apache2: CVE-2007-4465

Debian Bug report logs - #453783
apache2: CVE-2007-4465

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: apache2: CVE-2007-4465

Date: Sat, 01 Dec 2007 19:35:45 +1100

Package: apache2
Severity: grave
Justification: user security hole

Seems to me that Debian (sarge or etch or even sid) apache packages are
not yet patched against

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465

Seems to me that the obvious workarounds of turning Indexes off or
having an index.html everywhere, protects just fine; and wonder why
Apache does not say so.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Message #10 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Paul Szabo <psz@maths.usyd.edu.au>

Cc: 453783@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Sat, 1 Dec 2007 10:37:10 +0100

severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks

Hi,

On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
>   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protects just fine; and wonder why
> Apache does not say so.

This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have 
the workaround, but there is currently no plan to backport it to 
sarge and etch (as it is of low impact).

Besides switching directory indexes of, setting AddDefaultCharset also 
protects from the issue. AddDefaultCharset is on in the default 
configurations in sarge and etch.

Cheers,
Stefan

Message #23 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>

To: 453783@bugs.debian.org, sf@sfritsch.de

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Sat, 1 Dec 2007 21:44:15 +1100

Dear Stefan,

> This is actually a bug in MSIE, see CVE-2006-5152.

Not a bug in IE only, I have a demo that exploits it under Firefox.
(In fact my demo does not seem to work for IE, yet...)

Not really related to CVE-2006-5152. In fact that is a non-issue: the
CVE references my posts, but fails to reference my retraction
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

> ... no plan to backport ... it is of low impact.

I do not think that XSS and cookie theft (thus access to all data
protected by web login) is of low impact.

> ... setting AddDefaultCharset also protects from the issue.
> AddDefaultCharset is on in the default configurations ...

Thanks for that other workaround: yes it seems to protect my machines.
Now I am puzzled why AddDefaultCharset was commented out in my configs.
Still puzzled why Apache did not mention these workarounds.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Message #28 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Paul Szabo <psz@maths.usyd.edu.au>

Cc: 453783@bugs.debian.org

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Sat, 1 Dec 2007 12:47:24 +0100

Hi Paul,

On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)

If you can exploit that with Firefox, Firefox should be fixed. Can you 
give more details? I would be very interested.

> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049
>828.html

Any broswer that interprets ascii as utf7 without being told to do so 
is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. 
Your retraction was about Apache.

> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.

If it affects only one buggy browser, it's low impact. And since the 
patch for the workaround is not that small (and is changing default 
behaviour and is adding a new config directive), I didn't want to 
backport it to stable. If it affects more browsers, I might 
reconsider.

> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.

AddDefaultCharset has some often unwanted side effects. It overrides 
the charset in meta http-equiv tags. See

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775

It is not the default anymore in lenny and sid.

Cheers,
Stefan

Message #33 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>

To: sf@sfritsch.de

Cc: 453783@bugs.debian.org

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Sun, 2 Dec 2007 06:47:15 +1100

Dear Stefan,

> If you can exploit that with Firefox, Firefox should be fixed. Can you 
> give more details? I would be very interested.

Will do, offline (because it affects the main web login site of my Uni).
Essentially, I found that Firefox will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I guess this is a "new" bug in Firefox,
maybe they should be told...

> Any broswer that interprets ascii as utf7 without being told to do so 
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. 
> Your retraction was about Apache.

So IE "encoding autoselect" is severely buggy: I almost agree.

Whatever people think CVE-2006-5152 is about, I meant my posts to be
about Apache. (No use trying to get MS to fix IE.)

> If it affects only one buggy browser, it's low impact. ...

If that buggy browser is IE, used by 90% of the (deluded) population,
then is it not low impact.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Message #38 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Paul Szabo <psz@maths.usyd.edu.au>

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Tue, 4 Dec 2007 22:43:26 +0100

Dear Paul,

thanks for the information.

On Saturday 01 December 2007, you wrote:
> > If you can exploit that with Firefox, Firefox should be fixed.
> > Can you give more details? I would be very interested.
>
> Will do, offline (because it affects the main web login site of my
> Uni). Essentially, I found that Firefox will inherit the charset of
> the parent page, when that had been selected manually (does not
> inherit the charset specified in headers or meta). I guess this is
> a "new" bug in Firefox, maybe they should be told...

This would require some social engineering but could probably be  
exploited in some cases. I think reporting it to the Firefox bugzilla 
would be a good idea.

> > If it affects only one buggy browser, it's low impact. ...
>
> If that buggy browser is IE, used by 90% of the (deluded)
> population, then is it not low impact.

I have commited the patch to our SVN repository for etch. It will 
probably be released with etch r3 (or maybe r2, if that is delayed 
further). I still do not think it is important enough for a security 
advisory.

