apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request

Related Vulnerabilities: CVE-2021-31618  

Debian Bug report logs - #989562

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 7 Jun 2021 15:39:02 UTC

Severity: grave

Tags: security, upstream

Found in version apache2/2.4.47-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#989562; Package src:apache2. (Mon, 07 Jun 2021 15:39:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 07 Jun 2021 15:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Date: Mon, 07 Jun 2021 17:34:53 +0200
Source: apache2
Version: 2.4.47-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apache2.

CVE-2021-31618[0]:
| httpd: NULL pointer dereference on specially crafted HTTP/2 request

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31618
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
[1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
[2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#989562; Package src:apache2. (Tue, 08 Jun 2021 06:06:02 GMT).


Acknowledgement sent to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 08 Jun 2021 06:06:02 GMT).


Message #10 received at 989562@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 989562@bugs.debian.org
Subject: Re: Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Date: Tue, 8 Jun 2021 07:58:45 +0200
On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
> Source: apache2
> Version: 2.4.47-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for apache2.
> 
> CVE-2021-31618[0]:
> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Hi all,

I can't import the whole patch for Bullseye since it is written for
2.4.47. I think the best solution is to import the whole http2 module in
Bullseye. This gives the attached patch

Cheers,
Yadd
[import-http2-module-from-2.4.47.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#989562; Package src:apache2. (Tue, 08 Jun 2021 06:27:05 GMT).


Acknowledgement sent to 989562@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 08 Jun 2021 06:27:05 GMT).


Message #15 received at 989562@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 989562@bugs.debian.org
Subject: Re: Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Date: Tue, 8 Jun 2021 08:25:41 +0200
On 08/06/2021 at 07:58, Yadd wrote:
> On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
>> Source: apache2
>> Version: 2.4.47-1
>> Severity: grave
>> Tags: security upstream
>> Justification: user security hole
>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>>
>> Hi,
>>
>> The following vulnerability was published for apache2.
>>
>> CVE-2021-31618[0]:
>> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
>> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
>> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>>
>> Please adjust the affected versions in the BTS as needed.
>>
>> Regards,
>> Salvatore
> 
> Hi all,
> 
> I can't import the whole patch for Bullseye since it is written for
> 2.4.47. I think the best solution is to import the whole http2 module in
> Bullseye. This gives the attached patch
> 
> Cheers,
> Yadd

We can also fix this for Buster using the same way (we did it previously
for 2.4.46). Here is the debdiff
[apache2_2.4.38-3+deb10u5.debdiff (text/plain, attachment)]

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#989562. (Tue, 08 Jun 2021 06:36:02 GMT).


Message #18 received at 989562-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989562-submitter@bugs.debian.org
Subject: Bug#989562 marked as pending in apache2
Date: Tue, 08 Jun 2021 06:33:03 +0000
Control: tag -1 pending

Hello,

Bug #989562 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/e658ca2ee7f09e8f4dd0199f47af20756f90a6ff

------------------------------------------------------------------------
Import the whole HTTP2 module from 2.4.47 (Closes: #989562, CVE-2021-31618)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989562



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 989562-submitter@bugs.debian.org. (Tue, 08 Jun 2021 06:36:02 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#989562. (Tue, 08 Jun 2021 08:51:03 GMT).


Message #23 received at 989562-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989562-submitter@bugs.debian.org
Subject: Bug#989562 marked as pending in apache2
Date: Tue, 08 Jun 2021 08:46:35 +0000
Control: tag -1 pending

Hello,

Bug #989562 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/77aadf7b7d4f28684d9ddf97f447719245737090

------------------------------------------------------------------------
Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)

x
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989562



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#989562; Package src:apache2. (Tue, 08 Jun 2021 08:54:02 GMT).


Acknowledgement sent to 989562@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 08 Jun 2021 08:54:02 GMT).


