Bug#909591: marked as done (apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames)

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Bug#909591: marked as done (apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames)

Debian Bug Tracking System
Your message dated Sun, 04 Nov 2018 11:47:09 +0000
with message-id <[hidden email]>
and subject line Bug#909591: fixed in apache2 2.4.25-3+deb9u6
has caused the Debian Bug report #909591,
regarding apache2: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
909591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909591
Debian Bug Tracking System
Contact [hidden email] with problems

Source: apache2
Version: 2.4.25-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for apache2.

CVE-2018-11763[0]:
mod_http2, DoS via continuous SETTINGS frames

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
[1] https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Regards,
Salvatore

Source: apache2
Source-Version: 2.4.25-3+deb9u6

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <[hidden email]> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Nov 2018 19:46:19 +0100
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u6
Distribution: stretch
Urgency: medium
Maintainer: Debian Apache Maintainers <[hidden email]>
Changed-By: Stefan Fritsch <[hidden email]>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 902906 904106 909591
Changes:
 apache2 (2.4.25-3+deb9u6) stretch; urgency=medium
 .
   * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
   * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
     Closes: #909591
   * mod_proxy_fcgi: Fix segfault. Closes: #902906
Checksums-Sha1:
 c3590ec3ab4fb75affb8b238a711a5ce17ab27d9 2986 apache2_2.4.25-3+deb9u6.dsc
 ed7c894bcf537c64e69ae288a02977b7d6f6352a 790172 apache2_2.4.25-3+deb9u6.debian.tar.xz
 eeb4ed3ae730ad36c22eed16b8c1bbc057ebd5d5 1186420 apache2-bin_2.4.25-3+deb9u6_amd64.deb
 f8c7f84f2fa3e57dc5367738a976951b185af26c 162112 apache2-data_2.4.25-3+deb9u6_all.deb
 356bd128d69835a7dab11f9cab5a18e3f54b3b64 4017542 apache2-dbg_2.4.25-3+deb9u6_amd64.deb
 6f01daf4d7b79da8edfea8eccc6b7b018d5a261c 313942 apache2-dev_2.4.25-3+deb9u6_amd64.deb
 d8d7f824aef5eb4bd5a5c8be2d204686122ec2df 3770774 apache2-doc_2.4.25-3+deb9u6_all.deb
 4068de545c6fa1356e70a144062b6372b2313a50 2268 apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
 55ebadbf1dc57bfb400bec5a6768d790d3600966 155210 apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
 d0d29a6e4142c9749bbd5608bb64262eb3d9e76b 153732 apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
 c945f226d0b62fc36ac1f2f0cc1050534f456f4f 217058 apache2-utils_2.4.25-3+deb9u6_amd64.deb
 fb61405e424a0c0770fd7de0df872f7e74a0ae6e 10163 apache2_2.4.25-3+deb9u6_amd64.buildinfo
 1f45b6c2a344a0745f4fb267f4b0ca8bc7435b59 235974 apache2_2.4.25-3+deb9u6_amd64.deb
Checksums-Sha256:
 b0bc6bc5c1daf4d542e2016f36e3c19d1a839d73543c025f7bafa9920ab371b5 2986 apache2_2.4.25-3+deb9u6.dsc
 5fd9d307b0550e919ef03516e8fd0ce4366f20d2ffb349e6a0fd957dce853f3f 790172 apache2_2.4.25-3+deb9u6.debian.tar.xz
 26ff2bc1b0d7dbe5b08d71f23633c4f9decf980fcfd0aa348ecf41cfc709ad7b 1186420 apache2-bin_2.4.25-3+deb9u6_amd64.deb
