CVE-2007-3847: apache2 denial of service vulnerability (for threaded MPMs) in mod_proxy

Related Vulnerabilities: CVE-2007-3847  

Debian Bug report logs - #441845


Reported by: Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>

Date: Tue, 11 Sep 2007 12:54:01 UTC

Severity: important

Tags: etch, sarge, security

Found in versions apache2/2.0.54-5, apache2/2.2.3-4

Fixed in versions apache2/2.2.6-1, 2.2.6-1, apache2/2.2.3-4+etch4

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#441845; Package apache2.


Acknowledgement sent to Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>
To: submit@bugs.debian.org
Subject: Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.
Date: Tue, 11 Sep 2007 14:48:09 +0200
Package: apache2
Severity: critical
Justification: root security hole
Tags: security

*** Please type your report below this line ***

A security hole has been disclosed on the Apache web site.
http://httpd.apache.org/security/vulnerabilities_22.html

Although it is disclosed as a denial of service, it seems
to involve a buffer overflow, and thus allow remote code
execution under the apache account. I can confirm, from
attacks in systems of a customer, that this is actually the case.

As I have not seen any security upgrade from 4th of september,
date of the disclosure, I request this issue to be fixed.


Ramon Garcia
Systems Administrator
ramon.garcia@kotasoft.com
http://www.kotasoft.com

-- System Information:
Debian Release: 4.0
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-vserver-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)





Reply sent to Lars Eilebrecht <lars@apache.org>:
You have taken responsibility.


Notification sent to Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>:
Bug acknowledged by developer.


Message #10 received at 441845-done@bugs.debian.org:

From: Lars Eilebrecht <lars@apache.org>
To: 441845-done@bugs.debian.org
Subject: invalid bug report
Date: Tue, 11 Sep 2007 18:53:30 +0200
On behalf of the Apache Security Team I suggest that this bug report
is closed as invalid.

According to further information provided by the original submitter
to the Apache Security Team, there is no evidence that the proxy crash
bug (CVE-2007-3847) could lead to a root exploit. Actually, there
seems to be no evidence at all that the server to which the original
submitter was referring was compromised.


Of course we recommend that Debian updates their Apache packages to the
newest versions available from the ASF, but the proxy crash bug only
has a moderate severity.

--snip--

moderate: mod_proxy crash CVE-2007-3847

A flaw was found in the Apache HTTP Server mod_proxy module. On sites
where a reverse proxy is configured, a remote attacker could send a
carefully crafted request that would cause the Apache child process handling
that request to crash. On sites where a forward proxy is configured, an
attacker could cause a similar crash if a user could be persuaded to visit a
malicious site using the proxy. This could lead to a denial of service if
using a threaded Multi-Processing Module.

Update Released: 7th September 2007
Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0

--snip--


Best Regards
-- 
Lars Eilebrecht   -   The Apache Software Foundation
lars@apache.org   -   Apache Security Team





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#441845; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #15 received at 441845@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>, 441845@bugs.debian.org
Subject: Re: Bug#441845: Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.
Date: Tue, 11 Sep 2007 19:03:57 +0200
Hi,

On Tuesday 11 September 2007, Ramon Garcia Fernandez wrote:
> Although it is disclosed as a denial of service, it seems
> to involve a buffer overflow, and thus allow remote code
> execution under the apache account. I can confirm, from
> attacks in systems of a customer, that this is actually the case.

This is a buffer over-read [1]. With some crafted header, apache will 
read beyond the end of the header, possibly into a region where no 
memory is allocated. This would result in a segmentation fault and 
crash of the process.

The crafted header needs to come from the Server, not from the client. 
Therefore this will not affect most reverse proxy configurations, 
since usually the server behind a reverse proxy is trusted.

Cheers,
Stefan

[1] http://marc.info/?l=apache-httpd-dev&m=118595556504202&w=2

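Added example, not code from the bug report, Apache or Debian: a header parser written so that the over-read Stefan describes cannot happen. It assumes a fixed-width header format (the RFC 1123 date layout is used purely as an illustration; the page does not say which header mod_proxy mis-parsed) and verifies the value's length and shape before any fixed-offset read, so a short or malformed value coming from an untrusted origin server is rejected instead of being read past its end. Function names are hypothetical.

```c
/* Illustrative example, not Apache's code.  A parser that indexes a header
 * value at fixed offsets must first prove the value has the expected length;
 * otherwise a short value sends the reads beyond the buffer (a buffer
 * over-read), which under a threaded MPM takes the whole process down. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define RFC1123_LEN 29   /* e.g. "Sun, 06 Nov 1994 08:49:37 GMT" */

/* Returns 1 if hdr (n bytes, need not be NUL-terminated) is exactly an
 * RFC 1123 date, 0 otherwise.  The length check comes first, so every
 * later index is known to lie inside hdr[0..n-1]. */
static int date_header_well_formed(const char *hdr, size_t n)
{
    /* A = letter, D = digit, anything else must match literally. */
    static const char layout[] = "AAA, DD AAA DDDD DD:DD:DD GMT";
    if (n != RFC1123_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hdr[i];
        switch (layout[i]) {
        case 'A': if (!isalpha(c)) return 0; break;
        case 'D': if (!isdigit(c)) return 0; break;
        default:  if (c != (unsigned char)layout[i]) return 0; break;
        }
    }
    return 1;
}

/* Reads the year at offsets 12..15, but only after the shape check passed.
 * Without that check a 16-byte value such as "Sun, 06 Nov 1994" would be
 * read past its end.  Returns -1 for anything that is not a full date. */
int date_header_year(const char *hdr, size_t n)
{
    if (!date_header_well_formed(hdr, n))
        return -1;
    return (hdr[12] - '0') * 1000 + (hdr[13] - '0') * 100
         + (hdr[14] - '0') * 10   + (hdr[15] - '0');
}

/* Convenience wrapper for NUL-terminated header values. */
int date_header_year_str(const char *s)
{
    return date_header_year(s, strlen(s));
}
```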
Severity set to `important' from `critical'. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2007 17:15:01 GMT)


Bug marked as found in version 2.0.54-5 and reopened. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2007 17:15:02 GMT)


Bug marked as found in version 2.2.3-4. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2007 17:15:03 GMT)


Bug marked as fixed in version 2.2.6-1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2007 17:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#441845; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #28 received at 441845@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>
Cc: 441845@bugs.debian.org
Subject: Re: Bug#441845: Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.
Date: Tue, 11 Sep 2007 19:14:58 +0200
On Tuesday 11 September 2007, Stefan Fritsch wrote:
> On Tuesday 11 September 2007, Ramon Garcia Fernandez wrote:
> > Although it is disclosed as a denial of service, it seems
> > to involve a buffer overflow, and thus allow remote code
> > execution under the apache account. I can confirm, from
> > attacks in systems of a customer, that this is actually the case.
>
> This is a buffer over-read [1]. With some crafted header, apache
> will read beyond the end of the header, possibly into a region
> where no memory is allocated. This would result in a segmentation
> fault and crash of the process.

To clarify further: this does not allow execution of arbitrary code. If 
you had an intrusion, you should look for another vulnerability.

Cheers,
Stefan

Changed Bug title to `CVE-2007-3847: apache2 denial of service vulnerability (for threaded MPMs) in mod_proxy' from `Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.'. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2007 17:21:07 GMT)


Tags added: etch. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sun, 16 Sep 2007 19:42:02 GMT)


Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility.


Notification sent to Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>:
Bug acknowledged by developer.


Message #37 received at 441845-done@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 441845-done@bugs.debian.org
Subject: fixed in 2.2.6-1
Date: Sun, 16 Sep 2007 21:33:38 +0200
Version: 2.2.6-1

This was fixed in 2.2.6-1.




Tags added: sarge. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 19 Sep 2007 20:51:10 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility.


Notification sent to Ramon Garcia Fernandez <ramon.garcia@kotasoft.com>:
Bug acknowledged by developer.


Message #44 received at 441845-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 441845-close@bugs.debian.org
Subject: Bug#441845: fixed in apache2 2.2.3-4+etch4
Date: Sat, 22 Sep 2007 19:56:18 +0000
Source: apache2
Source-Version: 2.2.3-4+etch4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441845@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 15 Sep 2007 11:33:58 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 441845 443196
Changes: 
 apache2 (2.2.3-4+etch4) stable; urgency=low
 .
   * fix CVE-2007-3847: DoS in mod_proxy (for threaded MPMs)
     (Closes: #441845)
   * Don't eat all memory on graceful restart when config has changed
     from many listening sockets to one (Closes: #443196)
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 Oct 2007 07:27:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:55 2019; Machine Name: buxtehude
