I've downloaded the attack tool http://seclists.org/fulldisclosure/2011/Aug/att-175/killapache_pl.bin and confirmed the problem on my i586 system.
Keywords: (none) => Security
Assignee: bugsquad => security
Apache HTTPD Security ADVISORY for CVE-2011-3192 http://article.gmane.org/gmane.comp.apache.announce/58
Fix has been released: http://www.apache.org/dist/httpd/Announcement2.2.html
CC: (none) => sander.lepik
Status: NEW => ASSIGNED
CC: (none) => maarten.vanraes
Assignee: security => maarten.vanraes
Component: RPM Packages => Security
Fix has been committed, but not yet submitted to the buildsystem; if anyone is willing to look this over and comment/submit, and perhaps even test, I'd be grateful.
apache-2.2.17-5.1.mga1 has been submitted and tested by me, but not the security fix itself. Should I just execute that .bin? Or wasn't this remotely exploitable? I don't know much about this. Can anyone test that the security fix actually works?
Assignee: maarten.vanraes => qa-bugs
CC: (none) => security
$ perl ./killapache_pl.bin localhost 50
Host does not seem vulnerable
I've also tested that I can access http://127.0.0.1/
Testing complete on i586 for srpm apache-2.2.17-5.1.mga1.src.rpm
Does the apache install include the packages nss and libnss, or were those pulled in by the firefox update? The nss srpm is nss-3.12.11-1.1.mga1.src.rpm
Just as a comment: I heard / read that the original exploit was not always successful. To ensure proper coverage of this test, we probably also want to test the killapache_pl.bin exploit against the old package and see if it comes up with something other than "Host does not seem vulnerable"?
As in the original report, I confirmed the problem existed on my system. Before starting the attack, I had around 700MB of 2048MB in use. After around 15 seconds of the attack running, I had over 1GB of swap used. I killed the attack at that point, and rebooted my system. With the new version of Apache, I get the "Host does not seem vulnerable" message, instead of having apache chew up my system's memory. I'm both the original reporter for this bug report, and a member of the qa team. Once this update has been tested on an x86-64 system, this update is ready to validate, in my opinion. For anyone else testing, note that the killapache_pl.bin file must be changed with "chmod a+x killapache_pl.bin", after downloading, and before execution. I don't know where it says that it isn't always successful, since no links were provided, but it is successful, with the current Mageia 1 version of Apache, on my i586 system.
Apologies Dave, I had overlooked your comment on the initial report. See the comments on http://lwn.net/Articles/456513/ for where I understood that the test doesn't always work. I'm happy with your explanation and apologise for not having properly read before.
CC: (none) => anssi.hannula
Confirming for x86_64, seems fixed:
[doktor5000@mageia1 ~]$ perl ./killapache_pl.bin localhost 50
Host does not seem vulnerable
CC: (none) => doktor5000
Additionally, before the update our Apache was vulnerable:
$ perl ./killapache_pl.bin localhost 50
host seems vuln
ATTACKING localhost [using 50 forks]
This is with:
$ rg apache
apache-mpm-prefork-2.2.17-4.mga1
apache-commons-lang-2.6-4.mga1
apache-conf-2.2.17-2.mga1
apache-commons-codec-1.4-13.mga1
apache-modules-2.2.17-4.mga1
apache-base-2.2.17-4.mga1
apache-commons-logging-1.1.1-17.mga1
Testing complete. Before pushing we need 2 things:
- answer to comment #5
- an advisory
CC: (none) => stormi
In regard to comment #5: IMHO this issue has nothing to do with nss; this is about the byterange fix in apache. (I think nss was rebuilt for the rootcerts security issue?)
Advisory:
This security update fixes CVE-2011-3192: "The byterange filter in the Apache HTTP Server allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges".
(In reply to comment #11)
>
> Before pushing we need 2 things :
> - answer to comment #5
I had them already installed, so yes, they were pulled in by the earlier Firefox update.
Please push apache-2.2.17-5.1.mga1.src.rpm to Core Updates
Advisory:
This security update fixes CVE-2011-3192: "The byterange filter in the Apache HTTP Server allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges"
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED
(In reply to comment #8)
> Apologies Dave, I had overlooked your comment on the initial report.
>
> See the comments on http://lwn.net/Articles/456513/ for where I understood that
> the test doesn't always work.
>
> I'm happy with your explanation and apologise for not having properly read
> before.
No need for apologies. Better to ask if you're not sure, especially with a security update. I'm well aware that text-only messages don't convey things that voice would. My opinion: if in doubt, always ask.
Regards, Dave Hodgins
Apparently there's a regression: https://issues.apache.org/bugzilla/show_bug.cgi?id=51748
I committed the regression fix, awaiting submission.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
AL13N, it would be cleaner to leave this bug closed and create another bug report referring to this one. Those are really 2 different updates now :)
But it's the same security fix, so IMHO this security fix failed, so I reopened the bug report.
OK, submitted. Can anyone retest if it STILL fixes the security bug AND if there are no regressions?
Status: REOPENED => ASSIGNED
Keywords: validated_update => (none)
Can you explain to us what the new fix is?
Keywords: Security => (none)
Status: ASSIGNED => NEW
This added fix fixes a regression made by the previous security patch regarding negative byteranges; you can get more explanation in https://issues.apache.org/bugzilla/show_bug.cgi?id=51748 . AFAIK there is no POC to test this particular regression (as you can follow on that link); that's why I mentioned that it was important to test if it still fixes the security bug AND there are no regressions when using it. (This fix comes from the released 2.2.21 version, modified to work for 2.2.17.) Stormi: perhaps this one could also be mentioned on the -dev list, so that it can be tested for no regressions?
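As an added example (not code from this bug report, from Apache, or from the killapache tool), here is the kind of defender-side Range header check that was used to mitigate CVE-2011-3192 in front of unpatched servers: it parses a Range header, including the suffix ("negative") byte ranges the regression fix above concerns, and flags a request that carries too many ranges or any overlapping ones. The threshold MAX_RANGES and the function names are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Assumed threshold for this example (not a value from the bug report):
# how many ranges one request may carry before it is dropped.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a 'bytes=' Range header into absolute (start, end) pairs.

    Handles "0-499", open-ended "500-" and suffix specs such as "-500" (the
    negative byterange of the regression). Returns None when the header is
    syntactically invalid; RFC 2616 14.35 says a server then ignores it.
    """
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[6:].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix spec: last N bytes
            n = int(last)
            if n == 0:
                continue                     # unsatisfiable, skipped
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            if last and int(last) < start:
                return None                  # invalid spec voids the header
            if start >= content_length:
                continue                     # unsatisfiable, skipped
            end = min(int(last), content_length - 1) if last else content_length - 1
        ranges.append((start, end))
    return ranges


def should_reject(value: str, content_length: int, max_ranges: int = MAX_RANGES) -> bool:
    """Mitigation check: reject on too many ranges, or any two that overlap."""
    ranges = parse_range_header(value, content_length)
    if ranges is None:
        return False                         # the server ignores it anyway
    if len(ranges) > max_ranges:
        return True
    ordered = sorted(ranges)
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(ordered, ordered[1:]))
```

A legitimate multi-range request with a few disjoint ranges passes, while a header that piles up overlapping or repeated ranges is rejected before the byterange filter ever sees it.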
Keywords: (none) => Security
Status: NEW => ASSIGNED
I forgot to mention it's apache-2.2.17-5.2.mga1 that is to be tested.
(I have removed sysadmin so there is no spam.)
CC: sysadmin-bugs => (none)
Version: Cauldron => 1
How did this get set to Cauldron? This was never Cauldron?
(In reply to comment #23)
> i forgot to mention it's apache-2.2.17-5.2.mga1 that is to be tested.
Any suggestion for a test to confirm the regression exists, and is then fixed by the update, given that killapache_pl.bin doesn't show the system as vulnerable currently? Or should we only be testing to confirm basic apache functions?
$ perl ./killapache_pl.bin localhost 50
Host does not seem vulnerable
I've also confirmed that http://127.0.0.1/phpmyadmin/ works on my i586 system.
(In reply to comment #22)
> Stormi: perhaps this one could also be mentioned on the -dev list? so that it
> can be tested for no regressions?
Of course, feel free to send a message :)
Until now, no regression spotted here on my i586 system. We still need an x86_64 tester.
(In reply to comment #26)
> (In reply to comment #23)
> > i forgot to mention it's apache-2.2.17-5.2.mga1 that is to be tested.
>
> Any suggestion for a test to confirm the regression exists, and is then fixed
> by the update, given that killapache_pl.bin doesn't show the system as
> vulnerable currently?
>
> Or should we only be testing to confirm basic apache functions?
As I said before, AFAIK there is no POC to actually test this regression; if you look at the link, it seems that they just followed the RFC and found a small bug that was introduced. So, that's why I urge to test if the security fix is still fixed, and there are no regressions.
Ping x86_64 testers.
Test OK on x86_64: kill_apache invulnerable and some www apps.
CC: (none) => lists.jjorge
Update Validated
SRPM: apache-2.2.17-5.2.mga1.src.rpm
Advisory:
-----------------------
This security update fixes CVE-2011-3192: "The byterange filter in the Apache HTTP Server allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges"
This added fix corrects a regression made by the previous security patch regarding negative byteranges; there is further explanation at https://issues.apache.org/bugzilla/show_bug.cgi?id=51748
------------------------
Could somebody from sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => eeeemail, sysadmin-bugs
Hardware: i586 => All
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED