apache2.2-common: DOS possible with mod_deflate

Debian Bug report logs - #534712
apache2.2-common: DOS possible with mod_deflate

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: François Guerraz <kubrick@fgv6.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: apache2.2-common: DOS possible with mod_deflate

Date: Fri, 26 Jun 2009 17:23:16 +0200

Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security

There is a bug in mod_deflate that can lead to a DOS with a very small
network traffic.

The problem is the following : when downloading a file with mod_deflate
enabled and aborting the connexion before the end, mod_deflate will take
100% of a CPU and finish to compress the file for nothing.

Even with a not-so-big file (a few dozen of MB), it is possible to
"lock" apache by opening simultaneous request on this file and abort the
connexion very soon, as the
file will be compressed multiple times in parallel, it will make
compression times grow and keep the threads busy for a while.

The problem arises because mod_deflate doesn't check if the connexion is
aborted and goes on whatever happen.

The following patch fixes the problem, but at reading the code, I guess
that the inflate function is also impacted.

Best regards,

François


--- mod_deflate.c	2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new	2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@
             continue;
         }

+	if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
+
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);



-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation perl php5 python setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime
Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime
Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination
library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2
init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' &
'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical
Extraction
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.23     simple debconf wrapper for
OpenSSL

Versions of packages apache2.2-common suggests:
ii  apache2-doc              2.2.9-10+lenny3 Apache HTTP Server
documentation
pn  apache2-suexec | apache2 <none>          (no description available)
ii  dillo [www-browser]      0.8.6-3         Small and fast web browser
ii  elinks [www-browser]     0.11.4-3        advanced text-mode WWW browser
ii  epiphany-gecko [www-brow 2.22.3-9        Intuitive GNOME web browser
- Geck
ii  iceape-browser [www-brow 1.1.14-1        Iceape Navigator (Internet
browser
ii  iceweasel [www-browser]  3.0.6-1         lightweight web browser
based on M
ii  w3m [www-browser]        0.5.2-2+b1      WWW browsable pager with
excellent

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event        <none>          (no description available)
pn  apache2-mpm-itk          <none>          (no description available)
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server -
traditional n
pn  apache2-mpm-worker       <none>          (no description available)

-- no debconf information

Message #10 received at 534712@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@canonical.com>

To: 534712@bugs.debian.org

Subject: Re: apache2.2-common: DOS possible with mod_deflate

Date: Thu, 09 Jul 2009 14:50:27 -0400

This is CVE-2009-1891:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

Upstream patch:

http://svn.apache.org/viewvc?view=rev&revision=791454

Message #15 received at 534712-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 534712-close@bugs.debian.org

