[Bug 837991] Re: Update apache2 to 2.2.19-2 to fix CVE-2011-3192
Steve Beattie
sbeattie at ubuntu.com
Tue Sep 6 17:41:49 UTC 2011
Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to
do this via bzr due to bug 842144). I've verified that the package
builds on i386 and amd64 and ran the lp:qa-regression-testing tests
against that package, and confirmed that no regressions occur.
** Description changed:
CVE-2011-3192 relates to an exploit in Apache that could cause Denial of
Service through use of excess range headers.
Debian has released an update that fixes this problem (apache2 2.2.19-2)
- http://security-tracker.debian.org/tracker/CVE-2011-3192
+
+ Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as
+ well as a fix for a regression introduced by that fix
+ (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825). Both 2.2.19-2
+ and 2.2.20-1 are bugfix-only releases:
+
+ +apache2 (2.2.20-1) unstable; urgency=low
+ +
+ + * New upstream release.
+ + * Fix some regressions related to Range requests caused by the CVE-2011-3192
+ + fix. Closes: #639825
+ + * Add build-arch and build-indep rules targets to make Lintian happy.
+ + * Bump Standards-Version (no changes).
+ +
+ + -- Stefan Fritsch <sf at debian.org> Sun, 04 Sep 2011 21:50:22 +0200
+ +
+ +apache2 (2.2.19-2) unstable; urgency=high
+ +
+ + * Fix CVE-2011-3192: DoS by high memory usage for a large number of
+ + overlapping ranges.
+ + * Reduce default KeepAliveTimeout from 15 to 5 seconds.
+ + * Use "linux-any" in build-deps. Closes: #634709
+ + * Improve reload message of a2enmod. Closes: #639291
+ + * Improve description of the prefork MPM. Closes: #634242
+ + * Mention .conf files in a2enmod man page. Closes: #634834
+ +
+ + -- Stefan Fritsch <sf at debian.org> Mon, 29 Aug 2011 17:08:17 +0200
+
+ and the upstream revision 2.2.20 is a bugfix-only release as well, see:
+ http://www.apache.org/dist/httpd/CHANGES_2.2.20
+
+ There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod
+ command's output:
+
+ -info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")
+ +info("To activate the new configuration, you need to run:\n service apache2 $reload\n")
+
+ I've verified that the output string does not show up in the current
+ version of the Ubuntu Server Guide, and contacted the person working on
+ the apache portion of the Ubuntu Server Guide according to
+ http://pad.ubuntu.com/serverguide, Gary Roberts
+ (https://launchpad.net/~ag1t) and confirmed that this change does not
+ interfere with his intended updates.
** Summary changed:
- Update apache2 to 2.2.19-2 to fix CVE-2011-3192
+ Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions
** Patch added: "apache2_2.2.20-1ubuntu1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362702/+files/apache2_2.2.20-1ubuntu1.debdiff
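As an added illustration (not code from this bug report, from Debian or from Apache), here is a defender-side check that parses a Range header as RFC 2616 describes and flags the request shape behind CVE-2011-3192: a large number of ranges, or ranges that overlap. The sample header values and the max_ranges threshold are constructed assumptions for the example, not Apache settings.

```python
import re
# Constructed sample Range headers (not from the bug report): a normal request,
# many overlapping ranges as abused in CVE-2011-3192, and an invalid header.
SAMPLE_HEADERS = {
    "normal": "bytes=0-499,1000-1499",
    "overlapping": "bytes=" + ",".join(f"{i}-{i + 1000}" for i in range(20)),
    "malformed": "bytes=abc",
}
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header, content_length):
    """Parse an RFC 2616 byte-range set into absolute (first, last) pairs;
    None means syntactically invalid, which a server treats as no Range."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix range "-N" means the last N bytes
            lo, hi = max(content_length - int(last), 0), content_length - 1
        else:
            lo = int(first)
            hi = content_length - 1 if last == "" else int(last)
            if lo > hi:  # first-byte-pos > last-byte-pos is invalid
                return None
        if lo < content_length:  # unsatisfiable ranges are dropped, not errors
            ranges.append((lo, min(hi, content_length - 1)))
    return ranges

def count_overlapping(ranges):
    """Count ranges that overlap an earlier one, via a sorted sweep."""
    covered_end, overlaps = -1, 0
    for first, last in sorted(ranges):
        if first <= covered_end:
            overlaps += 1
        covered_end = max(covered_end, last)
    return overlaps

def assess_range_request(header, content_length, max_ranges=5):
    """Verdict for one request; max_ranges is an assumed threshold, not an Apache directive."""
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return "invalid-ignored"
    if len(ranges) > max_ranges or count_overlapping(ranges) > 0:
        return "reject"
    return "allow"
```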
https://bugs.launchpad.net/bugs/837991