Bug#941202: marked as done (apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager)


Debian Bug Tracking System
Your message dated Sat, 19 Oct 2019 12:32:08 +0000
with message-id <[hidden email]>
and subject line Bug#941202: fixed in apache2 2.4.38-3+deb10u2
has caused the Debian Bug report #941202,
regarding apache2: Fix for CVE-2019-10092 results in AH10187 when hitting balancer-manager
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
941202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941202
Debian Bug Tracking System
Contact [hidden email] with problems

Package: apache2
Version: 2.4.25-3+deb9u8
Severity: normal

Dear Maintainer,

The fix for CVE-2019-10092 results in the following error when attempting to access details of a member in a mod_proxy_balancer http balancer via the balancer-manager web page:

"[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] [client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68"

The net effect of this is an inability to dynamically change the status of members in the balancer via the balancer-manager.

Raised in Apache httpd-2 bug report 63688: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688

Committed upstream in r1865749: https://svn.apache.org/viewvc?view=revision&revision=1865749

-- Package-specific info:

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-11-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u8
ii  apache2-data         2.4.25-3+deb9u8
ii  apache2-utils        2.4.25-3+deb9u8
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
pn  ssl-cert  <none>

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1+deb9u1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2s-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u8
ii  apache2-bin  2.4.25-3+deb9u8

-- no debconf information
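The AH10187 line quoted above is the only trace an administrator gets when the balancer-manager's same-origin referer check drops the request parameters, and the same message appears whether the referer is the site's own balancer-manager page (the false positive in this report) or some other origin. The following Python script is an added example, not code from the bug report, from Debian or from Apache httpd: it parses Apache 2.4 error-log lines in the default ErrorLogFormat, picks out AH10187 events and groups them by referer origin so that rejections from the administrator's own hosts can be told apart from rejections with an unknown referer, and lists which (balancer, worker) status changes were discarded. The function names, the trusted-host list and every sample line except the one copied from the report are assumptions constructed for the example.

```python
"""Added example (not from the bug report, Debian or Apache httpd): triage
Apache 2.4 error_log lines for AH10187, the balancer-manager same-origin
referer rejection quoted in this report.  Function names, the trusted-host
list and every sample line except the first are constructed for the example."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Default Apache 2.4 ErrorLogFormat: "[%t] [%l] [pid %P:tid %T] [client %a] %M".
# ":tid" and "[client ...]" are not present on every line, so both are optional.
_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
# Message body: optional AHnnnnn code, free text, optional trailing referer.
_MSG_RE = re.compile(
    r"^(?:(?P<code>AH\d+): )?(?P<text>.*?)(?:, referer: (?P<referer>\S+))?$"
)


@dataclass
class ErrorLogEntry:
    timestamp: str
    module: str
    level: str
    pid: int
    tid: Optional[int]
    client: Optional[str]
    code: Optional[str]
    text: str
    referer: Optional[str]


def parse_error_line(line: str) -> Optional[ErrorLogEntry]:
    """Parse one error_log line; return None for lines not in the default format."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    mm = _MSG_RE.match(m.group("msg"))
    return ErrorLogEntry(
        timestamp=m.group("ts"),
        module=m.group("module"),
        level=m.group("level"),
        pid=int(m.group("pid")),
        tid=int(m.group("tid")) if m.group("tid") else None,
        client=m.group("client"),
        code=mm.group("code"),
        text=mm.group("text"),
        referer=mm.group("referer"),
    )


def referer_origin(referer: str) -> str:
    """scheme://host[:port] of a Referer URL, the part a same-origin check compares."""
    u = urlsplit(referer)
    return f"{u.scheme}://{u.netloc}".lower()


def triage_ah10187(lines: Iterable[str], trusted_hosts: Iterable[str]) -> Dict[str, Counter]:
    """Count AH10187 rejections per referer origin, split into referers from the
    site's own balancer-manager hosts (a likely false positive such as this bug)
    and referers from anywhere else (worth a closer look), plus the
    (balancer, worker) pairs whose requested status changes were dropped."""
    trusted = {h.lower() for h in trusted_hosts}
    report: Dict[str, Counter] = {
        "trusted": Counter(), "untrusted": Counter(), "workers": Counter(),
    }
    for line in lines:
        entry = parse_error_line(line)
        if entry is None or entry.code != "AH10187" or not entry.referer:
            continue
        url = urlsplit(entry.referer)
        bucket = "trusted" if (url.hostname or "").lower() in trusted else "untrusted"
        report[bucket][referer_origin(entry.referer)] += 1
        params = parse_qs(url.query)          # b=<balancer>, w=<worker>, nonce=...
        balancer = params.get("b", ["?"])[0]
        for worker in params.get("w", []):
            report["workers"][(balancer, worker)] += 1
    return report


# First line is the one quoted in the bug report; the others are constructed.
SAMPLE_LINES = [
    "[Thu Sep 26 09:51:08.228312 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] "
    "[client 127.0.0.1:54712] AH10187: ignoring params in balancer-manager cross-site access, "
    "referer: http://httpbalancer01/httpbalancer/__balancer-manager?b=http-balancer"
    "&w=http://192.168.13.71&nonce=193a3e00-9795-f9bb-6cc2-d7f3ac222b68",
    "[Thu Sep 26 09:52:00.000001 2019] [proxy_balancer:error] [pid 13106:tid 139942457935616] "
    "[client 10.0.0.5:40000] AH10187: ignoring params in balancer-manager cross-site access, "
    "referer: http://other.example/",
    "[Thu Sep 26 09:50:00.000000 2019] [mpm_event:notice] [pid 13100:tid 139942500000000] "
    "AH00489: Apache/2.4.25 (Debian) configured -- resuming normal operations",
    "not an apache error_log line",
]

if __name__ == "__main__":
    for bucket, counts in triage_ah10187(SAMPLE_LINES, ["httpbalancer01"]).items():
        print(bucket, dict(counts))
```

Run it against a real `/var/log/apache2/error.log` by reading the file into `triage_ah10187` and passing the hostnames under which the balancer-manager is normally opened; a non-empty "untrusted" bucket deserves attention, while a populated "trusted" bucket on an affected package version points at this bug rather than at cross-site activity.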




Source: apache2
Source-Version: 2.4.38-3+deb10u2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[hidden email]> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Oct 2019 22:23:11 +0200
Source: apache2
Architecture: source
Version: 2.4.38-3+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Debian Apache Maintainers <[hidden email]>
Changed-By: Xavier Guimard <[hidden email]>
Closes: 941202
Changes:
 apache2 (2.4.38-3+deb10u2) buster-security; urgency=medium
 .
   * Fix CVE-2019-10092 patch (Closes: #941202)
Checksums-Sha1:
 3509de9f5126b36b0fe81e64f38bcc35f4078814 3263 apache2_2.4.38-3+deb10u2.dsc
 f285efd6d0ceb0e3d7f6f3794c339bc2ec0a0142 1058152 apache2_2.4.38-3+deb10u2.debian.tar.xz
Checksums-Sha256:
 de816406feffca2a5755190e1ca5c4e2428171e6144a903ced16ddad59bb4a23 3263 apache2_2.4.38-3+deb10u2.dsc
 583b34d9ad9578f74086cf1e83f196e384598ff87496b800eb52496c54ecd6a6 1058152 apache2_2.4.38-3+deb10u2.debian.tar.xz
Files:
 6a9e23082eda5dda6078bdaa22e7c3dc 3263 httpd optional apache2_2.4.38-3+deb10u2.dsc
 14c47928ce18fdba5be99f20998b99b9 1058152 httpd optional apache2_2.4.38-3+deb10u2.debian.tar.xz