Subject: Bug#534712: fixed in apache2 2.2.11-7

Date: Fri, 10 Jul 2009 21:32:30 +0000

Source: apache2
Source-Version: 2.2.11-7

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.11-7_i386.deb
apache2-doc_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.11-7_all.deb
apache2-mpm-event_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.11-7_all.deb
apache2-mpm-prefork_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.11-7_all.deb
apache2-mpm-worker_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.11-7_all.deb
apache2-prefork-dev_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.11-7_i386.deb
apache2-src_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2-src_2.2.11-7_all.deb
apache2-suexec-custom_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-suexec-custom_2.2.11-7_i386.deb
apache2-suexec_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-suexec_2.2.11-7_i386.deb
apache2-threaded-dev_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.11-7_i386.deb
apache2-utils_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.11-7_i386.deb
apache2.2-bin_2.2.11-7_i386.deb
  to pool/main/a/apache2/apache2.2-bin_2.2.11-7_i386.deb
apache2.2-common_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2.2-common_2.2.11-7_all.deb
apache2_2.2.11-7.diff.gz
  to pool/main/a/apache2/apache2_2.2.11-7.diff.gz
apache2_2.2.11-7.dsc
  to pool/main/a/apache2/apache2_2.2.11-7.dsc
apache2_2.2.11-7_all.deb
  to pool/main/a/apache2/apache2_2.2.11-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 10 Jul 2009 22:42:57 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.11-7
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 534712 535849
Changes: 
 apache2 (2.2.11-7) unstable; urgency=low
 .
   * Security fixes:
     - CVE-2009-1890: denial of service in mod_proxy
     - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
   * Add symlinks for the debug info to the mpm packages.
   * Be slightly more informative in the default index.html without pointing
     to Apache or Debian (LP: #89364)
   * Remove dependency on net-tools, which is no longer necessary
     (closes: #535849)
   * Bump Standards-Version (no changes)
Checksums-Sha1: 
 89ee0a8edf86a4db88d5c8a1bbe695896159fadd 1670 apache2_2.2.11-7.dsc
 3f452bc15966b5309b91d3e3f78074569b2258b0 139798 apache2_2.2.11-7.diff.gz
 d95c98e372e7808b7a1ffa84890a4a621ada320f 1091360 apache2.2-bin_2.2.11-7_i386.deb
 86d1e5eede7a51fced49759d868583ff46fccd5d 146464 apache2-utils_2.2.11-7_i386.deb
 f4c1ad754f4ac9c3b1b7e8ccf7d522a4cf9ed26b 85478 apache2-suexec_2.2.11-7_i386.deb
 910a8d013494c9bcade8476e385c5efa68c635f4 87060 apache2-suexec-custom_2.2.11-7_i386.deb
 ab5722c125c7b6870a3c946d965340244a3a9c02 137744 apache2-prefork-dev_2.2.11-7_i386.deb
 98368d3d85c8e14bddbfa2cb3c5e975c69c69f31 138910 apache2-threaded-dev_2.2.11-7_i386.deb
 9f6f3361505256a211f91544f426ce2c890fa5aa 2288502 apache2-dbg_2.2.11-7_i386.deb
 f6850a8a5bf9a29329ae73d5c76681e8e496b29f 269946 apache2.2-common_2.2.11-7_all.deb
 cc7033a9b811f7ec825d1674da59122a1ac21209 2258 apache2-mpm-worker_2.2.11-7_all.deb
 d8c776c1838016dcd8b743bfe323a481ea366443 2322 apache2-mpm-prefork_2.2.11-7_all.deb
 cdca3dcf3ba670b6b77a904811a506fccf39a04c 2292 apache2-mpm-event_2.2.11-7_all.deb
 d3a0118a9a8a34b0a2c500bd4b840bafc0569ad4 1372 apache2_2.2.11-7_all.deb
 67c48523bdf7ac251dc5aff69998fc9ec5ec5c76 2227630 apache2-doc_2.2.11-7_all.deb
 3d50155ea00e516b5fb89c780d096418ac569942 6948660 apache2-src_2.2.11-7_all.deb
Checksums-Sha256: 
 6977a6adf3754bdbdfb3257b54dce966b151905c40c6e43e155799a9aaa59b54 1670 apache2_2.2.11-7.dsc
 cc7470730b1fc3afd93111df810723af9340949d45887dfbdc3ff3879bc696fd 139798 apache2_2.2.11-7.diff.gz
 4c2a07172980736564f860168ac0cbaae1b66ca8655aacda94807cb909d6db3e 1091360 apache2.2-bin_2.2.11-7_i386.deb
 9f02ded28e9f9ad02c4ca353fa8c727b6c804e99ac33d299d4a55bfed37634ce 146464 apache2-utils_2.2.11-7_i386.deb
 7fc417d68cf8f9514fa08830944bd354e6b7e415b061cf7dfcb1001216bbeb5b 85478 apache2-suexec_2.2.11-7_i386.deb
 251fa28a9c71c8cc15ef20a1261de24abef8b289ff5a549205a2b2a70f437ff5 87060 apache2-suexec-custom_2.2.11-7_i386.deb
 1c170541272ce1072b1f2eda170c715d938fd54ebcbda5185f7d52d426bcae21 137744 apache2-prefork-dev_2.2.11-7_i386.deb
 f96be7da7f83281db63f92ffe0cdb7939c6992a774dd1256e46077d834ddce1b 138910 apache2-threaded-dev_2.2.11-7_i386.deb
 0c85c7d98cd35330dbea84a58e65c4a5f001580983acaed8fb40a040bf327075 2288502 apache2-dbg_2.2.11-7_i386.deb
 f06a896623748f2b2b752c44f146dca332c4d4f516f7a89cdf4b5d7ccd9160bd 269946 apache2.2-common_2.2.11-7_all.deb
 1aad3c9f1488531e1675543baf764f1dcd9000e90765fed6709341b37cc7db18 2258 apache2-mpm-worker_2.2.11-7_all.deb
 1032582db012ed97e70926a435451d69ac944f388170422756359c3a22661597 2322 apache2-mpm-prefork_2.2.11-7_all.deb
 7ad9e858ba4b849025c97d16589217b5e46ae86ea10c4af912cca259cef3ab04 2292 apache2-mpm-event_2.2.11-7_all.deb
 3fba85b75ee4a0920b413c8a934f18b8724866911c72b56500f2e76aadcac230 1372 apache2_2.2.11-7_all.deb
 8b1f37c9b6d3e22a9753ddfe29503ba628235b9750ab818a98fc9914773d00c4 2227630 apache2-doc_2.2.11-7_all.deb
 59e591e209e6ea62dbb9c68959880c32aeeab2304df47adc8aaa337f18970322 6948660 apache2-src_2.2.11-7_all.deb
Files: 
 5376daaa2d6c05bb4244b94ec81c25fa 1670 httpd optional apache2_2.2.11-7.dsc
 f817415d2cc3228bac3068010384898d 139798 httpd optional apache2_2.2.11-7.diff.gz
 5e33d95e38de2ce2c913966d0deb679e 1091360 httpd optional apache2.2-bin_2.2.11-7_i386.deb
 5bfd70b6c4cfed7ff872e6acba916ce8 146464 httpd optional apache2-utils_2.2.11-7_i386.deb
 c606db755d28e294985703ed552435f5 85478 httpd optional apache2-suexec_2.2.11-7_i386.deb
 2c78406464a12fc3bd1edb91589b04bc 87060 httpd extra apache2-suexec-custom_2.2.11-7_i386.deb
 55128d18d5a993f256d03f986bf48f2c 137744 httpd extra apache2-prefork-dev_2.2.11-7_i386.deb
 b39b532c0befc27a885bc8fd6db65c03 138910 httpd extra apache2-threaded-dev_2.2.11-7_i386.deb
 2275feb7a08161fd99133319ebaa3f9f 2288502 debug extra apache2-dbg_2.2.11-7_i386.deb
 fab9fb13044c30423b219e717fd92c01 269946 httpd optional apache2.2-common_2.2.11-7_all.deb
 d5d6268eaa9545c711ca8138f1e4de02 2258 httpd optional apache2-mpm-worker_2.2.11-7_all.deb
 42c1e0ec4d4aaf6d8b122c665968d7ab 2322 httpd optional apache2-mpm-prefork_2.2.11-7_all.deb
 91191b8b26d259679108a958dccd3c7b 2292 httpd optional apache2-mpm-event_2.2.11-7_all.deb
 f0aecb92b975deb106489e5cded68153 1372 httpd optional apache2_2.2.11-7_all.deb
 76aea36c5674fe11e8baae7add1b9041 2227630 doc optional apache2-doc_2.2.11-7_all.deb
 3cbd8507c04f3572e3aac9cebcb6bffc 6948660 httpd extra apache2-src_2.2.11-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKV6mkbxelr8HyTqQRAp6qAKDBnNACidolSAkWaMn4ZtzbvhL9TQCdE1k8
8GlclMeSvyl6MbOeOUGvPy4=
=2SBX
-----END PGP SIGNATURE-----

