CVE-2008-2364 Apache2 mod_proxy_http.c DOS

Bug #239894 reported by Emanuele Gentili
Affects           Status        Importance  Assigned to       Milestone
apache2 (Ubuntu)  Fix Released  Low         Emanuele Gentili
Dapper            Fix Released  Low         Marc Deslauriers
Feisty            Won't Fix     Low         Emanuele Gentili
Gutsy             Fix Released  Low         Marc Deslauriers
Hardy             Fix Released  Low         Marc Deslauriers
Intrepid          Fix Released  Low         Emanuele Gentili

Bug Description

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
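
The missing bound described above, shown as an added example that is not part of the original report and is neither Apache's code nor the Ubuntu patch: a reader for a backend response stream that stops after a fixed number of 1xx interim responses instead of relaying them indefinitely. The names read_backend_response, proxy_result and MAX_INTERIM, and the limit of 10, are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_INTERIM 10            /* assumed limit, chosen for this example */
#define ERR_TOO_MANY_INTERIM (-1) /* a proxy would answer the client with 502 */
#define ERR_MALFORMED (-2)

/* Walk a backend byte stream: zero or more 1xx interim responses, then a final
 * response. Returns the final status or a negative error; *forwarded counts
 * the interim responses that would have been relayed to the client. */
int read_backend_response(const char *p, int *forwarded)
{
    int minor, status;
    *forwarded = 0;
    for (;;) {
        if (sscanf(p, "HTTP/1.%1d %3d", &minor, &status) != 2 || status < 100)
            return ERR_MALFORMED;
        if (status >= 200)
            return status;                /* final response: stop reading */
        if (*forwarded >= MAX_INTERIM)
            return ERR_TOO_MANY_INTERIM;  /* the bound the vulnerable loop lacked */
        (*forwarded)++;
        if ((p = strstr(p, "\r\n\r\n")) == NULL) /* 1xx has no body: skip headers */
            return ERR_MALFORMED;
        p += 4;
    }
}

/* Constructed sample input: n "100 Continue" responses followed by a 200. */
int proxy_result(int n_interim, int *forwarded)
{
    static const char interim[] = "HTTP/1.1 100 Continue\r\n\r\n";
    static const char last[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
    size_t il = sizeof interim - 1;
    char *buf = malloc(il * (size_t)n_interim + sizeof last);
    if (buf == NULL) return ERR_MALFORMED;
    for (int i = 0; i < n_interim; i++)
        memcpy(buf + il * (size_t)i, interim, il);
    memcpy(buf + il * (size_t)n_interim, last, sizeof last); /* copies the NUL */
    int rc = read_backend_response(buf, forwarded);
    free(buf);
    return rc;
}

int main(void)
{
    int fwd, rc = proxy_result(100000, &fwd);
    printf("rc=%d forwarded=%d\n", rc, fwd);
    return 0;
}
```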

Changed in apache2:
assignee: nobody → emgent
importance: Undecided → High
status: New → Confirmed
Emanuele Gentili (emgent) wrote :

Intrepid fix is available from upstream and works fine to solve the problem.

Actually, the build failed:
libaprutil1-dev: Depends: libdb4.6-dev but it is not installable

more info:
https://edge.launchpad.net/ubuntu/intrepid/i386/libdb4.6-dev

(I will attach it later)

Changed in apache2:
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

@Pitti: can you write here when you solve the libdb4.6-dev problem in intrepid?

Emanuele Gentili (emgent) wrote :

According to CVE/upstream, the dapper apache2 version is not affected.

ent@amnistia:~$ rmadison apache2
   apache2 | 2.0.55-4ubuntu2 | dapper | source, amd64, i386, powerpc
   apache2 | 2.0.55-4ubuntu2.3 | dapper-security | source, amd64, i386, powerpc
   apache2 | 2.0.55-4ubuntu2.3 | dapper-updates | source, amd64, i386, powerpc
   apache2 | 2.2.3-3.2build1 | feisty | source, all
   apache2 | 2.2.3-3.2ubuntu2.1 | feisty-security | source, all
   apache2 | 2.2.3-3.2ubuntu2.1 | feisty-updates | source, all
   apache2 | 2.2.4-3build1 | gutsy | source, all
   apache2 | 2.2.4-3ubuntu0.1 | gutsy-security | source, all
   apache2 | 2.2.4-3ubuntu0.1 | gutsy-updates | source, all
   apache2 | 2.2.8-1 | hardy | source, all
   apache2 | 2.2.8-1ubuntu0.2 | hardy-updates | source, all
   apache2 | 2.2.8-4ubuntu2 | intrepid | source, all

Michael Bienia (geser) wrote :

libdb4.6-dev (source: db4.6) is in intrepid again (and should appear soon on the archive).

Stefan Fritsch (sf-sfritsch) wrote :

fixed in 2.2.9, which has been uploaded to Debian

Changed in apache2:
importance: Undecided → High
status: New → In Progress
Martin Pitt (pitti) wrote :

Packages should build-depend on libdb-dev, not a specific version. The new standard db version in Intrepid is 4.7, we shouldn't proliferate 4.6.

Emanuele Gentili (emgent) wrote :

Security issue in Intrepid Ibex fixed by Chuck Short with Debian Merge.

Changed in apache2:
assignee: nobody → emgent
Kees Cook (kees)
Changed in apache2:
status: In Progress → Fix Released
Kees Cook (kees) wrote :

Based on the CVE, apache2 in Dapper *is* vulnerable, but the backporting of this fix isn't trivial. Emgent, can you describe your testing environment? That would help in testing the Dapper backport.

Changed in apache2:
status: New → Confirmed
Kees Cook (kees) wrote :

Upstream has no plans to backport the fix due to how unlikely the situation is.

Emanuele Gentili (emgent) wrote :

Upstream fix for apache 2.0.X.

http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt

I will complete the dapper fix and tests tomorrow.

E.

Changed in apache2:
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → emgent
LumpyCustard (orangelumpycustard) wrote :

Please could someone mark this as Won't Fix for Feisty?

Martin Pitt (pitti)
Changed in apache2:
status: In Progress → Won't Fix
Kees Cook (kees)
Changed in apache2:
importance: High → Low
Kees Cook (kees)
Changed in apache2:
status: Fix Released → New
status: New → In Progress
status: In Progress → Fix Released
Kees Cook (kees)
Changed in apache2:
assignee: emgent → mdeslaur
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.4-3ubuntu0.2

---------------
apache2 (2.2.4-3ubuntu0.2) gutsy-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE:
   + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
    - The ap_proxy_http_process_response function in mod_proxy_http.c
      in the mod_proxy module does not limit the number of forwarded
      interim responses, which allows remote HTTP servers to cause a
      denial of service (memory consumption) via a large number of
      interim responses.
   + References
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

  [ Marc Deslauriers ]
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
    Entity Too Large" error message
    - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
      messages in modules/http/http_protocol.c.
    - CVE-2007-6203
  * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
    mod_proxy_balancer
    - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2007-6420
  * SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
    function (LP: #224945)
    - debian/patches/109_CVE-2008-1678.dpatch: don't call
      CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
    - CVE-2008-1678
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
    URLs
    - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
      modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2008-2168
  * SECURITY UPDATE: Denial of service via large number of interim responses in
    mod_proxy module (LP: #239894)
    - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
    - CVE-2008-2364
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
    mod_proxy_ftp module
    - debian/patches/112_CVE-2008-2939.dpatch: escape the html
      contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
    - CVE-2008-2939

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2009 15:54:32 -0500

Changed in apache2:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.4

---------------
apache2 (2.2.8-1ubuntu0.4) hardy-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE:
   + debian/patches/201_security_CVE-2008-2364.dpatch (LP: #239894)
    - The ap_proxy_http_process_response function in mod_proxy_http.c
      in the mod_proxy module does not limit the number of forwarded
      interim responses, which allows remote HTTP servers to cause a
      denial of service (memory consumption) via a large number of
      interim responses.
   + References
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

  [ Marc Deslauriers ]
  * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
    mod_proxy_balancer
    - debian/patches/200_security_CVE-2007-6420.dpatch: generate and validate a
      nonce in modules/proxy/mod_proxy_balancer.c.
    - CVE-2007-6420
  * SECURITY UPDATE: Denial of service via large number of interim responses in
    mod_proxy module (LP: #239894)
    - debian/patches/201_security_CVE-2008-2364.dpatch: updated patch to newer
      version.
    - CVE-2008-2364
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
    mod_proxy_ftp module
    - debian/patches/202_security_CVE-2008-2939.dpatch: escape the html
      contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
    - CVE-2008-2939

 -- Marc Deslauriers <email address hidden> Thu, 05 Mar 2009 17:20:17 -0500

Changed in apache2:
status: Fix Committed → Fix Released