Message #28 received at 989562@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 989562@bugs.debian.org
Subject: Re: Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Date: Tue, 8 Jun 2021 10:51:58 +0200
On 08/06/2021 at 08:25, Yadd wrote:
> On 08/06/2021 at 07:58, Yadd wrote:
>> On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
>>> Source: apache2
>>> Version: 2.4.47-1
>>> Severity: grave
>>> Tags: security upstream
>>> Justification: user security hole
>>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>>>
>>> Hi,
>>>
>>> The following vulnerability was published for apache2.
>>>
>>> CVE-2021-31618[0]:
>>> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
>>> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
>>> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>>>
>>> Please adjust the affected versions in the BTS as needed.
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi all,
>>
>> I can't import the whole patch for Bullseye since it is written for
>> 2.4.47. I think the best solution is to import the whole http2 module in
>> Bullseye. This gives the attached patch
>>
>> Cheers,
>> Yadd
> 
> We can also fix this for Buster using the same way (we did it previously
> for 2.4.46). Here is the debdiff

Update for Buster
[apache2_2.4.38-3+deb10u5.debdiff (text/plain, attachment)]

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#989562. (Tue, 08 Jun 2021 08:54:03 GMT).


Message #31 received at 989562-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989562-submitter@bugs.debian.org
Subject: Bug#989562 marked as pending in apache2
Date: Tue, 08 Jun 2021 08:50:40 +0000
Control: tag -1 pending

Hello,

Bug #989562 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/c5a0d72e842f8d2763a2e12ff48a94b6b12383fe

------------------------------------------------------------------------
Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989562



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#989562; Package src:apache2. (Tue, 08 Jun 2021 10:15:04 GMT).


Acknowledgement sent to 989562@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 08 Jun 2021 10:15:04 GMT).


Message #36 received at 989562@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: 989562@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#989562: apache2: CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Date: Tue, 8 Jun 2021 12:10:39 +0200
On 08/06/2021 at 10:51, Yadd wrote:
> On 08/06/2021 at 08:25, Yadd wrote:
>> On 08/06/2021 at 07:58, Yadd wrote:
>>> On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
>>>> Source: apache2
>>>> Version: 2.4.47-1
>>>> Severity: grave
>>>> Tags: security upstream
>>>> Justification: user security hole
>>>> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>>>>
>>>> Hi,
>>>>
>>>> The following vulnerability was published for apache2.
>>>>
>>>> CVE-2021-31618[0]:
>>>> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>>>>
>>>> If you fix the vulnerability please also make sure to include the
>>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>>
>>>> For further information see:
>>>>
>>>> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>>>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
>>>> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
>>>> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>>>>
>>>> Please adjust the affected versions in the BTS as needed.
>>>>
>>>> Regards,
>>>> Salvatore
>>>
>>> Hi all,
>>>
>>> I can't import the whole patch for Bullseye since it is written for
>>> 2.4.47. I think the best solution is to import the whole http2 module in
>>> Bullseye. This gives the attached patch
>>>
>>> Cheers,
>>> Yadd
>>
>> We can also fix this for Buster using the same way (we did it previously
>> for 2.4.46). Here is the debdiff
> 
> Update for Buster

I was wrong for both Bullseye and Buster: we can't import HTTP2 from
2.4.28 (too intrusive: SSL stack changed)

So I'll try to patch Apache but it seems not easy to do...

Cheers (and sorry),
Yadd



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#989562. (Tue, 08 Jun 2021 10:15:06 GMT).


Message #39 received at 989562-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989562-submitter@bugs.debian.org
Subject: Bug#989562 marked as pending in apache2
Date: Tue, 08 Jun 2021 10:12:48 +0000
Control: tag -1 pending

Hello,

Bug #989562 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/822d703bc5a74b79367f8b0b6ecf2d32e7fc1fe2

------------------------------------------------------------------------
Revert "Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)"

This reverts commit c5a0d72e842f8d2763a2e12ff48a94b6b12383fe.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989562



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#989562. (Tue, 08 Jun 2021 10:15:07 GMT).


Message #42 received at 989562-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989562-submitter@bugs.debian.org
Subject: Bug#989562 marked as pending in apache2
Date: Tue, 08 Jun 2021 10:13:22 +0000
Control: tag -1 pending

Hello,

Bug #989562 in apache2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/apache-team/apache2/-/commit/6a41612e278bcedd0b1be1bb4bfe5d757b5bc8c3

------------------------------------------------------------------------
Revert "Import the whole HTTP2 module from 2.4.48 (Closes: #989562, CVE-2021-31618)"

This reverts commit 77aadf7b7d4f28684d9ddf97f447719245737090.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989562



Removed tag(s) pending. Request was from Yadd <yadd@debian.org> to control@bugs.debian.org. (Tue, 08 Jun 2021 10:27:09 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jun 8 16:13:34 2021; Machine Name: buxtehude