Message #20 received at 534712-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 534712-close@bugs.debian.org

Subject: Bug#534712: fixed in apache2 2.2.3-4+etch9

Date: Wed, 05 Aug 2009 19:58:54 +0000

Source: apache2
Source-Version: 2.2.3-4+etch9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch9_all.deb
apache2-mpm-event_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch9_i386.deb
apache2-mpm-perchild_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch9_all.deb
apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
apache2-mpm-worker_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch9_i386.deb
apache2-prefork-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch9_i386.deb
apache2-src_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch9_all.deb
apache2-threaded-dev_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch9_i386.deb
apache2-utils_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch9_i386.deb
apache2.2-common_2.2.3-4+etch9_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch9_i386.deb
apache2_2.2.3-4+etch9.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.diff.gz
apache2_2.2.3-4+etch9.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch9.dsc
apache2_2.2.3-4+etch9_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 14 Jul 2009 23:06:43 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch9
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 534712
Changes: 
 apache2 (2.2.3-4+etch9) oldstable-security; urgency=high
 .
   * Security:
     CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
     Also prevent compressing the content for HEAD requests.
Files: 
 5090ccfce8dc2e193a0200a5046fc0c2 1068 web optional apache2_2.2.3-4+etch9.dsc
 2705ba251cdd2e979ce85099b4548848 127065 web optional apache2_2.2.3-4+etch9.diff.gz
 9f79ca5450eb153eeb77d0ccdf63af53 962488 web optional apache2.2-common_2.2.3-4+etch9_i386.deb
 80ff91b5681b3b65b9f82510b78995d8 423714 web optional apache2-mpm-worker_2.2.3-4+etch9_i386.deb
 3efc018978b3f6879d4e17cd870da7c6 419898 web optional apache2-mpm-prefork_2.2.3-4+etch9_i386.deb
 f7df4f2e8308b37945d6c9350fb68059 424256 web optional apache2-mpm-event_2.2.3-4+etch9_i386.deb
 473c50b8e3b3ff72f61fd2773ad0a5ec 342508 web optional apache2-utils_2.2.3-4+etch9_i386.deb
 aca126fc936879a914786d64b39582f1 409096 devel optional apache2-prefork-dev_2.2.3-4+etch9_i386.deb
 c973180a87c19636cc18823d872eaaf5 410094 devel optional apache2-threaded-dev_2.2.3-4+etch9_i386.deb
 632e77496c06ac55702187083210c5bd 274258 web optional apache2-mpm-perchild_2.2.3-4+etch9_all.deb
 765f1df6239124b257a17373ec12a25c 41428 web optional apache2_2.2.3-4+etch9_all.deb
 3c97cd0ed50e13730082455509ccf2ea 2243400 doc optional apache2-doc_2.2.3-4+etch9_all.deb
 863bd8f5274dcca2b348ddfb455f1e98 6666600 devel extra apache2-src_2.2.3-4+etch9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXPvWbxelr8HyTqQRAo/WAJ9irQharLhdo/7fW0YjUVdNMjsG9QCglfQw
C9R7SgEGPKV+V+D4irwcjzo=
=wOXW
-----END PGP SIGNATURE-----

Message #25 received at 534712-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 534712-close@bugs.debian.org