Cheers,
Stefan

Message #47 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>

To: 453783@bugs.debian.org

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Wed, 5 Dec 2007 09:10:40 +1100

Dear Stefan,

> ... I think reporting it to the Firefox bugzilla would be a good idea.

Had done so:

https://bugzilla.mozilla.org/show_bug.cgi?id=406777
https://bugzilla.mozilla.org/show_bug.cgi?id=356280

>>> If it affects only one buggy browser, it's low impact. ...
>> If that buggy browser is IE ...
> ... I still do not think it is important enough for a security 
> advisory.

So far I failed in producing an exploit for IE... even though that is
expected/reported to be easy! (The Firefox bug "trumps" any fix you may
make.)

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Message #52 received at 453783@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: 453783@bugs.debian.org

Subject: Re: Bug#453783: apache2: CVE-2007-4465

Date: Tue, 4 Dec 2007 23:17:18 +0100

Just for completeness:

On Tuesday 04 December 2007, Paul Szabo wrote:
> > ... I think reporting it to the Firefox bugzilla would be a good
> > idea.
>
> Had done so:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=406777
> https://bugzilla.mozilla.org/show_bug.cgi?id=356280

Message #57 received at 453783-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 453783-close@bugs.debian.org

Subject: Bug#453783: fixed in apache2 2.2.3-4+etch4

Date: Thu, 31 Jan 2008 07:52:14 +0000

Source: apache2
Source-Version: 2.2.3-4+etch4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 453783@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 399776 421557 453630 453783
Changes: 
 apache2 (2.2.3-4+etch4) stable; urgency=low
 .
   * Fix various cross site scripting vulnerabilities with browsers that do not
     conform to RFC 2616: Apache now adds explicit ContentType and Charset
     headers to the output of various modules, even if AddDefaultCharset is
     commented out. This includes directory indexes generated by mod_autoindex
     and mod_proxy_ftp, which are now marked as iso-8859-1 by default.
     (CVE-2007-4465, CVE-2008-0005, closes: #453783)
     To allow to specify the character set for the directory indexes, the
     Charset and Type IndexOptions and the ProxyFtpDirCharset directive have
     been backported from 2.2.8.
     If you use mod_autoindex and use UTF-8 for your filenames, you should add
     Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf .
     If you use mod_proxy_ftp, the default charset can be set with the
     ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf .
     ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to
     set the charset for specific servers.
   * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
     (Closes: #399776, #421557)
   * More minor security fixes:
     - XSS in mod_imagemap (CVE-2007-5000)
     - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
     - XSS in HTTP method in 413 error message (CVE-2007-6203)
     - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
   * Fix mod_proxy_balancer configuration file parsing (closes: #453630).
   * Don't ship NEWS.Debian with apache2-utils as it affects only the server.
     Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
     MSIE SSL workaround.
Files: 
 7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc
 968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz
 c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb
 fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb
 ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
 266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb
 02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb
 d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb
 83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb
 e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb
 c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb
 a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb
 f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l
3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----

Message #62 received at 453783-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 453783-close@bugs.debian.org

Subject: Bug#453783: fixed in apache2 2.2.3-4+etch4

Date: Sat, 16 Feb 2008 12:17:00 +0000

Source: apache2
Source-Version: 2.2.3-4+etch4

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 453783@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 399776 421557 453630 453783
Changes: 
 apache2 (2.2.3-4+etch4) stable; urgency=low
 .
   * Fix various cross site scripting vulnerabilities with browsers that do not
     conform to RFC 2616: Apache now adds explicit ContentType and Charset
     headers to the output of various modules, even if AddDefaultCharset is
     commented out. This includes directory indexes generated by mod_autoindex
     and mod_proxy_ftp, which are now marked as iso-8859-1 by default.
     (CVE-2007-4465, CVE-2008-0005, closes: #453783)
     To allow to specify the character set for the directory indexes, the
     Charset and Type IndexOptions and the ProxyFtpDirCharset directive have
     been backported from 2.2.8.
     If you use mod_autoindex and use UTF-8 for your filenames, you should add
     Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf .
     If you use mod_proxy_ftp, the default charset can be set with the
     ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf .
     ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to
     set the charset for specific servers.
   * Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
     (Closes: #399776, #421557)
   * More minor security fixes:
     - XSS in mod_imagemap (CVE-2007-5000)
     - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
     - XSS in HTTP method in 413 error message (CVE-2007-6203)
     - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
   * Fix mod_proxy_balancer configuration file parsing (closes: #453630).
   * Don't ship NEWS.Debian with apache2-utils as it affects only the server.
     Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
     MSIE SSL workaround.
Files: 
 7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc
 968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz
 c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb
 fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb
 ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
 266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb
 02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb
 d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb
 83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb
 e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb
 c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb
 a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb
 f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l
3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.