Bugzilla – Bug 713966
VUL-0: CVE-2011-3192: apache2: remote denial of service
Last modified: 2016-06-08 20:33:30 UTC
There was a posting on full-disclosure recently about an apache2 remote denial of service vulnerability, see:
* http://marc.info/?t=131379269200002&r=1&w=2
* http://marc.info/?t=131409787700005&r=1&w=2
At least SLE-11-SP1 with its newest version of apache2 is affected.
Temporary workaround:
# a2enmod rewrite
RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
Verified to be working.
Two other workarounds:
RequestHeader unset Range
(from http://seclists.org/fulldisclosure/2011/Aug/253)
or
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]
(from http://seclists.org/fulldisclosure/2011/Aug/241)
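As an added example (not from the bug report, the workaround posts or httpd itself), the following Python puts the two approaches side by side: the RewriteCond pattern from the second workaround, reused unchanged, which refuses any Range header carrying two or more byte ranges, and an illustrative server-side policy in the spirit of the later fixed httpd, which caps the number of ranges (httpd 2.2.21 introduced a MaxRanges directive with a default of 200) and ignores the header when the requested ranges overlap enough to add up to more than the resource itself. The cap, the decision labels, and the sample header, which is constructed in the shape of the public proof of concept rather than copied from it, are assumptions of this example.

```python
"""Screen HTTP Range headers for the overlapping-range pattern behind CVE-2011-3192.

Added example, not code from the bug or from httpd. Thresholds and labels are
assumptions chosen for illustration.
"""
import re

MAX_RANGES = 200  # assumption: same default as httpd 2.2.21's MaxRanges directive

# The RewriteCond pattern from the full-disclosure workaround, used unchanged.
WORKAROUND_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

_BYTE_RANGE = re.compile(r"^(\d*)-(\d*)$")


def matches_workaround_rule(header):
    """True if the mod_rewrite workaround would answer 403 for this Range value."""
    return header is not None and WORKAROUND_RE.search(header) is not None


def parse_ranges(header):
    """Return [(first, last), ...] for a 'bytes=' Range header, or None if absent/malformed.

    first or last is None for open-ended specs such as '500-' and '-500'.
    """
    if header is None or not header.strip().lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header.strip()[len("bytes="):].split(","):
        m = _BYTE_RANGE.match(spec.strip())
        if not m or (not m.group(1) and not m.group(2)):
            return None                      # '-' or garbage: ignore the whole header
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None                      # 'bytes=9-5' is syntactically invalid
        ranges.append((first, last))
    return ranges


def resolve(ranges, content_length):
    """Clip range specs to the resource, dropping unsatisfiable ones (RFC 2616 14.35.1)."""
    intervals = []
    for first, last in ranges:
        if first is None:                    # suffix range: the last `last` bytes
            if last == 0:
                continue
            intervals.append((max(content_length - last, 0), content_length - 1))
        elif first < content_length:
            end = content_length - 1 if last is None else min(last, content_length - 1)
            intervals.append((first, end))
    return intervals


def decide(header, content_length, max_ranges=MAX_RANGES):
    """Return 'full' (200, header ignored), 'partial' (206) or 'unsatisfiable' (416)."""
    ranges = parse_ranges(header)
    if ranges is None or len(ranges) > max_ranges:
        return "full"
    intervals = resolve(ranges, content_length)
    if not intervals:
        return "unsatisfiable"
    # Heavily overlapping ranges are what make the server buffer far more than
    # the resource size; if they sum to more than the resource, send it whole.
    if sum(end - start + 1 for start, end in intervals) > content_length:
        return "full"
    return "partial"


# Constructed input in the shape of the public proof of concept: one whole-file
# range followed by ~1300 overlapping ranges. Not the exact published payload.
SAMPLE_OVERLAPPING_HEADER = "bytes=0-," + ",".join("5-%d" % i for i in range(5, 1300))

if __name__ == "__main__":
    for h in ("bytes=0-499", "bytes=0-", "bytes=0-499,600-", SAMPLE_OVERLAPPING_HEADER):
        label = h if len(h) <= 22 else h[:22] + "..."
        print("%-25s workaround_403=%-5s policy=%s"
              % (label, matches_workaround_rule(h), decide(h, 1000)))
```

Running the module prints both verdicts for each sample. The comparison also shows the cost of the first workaround above: its pattern `bytes=0-.*` matches every Range header that starts with a range from byte 0, including a plain single-range resume such as `bytes=0-499`, whereas the regex-based rule and the policy check leave ordinary one- or few-range requests alone and only act on the many-overlapping-ranges case.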
*** Bug 714306 has been marked as a duplicate of this bug. ***
It looks like the flurry of commits has stopped in the meantime:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=log&sortby=date
Possibly the final patch:
svn diff -r1135172:HEAD http://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/http/byterange_filter.c
Fixed in home:dirkmueller:branches:Apache/apache2
There were some more changes later, and the Apache developers decided to use only part of the trunk fix for the 2.2.x branch. I've prepared a package for Evergreen with what is likely to get into 2.2.20 in the (external) OBS project home:mkubecek:branches:openSUSE:Evergreen:11.1:Test but didn't have time to test it yet.
Created attachment 448420 [details]: patch from Michal's home project
The patch is the diff from SVN branch 2.2.x (http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c?view=log) between revisions 916627 and 1162885 (with a small modification, because the apr_brigade_destroy -> apr_brigade_cleanup change from revision 916627 isn't present in the last openSUSE 11.1 update).
Ack. The IBS project home:draht:branches:SUSE:SLE-11-SP2:GA/apache2 has the patch. I'd like to wait until at least tomorrow to see if the Apache upstream developers recommend a specific patch, even though the one in the package above appears to work cleanly. Unless security-team@ advises differently. I can submit immediately; SLE10 can be done in one hour.
Note: a regression caused by the patch has been reported at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825 but without more details one cannot say whether this is really a bug in the Apache fix or a bug in the client.
The regression is likely to appear where video files are served and the player skips to the next i-frame upon transfer loss. This is VERY uncomfortable for a fix.
But this would be a new HTTP request with only one range, wouldn't it?
Adding Dmitry to CC because of bug 714961.
Apache has released, so let's go with updates: https://www.apache.org/dist/httpd/Announcement2.2.html
Created attachment 448629 [details]: patch for SLES 10 (httpd 2.2.3). The patch had to be adjusted a bit for version 2.2.3 due to the missing upstream commit 589616.
(In reply to comment #27)
> Apache has released, so let's go with updates:
> https://www.apache.org/dist/httpd/Announcement2.2.html
Investigating the changes they made... Working on the packages.
The SWAMPID for this issue is 42959. This issue was rated as important. Please submit fixed packages until 2011-09-07. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Submissions are complete: SLE11-SP1 and SP2, SLE10-SP4 (with an identical submission for SP3), and 11.3 and 11.4 in OBS. Reassigning to security-team@suse.de for further tracking, leaving NEEDINFO intact.
This is an autogenerated message for OBS integration: This bug (713966) was mentioned in
https://build.opensuse.org/request/show/80441 11.4 / apache2
https://build.opensuse.org/request/show/80442 11.3 / apache2
https://build.opensuse.org/request/show/80443 11.4 / apache2
Make public.
*** Bug 715372 has been marked as a duplicate of this bug. ***
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
QA is still taking time for SLES. So the SLES updates will not be released today, but likely Monday.
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SAP-APL 10-SP3 (x86_64) SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
We have released updates. Can the NEEDINFO for ajohannsson be removed and this bug resolved/fixed now?
I'd say so, yes. We can close the L3.
Thank you. Closing L3:36118 and setting bug status to RESOLVED/FIXED.
2.0 is also affected. This also qualifies for an LTSS update (SLES 9 SP4 LTSS and SLES 10 SP2 LTSS).
bug 716634 is the public facing bug for this, as this bug is not able to be it.
The SWAMPID for this issue is 43133. This issue was rated as important. Please submit fixed packages until 2011-09-16. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
2.2.21 is being queued for Monday with some additional fixes according to httpd-dev. Let's see what it brings. :/
Too bad. There is a regression fix in 2.2.21 vs 2.2.20. Links:
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=log&pathrev=1163985
https://svn.apache.org/viewvc?view=revision&revision=1163985
https://issues.apache.org/bugzilla/show_bug.cgi?id=51748
Complete sweep, redo from start.
Packages submitted to sle11-sp2:ga (2.2.12), sle11-sp1 (2.2.10), sle10-sp4, sp3 and sp2 (identical package), and 11.3 and 11.4 in OBS. Reassigning to security-team@ for further handling. Thanks a lot!
Repeated: packages submitted, this time with the MaxRanges directive backport from 2.2.21. This change does not necessarily qualify for a new run of updates for already released packages; according to comment #59, the regression is very unlikely to trigger at all. I vote for the inclusion of this update with the MaxRanges directive on the next occasion. I'm unclear which packages (which products) have not been released. LTSS for SLE10 is a candidate.
Not released yet:
* SLES10 SP2 LTSS (2.2 based), already in QA. As you respun the patch, should we respin this update again?
* SLES9 SP4 LTSS (2.0 based)
* SLES9 SP3 Teradata (2.0 based)
Re: SLES10-SP2: If it's not in testing, and if the update is not urgently requested by an LTSS customer, I'd suggest restarting. If a customer is requesting it, we could attempt to re-order the QA queue to at least the last position. Confirmed: the SLES9 packages (2.0 based) are NOT ready.
Created attachment 455028 [details]: patch for the 2.0.x branch. Upstream SVN revision 1167184 from the 2.0.x branch.
Created attachment 455029 [details]: patch for backward compatible handling of the "0-" case. Upstream SVN revision 1177080, adjusted for 2.0.x by Jim Jagielski.
Update released for: apache2, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-SP3-TERADATA (x86_64)