Subject: Bug#534712: fixed in apache2 2.2.9-10+lenny4

Date: Sat, 15 Aug 2009 01:57:34 +0000

Source: apache2
Source-Version: 2.2.9-10+lenny4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.9-10+lenny4_i386.deb
apache2-doc_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.9-10+lenny4_all.deb
apache2-mpm-event_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny4_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
apache2-src_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.9-10+lenny4_all.deb
apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
apache2-suexec_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec_2.2.9-10+lenny4_i386.deb
apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
apache2-utils_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.9-10+lenny4_i386.deb
apache2.2-common_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.9-10+lenny4_i386.deb
apache2_2.2.9-10+lenny4.diff.gz
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.diff.gz
apache2_2.2.9-10+lenny4.dsc
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.dsc
apache2_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Jul 2009 21:53:01 +0200
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-common - Apache HTTP Server common files
Closes: 534712 536718
Changes: 
 apache2 (2.2.9-10+lenny4) stable-security; urgency=high
 .
   * Security fixes:
     - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
     - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
       Also prevent compressing the content for HEAD requests.
Checksums-Sha1: 
 b6985c3c29faf52c7a593aa44cddf3b15981b864 1673 apache2_2.2.9-10+lenny4.dsc
 89c68afe4a74abb0213e17be879155f4a95b5f85 138623 apache2_2.2.9-10+lenny4.diff.gz
 9acb9f447940cbbfca2fae4de3638c3e04eb996a 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 c97554508708286d7305af28a53f412a42ac075b 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 1329a07a996735a140c67bb886a0584ac4bef237 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 cfdb8b27cba028a2718edb9cd17353b2877e7baa 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 2a7e88f106a86ae91c345b8c8d29e24c3fc52c79 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 61451e675e2138780d18ed338ffed84c792c446b 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 a74cf4abd63f81074d524130264e711ccc4b1b33 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 791dc787b001b16115ea53470d76b820b189ef40 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 ed4185e8f8ecd5d08117b948d251a8198e977dd9 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 730f886299d7e71d08bd03b23440981d949c5303 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 d0b8c58630ca50924e7f0f62af75cc2bfe0b993c 44714 apache2_2.2.9-10+lenny4_all.deb
 89017171b8c11b62e2bc12267585e54fb094f431 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 f4121631849bf777c8302a3b674852cb579d2eeb 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Checksums-Sha256: 
 2b696c8027e914658e15871c4ce8dd4fec5db7430f6e00d5f9b2197fd6997f51 1673 apache2_2.2.9-10+lenny4.dsc
 27aa3da621bd4cbae660105aeeee5e5e6745f573c240546b223d42856a2615c4 138623 apache2_2.2.9-10+lenny4.diff.gz
 3b2544bdaf52872eeb90df8f1b92dcf31bc3aabdefd78915fe3203c9a53ce501 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 5dc6201e8f96d36d00165c109f993a8e66a31053dd7a99fa86ffe0a6ef122153 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 0363d9b28624bf3ce8ddbcaacde1ce28247217d7b4e3c016afaaea1502c0d016 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 c8c99837d0141b0c5186e2dcd91bd4f7a77ab5d36b45522d9a3372c6a89269f7 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 aa3b21c33fc44b91ebaa13c370b12a269871ac1c12cbf1573a38ce5601f9182c 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 0fd933959dfceb197a7cd6a1a795757d6367426a71317b5f7a7d6fa321e3e3c1 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 3f61c6dbb6ffb0d4c50082cc818c18d6a4ab6355007321bd6d409a80dcf80442 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 b4e79bd64fb3bd901c5e80c5683bc39eb83975a4b1dbf48dbe9b534d8177bc4d 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 6aebd6d9e5de18fbcba1129fe8007a76202b12ceafab8ac2eeb408430c92e6c3 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 97cac91b09821dd0dfb96759627bbde6f89fb7fc472e124088726dcff6ae7404 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 e3f40fe80d7e348f6589897adfc677fdcbb8132d9fa7c49c7db76e66d1868b06 44714 apache2_2.2.9-10+lenny4_all.deb
 9a59cc794efdebbd83a429b64941d776c2d1765922cc07a86a4d1600627f4a65 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 4cdfad211b7200fa628e3ccb84f8790c7418ef2814218ef1e6aba65fc479a7c3 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Files: 
 3edbeef1b78cdcb238a1b156b1e15bb3 1673 web optional apache2_2.2.9-10+lenny4.dsc
 e83f70e3fe9dc21e23b9e12e0e3509a2 138623 web optional apache2_2.2.9-10+lenny4.diff.gz
 91c5374730252660a652998778f37d8d 782590 web optional apache2.2-common_2.2.9-10+lenny4_i386.deb
 5354fbeaf0547f9a42bb15093325f549 240464 web optional apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 db7f962144ad83c02e89cf774292288b 236982 web optional apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 d071d125f52595d24d7ce27a700125b2 240950 web optional apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 a5f47b4e360f4dfb1af40edc0fd4b029 142984 web optional apache2-utils_2.2.9-10+lenny4_i386.deb
 14dc03b9022352f6ca89cc18d5a0330e 81826 web optional apache2-suexec_2.2.9-10+lenny4_i386.deb
 1bada724cf9b6dd9f63c650467efeba9 83576 web extra apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 c3f8cc33efaf94bb394269a70c71a0d1 210906 devel extra apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 962c9711427d4b3040f2682cc76ab86a 212226 devel extra apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 ec028a4db5a43f4ed9ad5be64752d03a 2321656 libdevel extra apache2-dbg_2.2.9-10+lenny4_i386.deb
 bc0ebb5a9da11e825827315a6899abfb 44714 web optional apache2_2.2.9-10+lenny4_all.deb
 196001254f77a940ad90c9b71a852e77 2060300 doc optional apache2-doc_2.2.9-10+lenny4_all.deb
 79b3f9d5db6aa727567fbe8465ff90d4 6734400 devel extra apache2-src_2.2.9-10+lenny4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXOoabxelr8HyTqQRAifyAKCtMLqGJ+HNyverlKLoE+R064+afQCgnJog
0EY43IHPqNSnZ4ikE+ARipk=
=kCvs
-----END PGP SIGNATURE-----

