[Bug 837991] Re: Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

Dave Walker davewalker at ubuntu.com
Tue Sep 6 17:46:32 UTC 2011


** Also affects: apache2 (Ubuntu Oneiric)
   Importance: High
       Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/837991

Title:
  Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

Status in “apache2” package in Ubuntu:
  Fix Released
Status in “apache2” source package in Oneiric:
  Fix Released

Bug description:
  CVE-2011-3192 relates to an exploit in Apache that could cause Denial
  of Service through use of excess range headers.

  Debian has released an update that fixes this problem (apache2
  2.2.19-2) - http://security-tracker.debian.org/tracker/CVE-2011-3192

  Debian version 2.2.20-1 includes the upstream fix for CVE-2011-3192 as
  well as a fix for a regression introduced by that fix
  (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825). Both
  2.2.19-2 and 2.2.20-1 are bugfix-only releases:

  +apache2 (2.2.20-1) unstable; urgency=low
  +
  +  * New upstream release.
  +  * Fix some regressions related to Range requests caused by the CVE-2011-3192
  +    fix. Closes: #639825
  +  * Add build-arch and build-indep rules targets to make Lintian happy.
  +  * Bump Standards-Version (no changes).
  +
  + -- Stefan Fritsch <sf at debian.org>  Sun, 04 Sep 2011 21:50:22 +0200
  +
  +apache2 (2.2.19-2) unstable; urgency=high
  +
  +  * Fix CVE-2011-3192: DoS by high memory usage for a large number of
  +    overlapping ranges.
  +  * Reduce default KeepAliveTimeout from 15 to 5 seconds.
  +  * Use "linux-any" in build-deps. Closes: #634709
  +  * Improve reload message of a2enmod. Closes: #639291
  +  * Improve description of the prefork MPM. Closes: #634242
  +  * Mention .conf files in a2enmod man page. Closes: #634834
  +
  + -- Stefan Fritsch <sf at debian.org>  Mon, 29 Aug 2011 17:08:17 +0200

  and the upstream revision 2.2.20 is a bugfix only release as well,
  see: http://www.apache.org/dist/httpd/CHANGES_2.2.20

  There is one user (sysadmin) visible change in 2.2.19-2 to the a2enmod
  command's output:

  -info("To to activate the new configuration, you need to run:\n /etc/init.d/apache2 $reload\n")                                         
  +info("To activate the new configuration, you need to run:\n  service apache2 $reload\n")

  I've verified that the output string does not show up in the current
  version of the Ubuntu Server Guide, and contacted the person working
  on the apache portion of the Ubuntu Server Guide according to
  http://pad.ubuntu.com/serverguide , Gary Roberts
  (https://launchpad.net/~ag1t) and confirmed that this change does not
  interfere with his intended updates.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+subscriptions
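Added example, not code from the bug report or from the Debian or Apache packages: a Python check that parses a `Range: bytes=...` header, coalesces overlapping or adjacent ranges so each byte is buffered once, and caps the number of range specs, which is the exposure CVE-2011-3192 abuses. `MAX_RANGES`, the function names and the sample inputs in the comments are assumptions; the page does not state what cap the upstream fix applies.

```python
import re

MAX_RANGES = 200  # assumed policy cap for this example, not taken from the page
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header_value, content_length):
    """Parse 'bytes=a-b,c-,-n,...' into absolute (start, end) pairs; None if malformed."""
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None
        if first == "":                      # suffix range "-n": last n bytes
            start = max(content_length - int(last), 0)
            end = content_length - 1
        else:
            start = int(first)
            end = min(int(last), content_length - 1) if last else content_length - 1
        if start <= end:                     # unsatisfiable ranges ('-0', start past EOF) are dropped
            ranges.append((start, end))
    return ranges

def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges: many overlapping specs collapse to few."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess_range_header(header_value, content_length, max_ranges=MAX_RANGES):
    """Return 'ignore' (malformed or nothing satisfiable: answer with the full body),
    'reject' (more than max_ranges specs), or 'serve' with the merged range list."""
    ranges = parse_byte_ranges(header_value, content_length)
    if not ranges:
        return "ignore", []
    if len(ranges) > max_ranges:
        return "reject", []
    return "serve", merge_ranges(ranges)
```

The raw count versus the merged count is the useful detection signal: a request whose hundreds of specs merge down to one or two ranges is the pattern the fix targets.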
