consider a newer version of apache2 for lucid or backport some changes

Bug #551221 reported by Stefan Fritsch
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: apache2

Apache2 in an LTS release would greatly benefit from some recent changes in the Debian package:

In 2.2.14-6:
  * Add a hook to apache2.2-common's postrm script that may come in handy
    when upgrading to 2.4.

This may allow doing the 2.2 -> 2.4 upgrade in a cleaner way than the hack that was done for 2.0 -> 2.2 (which involved apache2.2-common deleting apache2-common's postrm script).

In 2.2.15:
    - mod_ssl: Add SSLInsecureRenegotiation directive to allow insecure
      renegotiation with clients which do not yet support the secure
      renegotiation protocol. As this requires openssl 0.9.8m, bump
      build dependency accordingly.

This allows an admin to configure how to treat clients that are vulnerable to CVE-2009-3555. Also, 2.2.15 has some improved protection for vulnerable clients.

In case you want to update to the most recent version despite the sizable changes, you should use 2.2.15-3, which has some important bug fixes over 2.2.15-2.

CVE References: CVE-2009-3555

Mathias Gug (mathiaz) wrote:

Thanks Stefan for the heads up about what's going on in Debian.

According to the Debian changelog 2.2.15 requires openssl 0.9.8m which is not available in lucid. I'm not sure we could update to this version of openssl in Lucid.

2.2.14-6 also introduces a bunch of new features which would require a Feature Freeze Exception.

Given where we are in the Lucid release cycle it seems the best option would be to backport the apache2.2-common postrm hook to the package in Lucid.

Changed in apache2 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote:

openssl 0.9.8m is not in lucid yet for compatibility reasons. It is pretty late in the dev cycle to update to 0.9.8m now. It would risk breaking renegotiation for servers that need it.

For that reason, I don't think pulling in apache 2.2.15 would be feasible at this time.

Stefan Fritsch (sf-sfritsch) wrote:

I am not sure how wise it is to make a release that is supported for 5 years and does not contain the fix for CVE-2009-3555 (unless you mean to add it later). Clients may change their behaviour and refuse to connect to insecure servers at some time in the future.

The "improved protection for vulnerable clients" I mentioned in my first post is already in 2.2.14-5, so just ignore that.

The postrm hook is not urgent but may be required for the update to the next LTS release. Maybe it would be enough to add it later in a point release.

Disclaimer: I don't know much about the Ubuntu release process.

Marc Deslauriers (mdeslaur) wrote:
Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released