Message #30 received at 534712-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 534712-close@bugs.debian.org

Subject: Bug#534712: fixed in apache2 2.2.9-10+lenny4

Date: Fri, 04 Sep 2009 18:31:38 +0000

Source: apache2
Source-Version: 2.2.9-10+lenny4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.9-10+lenny4_i386.deb
apache2-doc_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.9-10+lenny4_all.deb
apache2-mpm-event_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny4_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
apache2-src_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.9-10+lenny4_all.deb
apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
apache2-suexec_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-suexec_2.2.9-10+lenny4_i386.deb
apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
apache2-utils_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.9-10+lenny4_i386.deb
apache2.2-common_2.2.9-10+lenny4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.9-10+lenny4_i386.deb
apache2_2.2.9-10+lenny4.diff.gz
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.diff.gz
apache2_2.2.9-10+lenny4.dsc
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4.dsc
apache2_2.2.9-10+lenny4_all.deb
  to pool/main/a/apache2/apache2_2.2.9-10+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Jul 2009 21:53:01 +0200
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-common - Apache HTTP Server common files
Closes: 534712 536718
Changes: 
 apache2 (2.2.9-10+lenny4) stable-security; urgency=high
 .
   * Security fixes:
     - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
     - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
       Also prevent compressing the content for HEAD requests.
Checksums-Sha1: 
 b6985c3c29faf52c7a593aa44cddf3b15981b864 1673 apache2_2.2.9-10+lenny4.dsc
 89c68afe4a74abb0213e17be879155f4a95b5f85 138623 apache2_2.2.9-10+lenny4.diff.gz
 9acb9f447940cbbfca2fae4de3638c3e04eb996a 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 c97554508708286d7305af28a53f412a42ac075b 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 1329a07a996735a140c67bb886a0584ac4bef237 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 cfdb8b27cba028a2718edb9cd17353b2877e7baa 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 2a7e88f106a86ae91c345b8c8d29e24c3fc52c79 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 61451e675e2138780d18ed338ffed84c792c446b 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 a74cf4abd63f81074d524130264e711ccc4b1b33 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 791dc787b001b16115ea53470d76b820b189ef40 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 ed4185e8f8ecd5d08117b948d251a8198e977dd9 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 730f886299d7e71d08bd03b23440981d949c5303 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 d0b8c58630ca50924e7f0f62af75cc2bfe0b993c 44714 apache2_2.2.9-10+lenny4_all.deb
 89017171b8c11b62e2bc12267585e54fb094f431 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 f4121631849bf777c8302a3b674852cb579d2eeb 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Checksums-Sha256: 
 2b696c8027e914658e15871c4ce8dd4fec5db7430f6e00d5f9b2197fd6997f51 1673 apache2_2.2.9-10+lenny4.dsc
 27aa3da621bd4cbae660105aeeee5e5e6745f573c240546b223d42856a2615c4 138623 apache2_2.2.9-10+lenny4.diff.gz
 3b2544bdaf52872eeb90df8f1b92dcf31bc3aabdefd78915fe3203c9a53ce501 782590 apache2.2-common_2.2.9-10+lenny4_i386.deb
 5dc6201e8f96d36d00165c109f993a8e66a31053dd7a99fa86ffe0a6ef122153 240464 apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 0363d9b28624bf3ce8ddbcaacde1ce28247217d7b4e3c016afaaea1502c0d016 236982 apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 c8c99837d0141b0c5186e2dcd91bd4f7a77ab5d36b45522d9a3372c6a89269f7 240950 apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 aa3b21c33fc44b91ebaa13c370b12a269871ac1c12cbf1573a38ce5601f9182c 142984 apache2-utils_2.2.9-10+lenny4_i386.deb
 0fd933959dfceb197a7cd6a1a795757d6367426a71317b5f7a7d6fa321e3e3c1 81826 apache2-suexec_2.2.9-10+lenny4_i386.deb
 3f61c6dbb6ffb0d4c50082cc818c18d6a4ab6355007321bd6d409a80dcf80442 83576 apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 b4e79bd64fb3bd901c5e80c5683bc39eb83975a4b1dbf48dbe9b534d8177bc4d 210906 apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 6aebd6d9e5de18fbcba1129fe8007a76202b12ceafab8ac2eeb408430c92e6c3 212226 apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 97cac91b09821dd0dfb96759627bbde6f89fb7fc472e124088726dcff6ae7404 2321656 apache2-dbg_2.2.9-10+lenny4_i386.deb
 e3f40fe80d7e348f6589897adfc677fdcbb8132d9fa7c49c7db76e66d1868b06 44714 apache2_2.2.9-10+lenny4_all.deb
 9a59cc794efdebbd83a429b64941d776c2d1765922cc07a86a4d1600627f4a65 2060300 apache2-doc_2.2.9-10+lenny4_all.deb
 4cdfad211b7200fa628e3ccb84f8790c7418ef2814218ef1e6aba65fc479a7c3 6734400 apache2-src_2.2.9-10+lenny4_all.deb
Files: 
 3edbeef1b78cdcb238a1b156b1e15bb3 1673 web optional apache2_2.2.9-10+lenny4.dsc
 e83f70e3fe9dc21e23b9e12e0e3509a2 138623 web optional apache2_2.2.9-10+lenny4.diff.gz
 91c5374730252660a652998778f37d8d 782590 web optional apache2.2-common_2.2.9-10+lenny4_i386.deb
 5354fbeaf0547f9a42bb15093325f549 240464 web optional apache2-mpm-worker_2.2.9-10+lenny4_i386.deb
 db7f962144ad83c02e89cf774292288b 236982 web optional apache2-mpm-prefork_2.2.9-10+lenny4_i386.deb
 d071d125f52595d24d7ce27a700125b2 240950 web optional apache2-mpm-event_2.2.9-10+lenny4_i386.deb
 a5f47b4e360f4dfb1af40edc0fd4b029 142984 web optional apache2-utils_2.2.9-10+lenny4_i386.deb
 14dc03b9022352f6ca89cc18d5a0330e 81826 web optional apache2-suexec_2.2.9-10+lenny4_i386.deb
 1bada724cf9b6dd9f63c650467efeba9 83576 web extra apache2-suexec-custom_2.2.9-10+lenny4_i386.deb
 c3f8cc33efaf94bb394269a70c71a0d1 210906 devel extra apache2-prefork-dev_2.2.9-10+lenny4_i386.deb
 962c9711427d4b3040f2682cc76ab86a 212226 devel extra apache2-threaded-dev_2.2.9-10+lenny4_i386.deb
 ec028a4db5a43f4ed9ad5be64752d03a 2321656 libdevel extra apache2-dbg_2.2.9-10+lenny4_i386.deb
 bc0ebb5a9da11e825827315a6899abfb 44714 web optional apache2_2.2.9-10+lenny4_all.deb
 196001254f77a940ad90c9b71a852e77 2060300 doc optional apache2-doc_2.2.9-10+lenny4_all.deb
 79b3f9d5db6aa727567fbe8465ff90d4 6734400 devel extra apache2-src_2.2.9-10+lenny4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXOoabxelr8HyTqQRAifyAKCtMLqGJ+HNyverlKLoE+R064+afQCgnJog
0EY43IHPqNSnZ4ikE+ARipk=
=kCvs
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.