 c947d3889d33cfbb4b1e7c64f703c979830f4d53061d2966c0925e5e565d608f 162112 apache2-data_2.4.25-3+deb9u6_all.deb
 4eb1c252b7efbb9f9d3254da546729a564f6eb5aa751662526347a776989b16e 4017542 apache2-dbg_2.4.25-3+deb9u6_amd64.deb
 b23d03dea9bcfa7c8f0f8534d193fa92837444e6d98d974d9858520707b52941 313942 apache2-dev_2.4.25-3+deb9u6_amd64.deb
 e87ecf4173d13aed62efce16521ac5f32ed5316f57ed7161470f5ccaa5b7a62f 3770774 apache2-doc_2.4.25-3+deb9u6_all.deb
 53c2b3fe58ed0f232574a437f25302c052f798e9a3eec3ac8d7b617fddb65b22 2268 apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
 8901fea6f314719cd975e854c077f342f45d5143fe57082f969906f8667f68b4 155210 apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
 305a64e1a1871ca1e430dc2e164dc34c91581015540e8de71b758d07b848cf90 153732 apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
 4c557dccd216f4c319a01b0d20e6315bd483999a1bbcca6488bd2e59990b046f 217058 apache2-utils_2.4.25-3+deb9u6_amd64.deb
 8bde42135512e310cc1de367ae9375bb4e39625f2bb36dd14aff03a85284a18a 10163 apache2_2.4.25-3+deb9u6_amd64.buildinfo
 42bbfcabaa49fcc458ec20569229adde1a8662aacd69b2e8107cfee69d5f9b59 235974 apache2_2.4.25-3+deb9u6_amd64.deb
Files:
 0d89b47aef7b19975ae8387cb7d323d3 2986 httpd optional apache2_2.4.25-3+deb9u6.dsc
 96fe0be15c776db7710d473acb7872b2 790172 httpd optional apache2_2.4.25-3+deb9u6.debian.tar.xz
 c36fee808ccdac5ec0cd2faae758bf14 1186420 httpd optional apache2-bin_2.4.25-3+deb9u6_amd64.deb
 dcfaef6cb1024be84c2f9be07b54fb4d 162112 httpd optional apache2-data_2.4.25-3+deb9u6_all.deb
 f0c4416e5244bab112201761a4f32d55 4017542 debug extra apache2-dbg_2.4.25-3+deb9u6_amd64.deb
 1a0ae2576a3ba6b9e72b5a1432c38eee 313942 httpd optional apache2-dev_2.4.25-3+deb9u6_amd64.deb
 7e6df0368dff1ee78c0232d8f9670262 3770774 doc optional apache2-doc_2.4.25-3+deb9u6_all.deb
 94e03d511df7909bcd92a7a03073149c 2268 httpd optional apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
 e159c61f9c7a050844852bc9ca056e77 155210 httpd extra apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
 4597c9c7e7733f8fd26712f57c125dfe 153732 httpd optional apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
 2d3ac31dd972cf078b5493167e149839 217058 httpd optional apache2-utils_2.4.25-3+deb9u6_amd64.deb
 8e16239cc29939450aa2af0cd22e2b9a 10163 httpd optional apache2_2.4.25-3+deb9u6_amd64.buildinfo
 7fed7d6f182385772fbba22e615dcba2 235974 httpd optional apache2_2.4.25-3+deb9u6_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlvd794ACgkQxodfNUHO
/eCtiw/+IHqUZt7sc/+RGQBeBbk8b7c9MSUJHhow+Eh03GIXbHZtY6gRqylH4tBA
EBcuLXpxbdevh8OiQhby9DCaqFmURZ434pd39EDgf2+mAPrwiIw93dkD1DBBSRvK
Z87/TaYRT7lI1CYPQBvyk4dZgKdrmAJfua5WXBCqLZNBknDgbq2dZ9M0OLbCsZSY
fdz96WVxhTopdug4Yu6T6nwmnFebsV90DtTQvdvPJdDumDoMp9docGx80ypkj/zE
fDJchBn2lb2x4m8+M8kcnlm/5+/yPyjMOd0Tlk3XdJxUQX6+/Dod/cqk4ooB+hdy
7pjgFqBkDBu0fSktMFe2nfedTM4PUqy1BXLb42u3a3/FWaoCNK4HXsN7vbUgQQcN
FagHrjJ1dk/GqWgoYKeE4DOsdStJxZLL7ueSvl8x49DcQnZHYEtem0DXDrRKICOD
bK45JpDFcO8gwaGQFNhcnwBS4tBKdLBbID+Zj4+KI9fLmPBOO7XJIWznYrM8aXh6
ePdhLKarksw4zUKYdFFVRDlAKLBcxo8hjS7SY82bwnMJ6AKGxwnj6myzhxNOGT7F
iVtFUKrruQ4j0lHQWEjhlPy11kWxcFGbV/4hADzOSyk0t8Ox4aGiHyC/dV45vfyj
TewDaFwqzBMbRGrfZLXY2H7ISQ2MRnPrbIZ7oZDTnpHetTUjekE=
=QKQK
-----END PGP SIGNATURE-----