Bug 713966 (CVE-2011-3192)

Summary: VUL-0: CVE-2011-3192: apache2: remote denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Weckbecker <mweckbecker>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P1 - Urgent
CC: andrej.semen, chris.randles, david.chenworth, Dmitry_Vensko, dmueller, mattehle, mcihar, meissner, mge, mkubecek, mrueckert, security-team, stefan.kunze, stephan.barth, ursula.brueckner
Version: unspecified
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: wasL3:36118 maint:released:11.3:42977 maint:released:11.4:42977 maint:released:sle11-sp1:42964 maint:released:sle10-sp4:42965 maint:released:sle10-sp3:42962 wasL3:36288 maint:released:11.3:43657 maint:released:11.4:43657 maint:released:sle11-sp1:43888 maint:released:sle10-sp2:43259 maint:released:sle10-sp3:43977 maint:released:sles9:44384 maint:released:sles9-sp3-teradata:44408
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 726139, 718106, 732051
Attachments:
  patch from Michal's home prj
  patch for SLES 10 (httpd 2.2.3)
  patch for 2.0.x branch
  patch for backward compatible handling of the "0-" case

Description Matthias Weckbecker 2011-08-24 10:53:12 UTC
There was a posting on full-disclosure recently about an apache2 remote denial of service vulnerability, see:

  * http://marc.info/?t=131379269200002&r=1&w=2
  * http://marc.info/?t=131409787700005&r=1&w=2

At least SLE-11-SP1 with its newest version of apache2 is affected.
Comment 2 Matthias Weckbecker 2011-08-24 11:17:28 UTC
temporary workaround:

# a2enmod rewrite

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Verified to be working.
Comment 3 Marcus Rückert 2011-08-24 11:23:25 UTC
two other workarounds:

RequestHeader unset Range

(from http://seclists.org/fulldisclosure/2011/Aug/253)

or

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

(from http://seclists.org/fulldisclosure/2011/Aug/241)
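Added example, not code from this bug's attachments or from the Apache project: a small Python model of the Range header checks discussed in the workarounds above. It reuses the two RewriteCond regexes from Comment 2 and Comment 3 verbatim, and adds a MaxRanges-style counter of the kind Comment 61 mentions as a 2.2.21 backport (the limit of 200 used here as the default is an assumption). The sample header builder constructs an overlapping multi-range header of the kind CVE-2011-3192 is about; it is not the posted PoC.

```python
"""Model of the Range-header workarounds in Comments 2 and 3, plus a
MaxRanges-style counter. Example code added to this page; not from the
Apache project or from the bug's attachments."""
import re
from typing import List, Optional, Tuple

# Regex from the RewriteCond in Comment 2. mod_rewrite matches are unanchored
# substring searches, and [NC] makes the match case-insensitive.
COMMENT2_RE = re.compile(r"bytes=0-.*", re.IGNORECASE)

# Regex from the second RewriteCond in Comment 3: at least two comma-separated
# "a-b" specs anywhere in the header value.
COMMENT3_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# Assumption: 200 as the default limit, in the spirit of the MaxRanges
# directive Comment 61 refers to.
MAX_RANGES_DEFAULT = 200

ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); None = open end


def matches_comment2(header: str) -> bool:
    """True when the Comment 2 RewriteCond would fire (request gets redirected)."""
    return COMMENT2_RE.search(header) is not None


def matches_comment3(header: str) -> bool:
    """True when the Comment 3 RewriteCond would fire (GET/HEAD answered 403)."""
    return COMMENT3_RE.search(header) is not None


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Split a 'bytes=' Range header into (first, last) pairs.

    Returns None when the value is not a byte-range set at all, or when a
    spec is malformed (no '-', non-digits, or no number on either side).
    Unsatisfiable specs such as '5-0' are kept deliberately: a count-based
    limit has to see every spec before any satisfiability check runs.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        first, sep, last = spec.partition("-")
        if not sep:
            return None
        if (first and not first.isdigit()) or (last and not last.isdigit()):
            return None
        if not first and not last:
            return None
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges


def count_ranges(header: str) -> int:
    """Number of byte-range specs, or 0 for an unparseable header."""
    ranges = parse_byte_ranges(header)
    return 0 if ranges is None else len(ranges)


def exceeds_max_ranges(header: str, max_ranges: int = MAX_RANGES_DEFAULT) -> bool:
    """MaxRanges-style check: too many specs, regardless of which bytes they
    name, means the request should be served whole or refused."""
    return count_ranges(header) > max_ranges


def build_attack_header(n: int) -> str:
    """Constructed sample (not the posted PoC): one open leading range followed
    by n overlapping specs that all name the same few bytes."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n))


if __name__ == "__main__":
    for h in ("bytes=0-99", build_attack_header(1300)):
        print(count_ranges(h), matches_comment2(h), matches_comment3(h), exceeds_max_ranges(h))
```

Two properties of the regexes fall out directly when you run this: the Comment 2 condition only fires when the literal substring "bytes=0-" is present, so a multi-range header whose first spec does not start at 0 passes it untouched, while the Comment 3 condition fires on any value containing two or more specs, including a legitimate two-range request. A count-based limit like the one modelled in exceeds_max_ranges distinguishes the two cases by volume rather than by shape.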
Comment 5 Matthias Weckbecker 2011-08-26 13:45:07 UTC
*** Bug 714306 has been marked as a duplicate of this bug. ***
Comment 6 Dirk Mueller 2011-08-27 08:16:58 UTC
it looks like the flurry of commits stopped meanwhile:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=log&sortby=date

possibly final patch: svn diff -r1135172:HEAD http://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/http/byterange_filter.c
Comment 7 Dirk Mueller 2011-08-27 09:36:31 UTC
fixed in home:dirkmueller:branches:Apache/apache2
Comment 9 Michal Kubeček 2011-08-30 13:57:52 UTC
There were some more changes later and Apache developers decided to use only part of the trunk fix for the 2.2.x branch. I've prepared a package for Evergreen with what is likely to get into 2.2.20 in the (external) OBS project home:mkubecek:branches:openSUSE:Evergreen:11.1:Test but didn't have time to test it yet.
Comment 11 Roman Drahtmueller 2011-08-30 14:10:12 UTC
Created attachment 448420 [details]
patch from Michal's home prj
Comment 12 Michal Kubeček 2011-08-30 14:16:56 UTC
The patch is diff from SVN branch 2.2.x

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c?view=log

between revisions 916627 and 1162885 (with a small modification because the apr_brigade_destroy->apr_brigade_cleanup change from revision 916627 isn't present in the last openSUSE 11.1 update).
Comment 13 Roman Drahtmueller 2011-08-30 15:05:01 UTC
ack. ibs home:draht:branches:SUSE:SLE-11-SP2:GA/apache2 has the patch.

I'd like to wait until at least tomorrow if the apache upstream developers will recommend a specific patch, even though the one in the package above appears to work cleanly.

Unless security-team@ advises differently. I can submit immediately, sle10 can be done in one hour.
Comment 16 Michal Kubeček 2011-08-31 06:07:25 UTC
Note: a regression caused by the patch has been reported at

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825

but without more details one cannot say whether this is really a bug in the Apache fix or a bug in the client.
Comment 21 Roman Drahtmueller 2011-08-31 08:26:10 UTC
The regression is likely to appear where video files are served and the player skips to the next i-frame upon transfer loss. This is VERY uncomfortable for a fix.
Comment 22 Michal Kubeček 2011-08-31 08:42:22 UTC
But this would be a new HTTP request with only one range, wouldn't it?
Comment 25 Anders Johansson 2011-08-31 09:23:12 UTC
Adding Dmitry to cc. because of bug 714961
Comment 27 Marcus Meissner 2011-08-31 11:20:29 UTC
apache has released, so let's go with updates:
https://www.apache.org/dist/httpd/Announcement2.2.html
Comment 29 Michal Kubeček 2011-08-31 11:22:06 UTC
Created attachment 448629 [details]
patch for SLES 10 (httpd 2.2.3)

The patch had to be adjusted a bit for version 2.2.3 due to the missing upstream commit 589616.
Comment 30 Roman Drahtmueller 2011-08-31 11:29:04 UTC
(In reply to comment #27)
> apache has released, so let's go with updates:
> https://www.apache.org/dist/httpd/Announcement2.2.html

Investigating the changes they made... Working on the packages.
Comment 34 Swamp Workflow Management 2011-08-31 14:27:32 UTC
The SWAMPID for this issue is 42959.
This issue was rated as important.
Please submit fixed packages until 2011-09-07.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 36 Roman Drahtmueller 2011-08-31 18:42:14 UTC
submissions are complete. sle11-sp1,2, sle10-sp4 with identical submission to sp3, 11.3 and 11.4 in obs.

Reassigning to security-team@suse.de for further tracking, leaving NEEDINFO intact.
Comment 37 Bernhard Wiedemann 2011-08-31 19:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (713966) was mentioned in
https://build.opensuse.org/request/show/80441 11.4 / apache2
https://build.opensuse.org/request/show/80442 11.3 / apache2
https://build.opensuse.org/request/show/80443 11.4 / apache2
Comment 38 Marcus Meissner 2011-09-01 08:31:30 UTC
make public.
Comment 39 Marcus Meissner 2011-09-01 08:31:46 UTC
*** Bug 715372 has been marked as a duplicate of this bug. ***
Comment 43 Swamp Workflow Management 2011-09-02 12:12:16 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 44 Marcus Meissner 2011-09-02 15:01:42 UTC
QA is still taking time for SLES.

So SLES updates will not released today, but likely Monday.
Comment 45 Swamp Workflow Management 2011-09-06 01:32:54 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 46 Swamp Workflow Management 2011-09-06 05:05:30 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 47 Swamp Workflow Management 2011-09-06 12:11:18 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 48 Marcus Meissner 2011-09-06 12:56:24 UTC
we have released updates.

can the needinfo ajohannsson be removed and this bug resolved/fixed now?
Comment 49 Anders Johansson 2011-09-06 13:04:53 UTC
I'd say so, yes. We can close the L3
Comment 50 Michal Kubeček 2011-09-06 13:18:29 UTC
Thank you. Closing L3:36118 and setting bug status to RESOLVED/FIXED.
Comment 53 Marcus Meissner 2011-09-08 11:51:32 UTC
2.0 is also affected.

This also qualifies for a LTSS update, (SLES 9 SP4 LTSS and SLES 10 SP2 LTSS)
Comment 54 Marcus Meissner 2011-09-08 11:56:34 UTC
bug 716634 is the public-facing bug for this, as this bug cannot be.
Comment 56 Swamp Workflow Management 2011-09-09 09:32:30 UTC
The SWAMPID for this issue is 43133.
This issue was rated as important.
Please submit fixed packages until 2011-09-16.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 58 Marcus Meissner 2011-09-09 16:26:06 UTC
2.2.21 is being queued for Monday with some additional fixes according to httpd-dev.

Lets see what it brings. :/
Comment 60 Roman Drahtmueller 2011-09-13 23:33:31 UTC
packages submitted to sle11-sp2:ga (2.2.12), sle11-sp1 (2.2.10), sle10-sp4,3,2 (identical package), 11.3 and 11.4 in obs.

reassigning to security-team@ for further handling.
Dankeschön!
Comment 61 Roman Drahtmueller 2011-09-19 10:16:34 UTC
repeated: packages submitted, this time with the MaxRanges directive backport from 2.2.21. This change does not necessarily qualify for a new run of updates for already released packages according to comment #59 - the regression is very unlikely to trigger at all. I vote for the inclusion of this update with the MaxRanges directive at the next occasion.

I'm unclear which packages (which products) have not been released. LTSS for SLE10 is a candidate.
Comment 62 Marcus Meissner 2011-09-19 11:24:08 UTC
not released yet:

sles10 sp2 ltss (2.2 based) (already in QA)
as you respun the patch, should we respin this update again?

sles9 sp4 ltss (2.0 based)
sles9 sp3 teradata  (2.0 based)
Comment 63 Roman Drahtmueller 2011-09-19 11:31:00 UTC
re: sles10-sp2: If it's not in testing, and if the update is not urgently requested by an LTSS customer, I'd suggest restarting.
If a customer is requesting it, we could attempt to re-order the qa-queue to at least the last position.

confirmed sles9 packages (2.0 based) are NOT ready.
Comment 68 Michal Kubeček 2011-10-07 10:08:54 UTC
Created attachment 455028 [details]
patch for 2.0.x branch

upstream SVN revision 1167184 from 2.0.x branch
Comment 69 Michal Kubeček 2011-10-07 10:10:38 UTC
Created attachment 455029 [details]
patch for backward compatible handling of the "0-" case

upstream SVN 1177080 adjusted for 2.0.x by Jim Jagielski
Comment 78 Swamp Workflow Management 2011-11-03 15:24:41 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 79 Swamp Workflow Management 2011-11-04 04:16:36 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 80 Swamp Workflow Management 2011-11-04 04:40:45 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)
Comment 81 Swamp Workflow Management 2011-11-09 14:54:17 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 83 Swamp Workflow Management 2011-12-09 15:02:18 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 85 Swamp Workflow Management 2011-12-16 10:20:59 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 86 Swamp Workflow Management 2011-12-28 16:20:51 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)