It's been reported to us by a user (see URL); however, I've been looking for the exact patch without success. Does anyone have a good idea how I could find this specific patch in Apache svn? I've been looking, but it seems security bugs are closed off, so I can't get the exact patch for it. :-(
I've tracked down 3 possible commits: they are all something about ajp proxy and between the release dates. Unfortunately, it could be any combination thereof. Since this is security tagged, it's very difficult to even find other distros' bug reports on this, since they are private, and their svn commits don't contain the CVE, which we IMHO should do as well, ... I need some help with this...

svn log http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/proxy -r 1163057:1167190
#(the revision numbers are from the tagged releases 2.2.20 and 2.2.21)

r1166606 | rjung | 2011-09-08 12:18:14 +0200 (do, 08 sep 2011) | 5 lines

mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
Backport of r1152379 from trunk.
------------------------------------------------------------------------
r1166611 | rpluem | 2011-09-08 12:31:44 +0200 (do, 08 sep 2011) | 11 lines

Merge r1153531 from trunk:
* Do not even sent an empty brigade down the filter chain if the headers have not been sent by the AJP server so far. Even an empty brigade will trigger the headers filter to create the (in this case incomplete) HTTP headers of the response.
PR: 51608
Submitted by: rpluem
Reviewed by: rpluem, jim, jfclere
------------------------------------------------------------------------
r1167158 | wrowe | 2011-09-09 15:31:06 +0200 (vr, 09 sep 2011) | 5 lines

AJP_EBAD_METHOD is also a bad request so return HTTP_NOT_IMPLEMENTED
Submitted by: jfclere
Backports: r1166551, r1166657
Reviewed by: wrowe, jorton
FWIW, this should help: http://patch-tracker.debian.org/patch/series/dl/apache2/2.2.16-6+squeeze4/087_mod_proxy_ajp_CVE-2011-3348.dpatch Found via the help of https://wiki.mageia.org/en/Packagers_linkpage ;)
CC: (none) => doktor5000
I hope Debian got this one right, because it seems pretty difficult to even trigger, afaik there is no test, or it's a difficult one... too bad it's a dpatch file, and not a regular patch
(don't know if you want to fix the package yourself, so added dmorgan)
CC: (none) => dmorganec
Summary: fix security bug CVE-2011-3348 => apache, security bug CVE-2011-3348
Source RPM: (none) => apache
exploit test: http://www.securityfocus.com/bid/49616/exploit
RH bugreport: https://bugzilla.redhat.com/show_bug.cgi?id=736690
this seems to confirm it.
submitted apache-2.2.17-5.3.mga1
Assignee: bugsquad => qa-bugs
(In reply to comment #3)
> too bad it's a dpatch file, and not a regular patch

For the record, you can use that just like a regular patch.

Besides that, this still needs an advisory, like in https://wiki.mageia.org/en/Example_update_advisory_announcement

As I'm nice :) here's an advisory to validate this update:

There is now apache-2.2.17-5.3.mga1 in core/updates_testing to validate
-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-3348

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

This issue was reported to Mageia at [1].

[1] https://forums.mageia.org/en/viewtopic.php?f=7&t=1604
-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate
- maybe http://community.jboss.org/message/625307 can help in validating
Status: NEW => ASSIGNED
I've no idea how to test this and there is no POC so just checking apache works correctly after update.
Testing x86_64 with zoneminder and phpmyadmin all appears OK.
Testing complete on i586.

Could someone from the sysadmin team push the srpm apache-2.2.17-5.3.mga1.src.rpm from Core Updates Testing to Core Updates

Advisory:
This update addresses the following CVE:

CVE-2011-3348

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

This issue was reported to Mageia at https://forums.mageia.org/en/viewtopic.php?f=7&t=1604

Note that qa testing has been limited to confirming basic functions of apache work, as no proof of concept is publicly available.

https://bugs.mageia.org/show_bug.cgi?id=3773
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED