Bug 713966 - (CVE-2011-3192) VUL-0: CVE-2011-3192: apache2: remote denial of service
Status: RESOLVED FIXED
Duplicates: 714306 715372
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: wasL3:36118 maint:released:11.3:42977...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Blocks: 726139 718106 732051
Reported: 2011-08-24 10:53 UTC by Matthias Weckbecker
Modified: 2016-06-08 20:33 UTC (History)


Attachments:

  * patch from Michal's home prj (20.70 KB, patch), 2011-08-30 14:10 UTC, Roman Drahtmueller
  * patch for SLES 10 (httpd 2.2.3) (19.85 KB, patch), 2011-08-31 11:22 UTC, Michal Kubeček
  * patch for 2.0.x branch (19.86 KB, patch), 2011-10-07 10:08 UTC, Michal Kubeček
  * patch for backward compatible handling of the "0-" case (1.41 KB, patch), 2011-10-07 10:10 UTC, Michal Kubeček

Description Matthias Weckbecker 2011-08-24 10:53:12 UTC
There was a posting on full-disclosure recently about an apache2 remote denial of service vulnerability, see:

  * http://marc.info/?t=131379269200002&r=1&w=2
  * http://marc.info/?t=131409787700005&r=1&w=2

At least a SLE-11-SP1 with its newest version of apache2 is affected.
Comment 2 Matthias Weckbecker 2011-08-24 11:17:28 UTC
temporary workaround:

# a2enmod rewrite

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Verified to be working.
Comment 3 Marcus Rückert 2011-08-24 11:23:25 UTC
two other workarounds:

RequestHeader unset Range

(from http://seclists.org/fulldisclosure/2011/Aug/253)

or

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

(from http://seclists.org/fulldisclosure/2011/Aug/241)
Comment 5 Matthias Weckbecker 2011-08-26 13:45:07 UTC
*** Bug 714306 has been marked as a duplicate of this bug. ***
Comment 6 Dirk Mueller 2011-08-27 08:16:58 UTC
It looks like the flurry of commits has stopped meanwhile:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=log&sortby=date

possibly final patch: svn diff -r1135172:HEAD http://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/http/byterange_filter.c
Comment 7 Dirk Mueller 2011-08-27 09:36:31 UTC
fixed in home:dirkmueller:branches:Apache/apache2
Comment 9 Michal Kubeček 2011-08-30 13:57:52 UTC
There were some more changes later and the Apache developers decided to use only part of the trunk fix for the 2.2.x branch. I've prepared a package for Evergreen with what is likely to get into 2.2.20 in the (external) OBS project home:mkubecek:branches:openSUSE:Evergreen:11.1:Test but didn't have time to test it yet.
Comment 11 Roman Drahtmueller 2011-08-30 14:10:12 UTC
Created attachment 448420 [details]
patch from Michal's home prj
Comment 12 Michal Kubeček 2011-08-30 14:16:56 UTC
The patch is a diff from SVN branch 2.2.x

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c?view=log

between revisions 916627 and 1162885 (with a small modification because the apr_brigade_destroy->apr_brigade_cleanup change from revision 916627 isn't present in the last openSUSE 11.1 update).
Comment 13 Roman Drahtmueller 2011-08-30 15:05:01 UTC
ack. ibs home:draht:branches:SUSE:SLE-11-SP2:GA/apache2 has the patch.

I'd like to wait until at least tomorrow to see whether the Apache upstream developers recommend a specific patch, even though the one in the package above appears to work cleanly.

Unless security-team@ advises differently, I can submit immediately; sle10 can be done in one hour.
Comment 16 Michal Kubeček 2011-08-31 06:07:25 UTC
Note: a regression caused by the patch has been reported at

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825

but without more details one cannot say whether this is really a bug in the Apache fix or a bug in the client.
Comment 21 Roman Drahtmueller 2011-08-31 08:26:10 UTC
The regression is likely to appear where video files are served and the player skips to the next i-frame upon transfer loss. This is VERY uncomfortable for a fix.
Comment 22 Michal Kubeček 2011-08-31 08:42:22 UTC
But this would be a new HTTP request with only one range, wouldn't it?
Comment 25 Anders Johansson 2011-08-31 09:23:12 UTC
Adding Dmitry to CC because of bug 714961.
Comment 27 Marcus Meissner 2011-08-31 11:20:29 UTC
Apache has released, so let's go with updates:
https://www.apache.org/dist/httpd/Announcement2.2.html
Comment 29 Michal Kubeček 2011-08-31 11:22:06 UTC
Created attachment 448629 [details]
patch for SLES 10 (httpd 2.2.3)

Patch had to be adjusted a bit for version 2.2.3 due to missing upstream commit 589616.
Comment 30 Roman Drahtmueller 2011-08-31 11:29:04 UTC
(In reply to comment #27)
> Apache has released, so let's go with updates:
> https://www.apache.org/dist/httpd/Announcement2.2.html

Investigating the changes they made... Working on the packages.
Comment 34 Swamp Workflow Management 2011-08-31 14:27:32 UTC
The SWAMPID for this issue is 42959.
This issue was rated as important.
Please submit fixed packages until 2011-09-07.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 36 Roman Drahtmueller 2011-08-31 18:42:14 UTC
Submissions are complete: sle11-sp1,2, sle10-sp4 with identical submission to sp3, 11.3 and 11.4 in OBS.

