
Bug#989683: unblock: apache2/2.4.46-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org

Please unblock package apache2

[ Reason ]
Apache2 is vulnerable to a denial of service due to a NULL pointer
dereference on a specially crafted HTTP/2 request (#989562,
CVE-2021-31618)

[ Impact ]
Denial of service

[ Tests ]
No new test

[ Risks ]
Patch is really trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock apache2/2.4.46-5
diff --git a/debian/changelog b/debian/changelog
index 8a02325f..7ddeb00a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.4.46-5) unstable; urgency=medium
+
+  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+    (Closes: #989562, CVE-2021-31618)
+
+ -- Yadd <yadd@debian.org>  Thu, 10 Jun 2021 11:57:38 +0200
+
 apache2 (2.4.46-4) unstable; urgency=medium
 
   * Ignore other random another test failures (Closes: #979664)
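Review bot: the new 2.4.46-5 entry does not name the file it adds, so a reader of the changelog cannot tell where the fix lives without opening the debdiff. Mentioning debian/patches/CVE-2021-31618.patch and that it comes from upstream would fix that. The CVE id also sits inside the "Closes:" list next to the bug number; keeping "Closes: #989562" on its own and citing CVE-2021-31618 separately reads more clearly.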
diff --git a/debian/patches/CVE-2021-31618.patch b/debian/patches/CVE-2021-31618.patch
new file mode 100644
index 00000000..12d59c8b
--- /dev/null
+++ b/debian/patches/CVE-2021-31618.patch
@@ -0,0 +1,20 @@
+Description: fix NULL pointer dereference on specially crafted HTTP/2 request
+Author: Upstream
+Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
+Bug-Debian: https://bugs.debian.org/989562
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/http2/h2_stream.c
++++ b/modules/http2/h2_stream.c
+@@ -638,7 +638,7 @@
+ 
+ static void set_error_response(h2_stream *stream, int http_status)
+ {
+-    if (!h2_stream_is_ready(stream)) {
++    if (!h2_stream_is_ready(stream) && stream->rtmp) {
+         conn_rec *c = stream->session->c;
+         apr_bucket *b;
+         h2_headers *response;
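Review bot: in the embedded h2_stream.c hunk, the added "&& stream->rtmp" test makes set_error_response() skip the whole block when stream->rtmp is NULL, so no error response is set for that stream, and the patch header does not say that this is the intended outcome. The Description only states that a NULL pointer dereference is fixed; a sentence naming stream->rtmp as the pointer and explaining why skipping the response is correct would help later reviewers. "Author: Upstream" could also cite the upstream revision already present in the Origin URL (1889759), and the unblock request lists no new test, so a note on how the fix was verified would be worth adding.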
diff --git a/debian/patches/series b/debian/patches/series
index 20bc4b61..8dfa2af8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ tlsv13-add-logno.diff
 # This patch is applied manually
 #suexec-custom.patch
 spelling-errors.diff
+CVE-2021-31618.patch
