mod_http2_DoS.diff
+CVE-2018-11763-mod_http2_DoS-SETTINGS.diff

Reply to: