apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Debian Bug report logs - #920220
apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Tue, 22 Jan 2019 21:18:38 +0100

Source: apache2
Version: 2.4.37-1
Severity: grave
Tags: patch security upstream

Hi (Stefan),

I agree the severity is not the best choosen one for this issue, it is
more to ensure we could release buster with an appropriate fix already
before the release. If you disagree, please do downgrade.

The following vulnerability was published for apache2.

CVE-2019-0190[0]:
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
[1] https://marc.info/?l=oss-security&m=154817901921421&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Xavier <yadd@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 09:18:36 +0100

Hello,

Debian bug is tagged as "patch", but I didn't find any patch in the
related documents. Can you give me the link to patch ?

Cheers,
Xavier

Le 22/01/2019 à 21:18, Salvatore Bonaccorso a écrit :
> Source: apache2
> Version: 2.4.37-1
> Severity: grave
> Tags: patch security upstream
> 
> Hi (Stefan),
> 
> I agree the severity is not the best choosen one for this issue, it is
> more to ensure we could release buster with an appropriate fix already
> before the release. If you disagree, please do downgrade.
> 
> The following vulnerability was published for apache2.
> 
> CVE-2019-0190[0]:
> mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-0190
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
> [1] https://marc.info/?l=oss-security&m=154817901921421&w=2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Message #15 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Xavier <yadd@debian.org>

Cc: 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 20:57:07 +0100

Control: tags -1 + fixed-upstream
Control: tags -1 - patch

Hi Xavier,

On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
> 
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to patch ?

Well you are right, not a patch per se, maybe fixed-upstream and
"there is a patch" would have been better. Let me fix that.

If feasible possibly updating to the new upstream version fixing this
CVE (and two other) would be better if still feasible so short before
the soft freeze.

Regards,
Salvatore

Message #24 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Xavier <yadd@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 21:46:44 +0100

Le 23/01/2019 à 20:57, Salvatore Bonaccorso a écrit :
> Control: tags -1 + fixed-upstream
> Control: tags -1 - patch
> 
> Hi Xavier,
> 
> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
>> Hello,
>>
>> Debian bug is tagged as "patch", but I didn't find any patch in the
>> related documents. Can you give me the link to patch ?
> 
> Well you are right, not a patch per se, maybe fixed-upstream and
> "there is a patch" would have been better. Let me fix that.
> 
> If feasible possibly updating to the new upstream version fixing this
> CVE (and two other) would be better if still feasible so short before
> the soft freeze.
> 
> Regards,
> Salvatore

Hello,

looking at last release changelog, bug seems not fixed

Message #29 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Xavier <yadd@debian.org>

Cc: 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 21:50:31 +0100

Hi Xavier,

On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> Le 23/01/2019 à 20:57, Salvatore Bonaccorso a écrit :
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> > 
> > Hi Xavier,
> > 
> > On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >> Hello,
> >>
> >> Debian bug is tagged as "patch", but I didn't find any patch in the
> >> related documents. Can you give me the link to patch ?
> > 
> > Well you are right, not a patch per se, maybe fixed-upstream and
> > "there is a patch" would have been better. Let me fix that.
> > 
> > If feasible possibly updating to the new upstream version fixing this
> > CVE (and two other) would be better if still feasible so short before
> > the soft freeze.
> > 
> > Regards,
> > Salvatore
> 
> Hello,
> 
> looking at last release changelog, bug seems not fixed

Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
is fixed in 2.4.38 upstream.

HTH,

Regards,
Salvatore

Message #34 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Xavier <yadd@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 21:54:29 +0100

Le 23/01/2019 à 21:50, Salvatore Bonaccorso a écrit :
> Hi Xavier,
> 
> On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
>> Le 23/01/2019 à 20:57, Salvatore Bonaccorso a écrit :
>>> Control: tags -1 + fixed-upstream
>>> Control: tags -1 - patch
>>>
>>> Hi Xavier,
>>>
>>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
>>>> Hello,
>>>>
>>>> Debian bug is tagged as "patch", but I didn't find any patch in the
>>>> related documents. Can you give me the link to patch ?
>>>
>>> Well you are right, not a patch per se, maybe fixed-upstream and
>>> "there is a patch" would have been better. Let me fix that.
>>>
>>> If feasible possibly updating to the new upstream version fixing this
>>> CVE (and two other) would be better if still feasible so short before
>>> the soft freeze.
>>>
>>> Regards,
>>> Salvatore
>>
>> Hello,
>>
>> looking at last release changelog, bug seems not fixed
> 
> Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> is fixed in 2.4.38 upstream.
> 
> HTH,
> 
> Regards,
> Salvatore

I see that but the provided link [1] doesn't mention it, neither apache2
changelog.

[1] https://httpd.apache.org/security/vulnerabilities_24.html

Message #39 received at 920220@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Xavier <yadd@debian.org>

Cc: 920220@bugs.debian.org

Subject: Re: Bug#920220: apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Date: Wed, 23 Jan 2019 22:10:13 +0100

Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> Le 23/01/2019 à 21:50, Salvatore Bonaccorso a écrit :
> > Hi Xavier,
> > 
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> Le 23/01/2019 à 20:57, Salvatore Bonaccorso a écrit :
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to patch ?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two other) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at last release changelog, bug seems not fixed
> > 
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> > 
> > HTH,
> > 
> > Regards,
> > Salvatore
> 
> I see that but the provided link [1] doesn't mention it, neither apache2
> changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are
mentioned already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore

Message #44 received at 920220-close@bugs.debian.org (full text, mbox, reply):

From: Xavier Guimard <yadd@debian.org>

To: 920220-close@bugs.debian.org

Subject: Bug#920220: fixed in apache2 2.4.38-1

Date: Tue, 29 Jan 2019 23:19:31 +0000

Source: apache2
Source-Version: 2.4.38-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920220@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 Jan 2019 23:49:49 +0100
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source
Version: 2.4.38-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 880993 920220 920302 920303
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Changes:
 apache2 (2.4.38-1) unstable; urgency=medium
 .
   [ Jelmer Vernooij ]
   * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
   * Trim trailing whitespace
   * Use secure copyright file specification URI
 .
   [ Niels Thykier ]
   * Add Rules-Requires-Root: binary-targets
 .
   [ Xavier Guimard ]
   * Convert signing-key.pgp into signing-key.asc
   * Add http2.conf (Closes: #880993)
   * Remove unnecessary greater-than versioned dependency to dpkg-dev,
     libbrotli-dev and libapache2-mod-md
   * Declare compliance with policy 4.2.1
   * Add spelling errors patch (reported)
   * Fix some spelling errors in debian files
   * Add myself to uploaders
   * Refresh patches
   * Bump debhelper compatibility level to 10
   * debian/rules:
     - Remove unnecessary dh argument --parallel
     - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
   * Add upstream/metadata
   * Replace MIT by Expat in debian/copyright
   * debian/watch: use https url
   * Add documentation links in systemd service files
   * Team upload
 .
   [ Cyrille Bollu ]
   * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
     it gets automatically de-activated upon apache 'startup when using
     mpm_prefork.
   * Updated http2.conf to inform user that they may want to change their
     LogFormat directives.
 .
   [ Xavier Guimard ]
   * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
   * Refresh patches
   * Remove setenvifexpr.diff patch now included in upstream
   * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
   * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
   * Declare compliance with policy 4.3.0
   * Fix homepage to https
   * Update debian/copyright
Checksums-Sha1: 
 46ae13d548daa63ae4a15e285d9c99edc0ad409b 3478 apache2_2.4.38-1.dsc
 6ee19a7b936a6ddbbf81b313c4a8b38bf232b40e 9187294 apache2_2.4.38.orig.tar.gz
 bb42f56e0716ca824776a6452b98b4a49956f711 488 apache2_2.4.38.orig.tar.gz.asc
 daeae57532511f16324e5dbbf6952b685287f840 1011620 apache2_2.4.38-1.debian.tar.xz
Checksums-Sha256: 
 da523e698fed6e88d6a9c351bfc5ca7a937c9cd95dd8f4795258c0ce59c8ec2d 3478 apache2_2.4.38-1.dsc
 38d0b73aa313c28065bf58faf64cec12bf7c7d5196146107df2ad07541aa26a6 9187294 apache2_2.4.38.orig.tar.gz
 4931fdd5833dc79592edd351047b9f153e3bac4323157e3f5d733d276d2a4997 488 apache2_2.4.38.orig.tar.gz.asc
 4980d2f56a5eb2d0471aea974a34c2f607d8a123032496d276540766d9af41f7 1011620 apache2_2.4.38-1.debian.tar.xz
Files: 
 1928c854cc75db06169a78be9d19c55e 3478 httpd optional apache2_2.4.38-1.dsc
 626083caac6d85a048abac6d5ea61e5b 9187294 httpd optional apache2_2.4.38.orig.tar.gz
 6933fc9cc71319ec87333b7e44b319ec 488 httpd optional apache2_2.4.38.orig.tar.gz.asc
 41fd24233e9d70d312ff3c33385ae31c 1011620 httpd optional apache2_2.4.38-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlxQ2kcACgkQ9tdMp8mZ
7um22BAAkje2GOsJIRx+1XaQQFcTbUbriPETtQ+69EeBK4Io0gb2HGkcFz0ootKc
cQu0IoqHTcypg5al2eTk8x1OH+AW5FPcbZvgMoHz3Yd/D42FxfuosNcMXVb46B+l
b+ujWZIZnBA3oSle16F94fRuR/wlPY8jjz3guVHXAVL5iiypePYKKLFoBbaay4Rq
eFaVmUPfTwSCCzyshQXeJijD+MGuykUm7NUdGJprtu1JOKZ+RZ+xM4LCzIjE1Xfa
DJa20VsJPajXyz/50m6lU3vspAy29ZL8YLCf5uHxRfwUF3PXerhrz75zf1h49vIG
d3j8W+g98n0DLxz3YCG+96sMMk8Qo82uIZnDOk6nO5/lMnHvuft5Llow8HgYD5Yn
s9/WTOaqR45gqTff0avAOwbdgMNLkaJhsvOaw8tZ9GldRhNNqqpnCQJWR+u4FQTT
uipXSwP2hZyuud0co2c/UfSKNx0r5ETRbi/EnNoNDaIPvrx1LT7WzXQgd+GV59r7
gPZHCzNrkDYajN1Fdit2r4EFj9402RSJL58j05tULGdn2kbdcBsXIuvore1plS7b
1jcWGxwVeft9ogg7PfXYyy53cJtuH31H/2ClrLMTci71mFgzrbfK6vUOO2trIpGm
zcYyUtPFbBYYq0ZgKKQZFXW8yehBHY+dZW6PyWJSQiJvQgQkWHA=
=tC4E
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.