Reassigning to security-team@suse.de for further tracking, leaving NEEDINFO intact.
Comment 37 Bernhard Wiedemann 2011-08-31 19:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (713966) was mentioned in
https://build.opensuse.org/request/show/80441 11.4 / apache2
https://build.opensuse.org/request/show/80442 11.3 / apache2
https://build.opensuse.org/request/show/80443 11.4 / apache2
Comment 38 Marcus Meissner 2011-09-01 08:31:30 UTC
make public.
Comment 39 Marcus Meissner 2011-09-01 08:31:46 UTC
*** Bug 715372 has been marked as a duplicate of this bug. ***
Comment 43 Swamp Workflow Management 2011-09-02 12:12:16 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 44 Marcus Meissner 2011-09-02 15:01:42 UTC
QA is still taking time for SLES.

So SLES updates will not be released today, but likely Monday.
Comment 45 Swamp Workflow Management 2011-09-06 01:32:54 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 46 Swamp Workflow Management 2011-09-06 05:05:30 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 47 Swamp Workflow Management 2011-09-06 12:11:18 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 48 Marcus Meissner 2011-09-06 12:56:24 UTC
we have released updates.

Can the NEEDINFO on ajohannsson be removed and this bug be resolved/fixed now?
Comment 49 Anders Johansson 2011-09-06 13:04:53 UTC
I'd say so, yes. We can close the L3
Comment 50 Michal Kubeček 2011-09-06 13:18:29 UTC
Thank you. Closing L3:36118 and setting bug status to RESOLVED/FIXED.
Comment 53 Marcus Meissner 2011-09-08 11:51:32 UTC
2.0 is also affected.

This also qualifies for a LTSS update, (SLES 9 SP4 LTSS and SLES 10 SP2 LTSS)
Comment 54 Marcus Meissner 2011-09-08 11:56:34 UTC
Bug 716634 is the public-facing bug for this, as this bug is not able to be it.
Comment 56 Swamp Workflow Management 2011-09-09 09:32:30 UTC
The SWAMPID for this issue is 43133.
This issue was rated as important.
Please submit fixed packages until 2011-09-16.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 58 Marcus Meissner 2011-09-09 16:26:06 UTC
2.2.21 is being queued for Monday with some additional fixes according to httpd-dev.

Let's see what it brings. :/
Comment 60 Roman Drahtmueller 2011-09-13 23:33:31 UTC
packages submitted to sle11-sp2:ga (2.2.12), sle11-sp1 (2.2.10), sle10-sp4,3,2 (identical package), 11.3 and 11.4 in obs.

reassigning to security-team@ for further handling.
Dankeschön!
Comment 61 Roman Drahtmueller 2011-09-19 10:16:34 UTC
Repeated: packages submitted, this time with the MaxRanges directive backport from 2.2.21. This change does not necessarily qualify for a new run of updates for already released packages according to comment #59; the regression is very unlikely to trigger at all. I vote for the inclusion of this update with the MaxRanges directive for the next occasion.

I'm unclear which packages (which products) have not been released. LTSS for SLE10 is a candidate.
Comment 62 Marcus Meissner 2011-09-19 11:24:08 UTC
not released yet:

sles10 sp2 ltss (2.2 based) (already in QA)
As you respun the patch, should we respin this update again?

sles9 sp4 ltss (2.0 based)
sles9 sp3 teradata  (2.0 based)
Comment 63 Roman Drahtmueller 2011-09-19 11:31:00 UTC
re: sles10-sp2: If it's not in testing, and if the update is not urgently requested by an LTSS customer, I'd suggest restarting.
If a customer is requesting it, we could attempt to re-order the qa-queue to at least the last position.

confirmed sles9 packages (2.0 based) are NOT ready.
Comment 68 Michal Kubeček 2011-10-07 10:08:54 UTC
Created attachment 455028 [details]
patch for 2.0.x branch

upstream SVN revision 1167184 from 2.0.x branch
Comment 69 Michal Kubeček 2011-10-07 10:10:38 UTC
Created attachment 455029 [details]
patch for backward compatible handling of the "0-" case

upstream SVN 1177080 adjusted for 2.0.x by Jim Jagielski
Comment 78 Swamp Workflow Management 2011-11-03 15:24:41 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 79 Swamp Workflow Management 2011-11-04 04:16:36 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 80 Swamp Workflow Management 2011-11-04 04:40:45 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)
Comment 81 Swamp Workflow Management 2011-11-09 14:54:17 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 83 Swamp Workflow Management 2011-12-09 15:02:18 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 85 Swamp Workflow Management 2011-12-16 10:20:59 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 86 Swamp Workflow Management 2011-12-28 16:20:51 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)