Bug#551727: apache2: CVE-2009-1890 - backport patch from Apache 2.2.12

Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: normal


see http://httpd.apache.org/security/vulnerabilities_22.html - there is a
mod_proxy DOS attack vulnerability that should be fixed in some of the next
revisions of the apache2 Debian packages

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi dir env mime negotiation perl
  php5 proxy_connect proxy_http proxy python security2 setenvif
  status unique_id

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny4      utility programs for webservers
ii  libapr1             1.2.12-5+lenny1      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny5     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19lenny2      Larry Wall's Practical Extraction
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

On Tuesday 20 October 2009, Tobias Barth wrote:
> see http://httpd.apache.org/security/vulnerabilities_22.html -
>  there is a mod_proxy DOS attack vulnerability that should be fixed
>  in some of the next revisions of the apache2 Debian packages

These are not very severe issues and will be fixed in 2.2.9-10+lenny5
in the next stable point release. Packages are already available in
stable-proposed-updates for most architectures.



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Your message dated Sun, 1 Nov 2009 19:05:06 +0100
with message-id <200911011905.06467.sf@...>
and subject line Re: Bug#551727: apache2: CVE-2009-1890 - backport patch from Apache 2.2.12
has caused the Debian Bug report #551727,
regarding apache2: CVE-2009-1890 - backport patch from Apache 2.2.12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@...
immediately.)


--
551727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551727
Debian Bug Tracking System
Contact owner@... with problems

Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: normal


see http://httpd.apache.org/security/vulnerabilities_22.html - there is a
mod_proxy DOS attack vulnerability that should be fixed in some of the next
revisions of the apache2 Debian packages

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi dir env mime negotiation perl
  php5 proxy_connect proxy_http proxy python security2 setenvif
  status unique_id

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny4      utility programs for webservers
ii  libapr1             1.2.12-5+lenny1      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny5     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19lenny2      Larry Wall's Practical Extraction
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information



On Tuesday 20 October 2009, Stefan Fritsch wrote: CVE-2009-1890 is already fixed in 2.2.9-10+lenny4.